Federated Identity authenticated role - custom claims?

Hello,

I am using a pre-token generation trigger to add some custom claims into a user's JWT token. One of the custom claims I am adding is "business_id" which maps a user as belonging to a particular business in my multi-tenant SaaS app.
NOTE: this is not an editable cognito user pool custom attribute. This JWT claim is added programmatically as described above using a pre-token generation trigger.

In the Authenticated role I can restrict access to an S3 path based on each user's unique ID (Cognito sub) using this variable in my IAM policy:

${cognito-identity.amazonaws.com:sub}

Like so:

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:HeadObject",
    "s3:PutObject"
  ],
  "Resource": [
    {
      "Fn::Join": [
        "",
        [
          "arn:aws:s3:::",
          { "Ref": "S3Bucket" },
          "/user/${cognito-identity.amazonaws.com:sub}/*"
        ]
      ]
    }
  ]
}

Is there a way to do something similar with a custom claim? Like my example of having a "business_id" custom claim? I need all my users that belong to the same business (id) to have access to the same S3 path.
I tried replacing the IAM template variable using 'sub' with 'business_id' but it did not work, I still get access denied.

${cognito-identity.amazonaws.com:business_id}

I know there is a way to map an IAM role to a authenticated user, but this approach would mean I could end up needing 100s or 1000s of IAM roles whose only difference would be the "business_id" value being hardcoded into the S3 path to allow access for.
Again, business_id is not an editable Cognito user pool custom attribute. So, I shouldn't need to worry about a user's business_id changing and giving them access to resources that they should not have access to.

All help and ideas are very appreciated!
Thanks!
Erik

Edited by: paulsson-cs on Feb 27, 2020 12:35 PM