Creating function policy using SAM

Hi there,

What would be the fastest way to attach function policy to Lambda?

I hoped we could do it while creating the Lambda
(allow the Lambda to be invoked only by Cognito):

Resources:
  SomeFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: URL
      FunctionName: SomeFunction
      Policies:
        - Statement:
          - StatementId: AllowToInvokeFromCognito
            Effect: Allow
            Action: lambda:InvokeFunction
            Principal: cognito-idp.amazonaws.com

But I got errors about a malformed policy.
Do I need to create a role first?
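An added SAM example (not from the original post) showing the resource-based route: the SAM `Policies` property only adds IAM statements to the function's execution role, so a statement with a `Principal` is rejected; a separate `AWS::Lambda::Permission` resource is the function policy. The `UserPoolArn` parameter, `Handler` and `Runtime` values are assumptions.

```yaml
# Added example, not code from the original post.
# `Policies` on AWS::Serverless::Function = permissions the function *has*
# (execution role). AWS::Lambda::Permission = who may *invoke* the function
# (resource-based policy). No separate role resource is required for it.
Parameters:
  UserPoolArn:               # assumed: ARN of the Cognito user pool
    Type: String

Resources:
  SomeFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: URL
      FunctionName: SomeFunction
      Handler: index.handler   # assumed
      Runtime: python3.12      # assumed

  AllowToInvokeFromCognito:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref SomeFunction      # Ref on a SAM function gives its name
      Principal: cognito-idp.amazonaws.com
      # Without SourceArn, any Cognito user pool in any AWS account could
      # invoke this function via the service principal (confused deputy).
      # Pin the permission to the one pool that should call it.
      SourceArn: !Ref UserPoolArn
```

If the function is a user-pool trigger, declaring a `Cognito` event (with `UserPool` and `Trigger`) under the function's `Events` makes SAM create the scoped permission for you; the explicit resource above is the general form.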