Example using subscription filter for StateMachine execution fail (delivery to kinesis data stream)

serverless.yml

resources:
  Resouces:
    SmSubscription:
      Type: AWS::Logs::SubscriptionFilter
      Properties:
        LogGroupName: !Ref StateMachineLogGroup
        FilterPattern: ExecutionFailed
        DestinationArn: !GetAtt [JobFailureEventStream, Arn]
        RoleArn: !GetAtt [KinesisSubscriptionRole, Arn]
    JobFailureEventStream:
      Type: AWS::Kinesis::Stream
      Properties:
        Name: ${self:service}-${self:provider.stage}-error-events
        ShardCount: 1
    KinesisSubscriptionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-${self:provider.stage}-delivery-logs-role
        AssumeRolePolicyDocument:
          Statement:
            - Action: "sts:AssumeRole"
              Effect: "Allow"
              Principal:
                Service: !Sub logs.${AWS::Region}.amazonaws.com
              # Condition:
              #   StringLike:
              #     "aws:SourceArn": !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*"
    KinesisSubscriptionRolePolicy:
      Type: "AWS::IAM::Policy"
      Properties:
        PolicyName: ${self:service}-${self:provider.stage}-delivery-logs
        PolicyDocument: 
          Statement:
            - Effect: "Allow"
              Action: 
                - "kinesis:PutRecord"
              Resource: !GetAtt [JobFailureEventStream, Arn]
        Roles:
          - !Ref KinesisSubscriptionRole

Condition の部分はコメントアウトすると Policy syntax error で弾かれる。

どうしたらいいのかまだわかってないのが、いったん放置