The goal is to create a policy that allows S3 upload, but only to a subfolder with a name of uploader's Cognito sub identifier: upload-bucket/${cognito-identity.amazonaws.com:sub}/*. As described here.
I'm trying to create the proper policy with help of the IAM Policy Simulator.
Here's the problem that I face:
I don't understand the error, so I have no idea where to go from here.
