Malformed iamRoleStatements when using Fn::GetAtt

I’m trying to create a lambda with SQS event triggers. The SQS services are specified in my Resources section and create correct when I deploy, however referencing them in the iam section fails with the following message:

An error occurred: IamRoleLambdaExecution - Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: e49d9ccd-0f5d-4333-acb8-f1f3704942f6).

N.b. when viewing the event in CloudFormation no further information to help triage the issue is displayed.

I’m using Fn::GetAtt: to get the queue ARNs. Below is the iamRoleStatements section of my serverless.yml:

iamRoleStatements:
   - Effect: Allow
     Action:
       - sqs:ReceiveMessage
       - sqs:DeleteMessage
       - sqs:GetQueueAttributes
       - sqs:SendMessage
     Resource:
       arn:
         Fn::GetAtt: [SQSQueuePublisher, Arn]
   - Effect: Allow
     Action:
       - sqs:ReceiveMessage
       - sqs:DeleteMessage
       - sqs:GetQueueAttributes
       - sqs:SendMessage
     Resource:
       arn:
         Fn::GetAtt: [SQSQueueSubscriber, Arn]
   - Effect: Allow
     Action:
       - sqs:ReceiveMessage
       - sqs:DeleteMessage
       - sqs:GetQueueAttributes
       - sqs:SendMessage
     Resource:
       arn:
         Fn::GetAtt: [SQSQueueReducer, Arn]

Any help greatly appreciated here as I’m struggling to make progress!

Cheers.