Trouble using GetAtt or Fn::Join in s3 bucket policy - An error occurred: MyBucketPolicy - Invalid bucket policy syntax

aws

#1

I’ve tried a bunch of different ways, Fn::Join, Get:Att, but upon deployment it fails with "Invalid bucket policy syntax"
Any idea what’s going wrong? After reading some forum posts and the wiki I’m pretty sure I’m doing it right.
Any help would be greatly appreciated, thanks!
Here’s the resources section of my serverless.yml

resources:
  Resources:
    MyBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:custom.bucket}
        AccessControl: 'PublicRead'
    MyBucketPolicy:
      DependsOn: MyBucket
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: MyBucket
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AllowPublicRead
              Effect: Allow
              Principal: '*'
              Action:
                - s3:GetObject
              Resource:
                "Fn::GetAtt":
                  - MyBucket
                  - Arn
            - Sid: AllowLambdaPutObject
              Effect: Allow
              Principal:
                "Fn::GetAtt":
                  - IamRoleLambdaExecution
                  - Arn
              Action:
                - s3:PutObject
                - s3:PutObjectAcl
              Resource:
                "Fn::GetAtt":
                  - MyBucket
                  - Arn

#2

Principal AWS is an array/

        Principal:
          AWS:
            - "Fn::GetAtt":
              - IamRoleLambdaExecution
              - Arn