IoT Core Policy - Get/UpdateThingShadow with named shadow leading to 403 errors when using aws.greengrass.ShadowManager.

Hi,

I have a Greengrass core device registered with IoT Core (Thing name: M111234). This device is running a custom Greengrass component that makes use of aws.greengrass.ShadowManager to read/update a custom named shadow called 'MyCustomShadow'.

I believe I have setup our IoT Core policy correctly to allow ShadowManager access to sync this named shadow, but when testing, I get 403 status errors in the ShadowManager logs, which I'm interpreting as the device not being authorised to work with the named shadow ('classic' shadow seems unaffected).

I'd be very grateful if someone could provide an example IoT Core policy below that would ensure this device can Get/Update this named shadow? I know SM uses both MQTT and HTTP to work with shadows, and this has led me to become a bit confused about what the minimum policy rules should be to support these actions?