Issues getting cross account subscription for CW/Kinesis

Hello,

Greetings for the day!

From the query description, I understand that you are getting the following error when creating a log destination by following the documentation and were stuck on Step 7. "An error occurred (InvalidParameterException) when calling the PutDestination operation: Could not deliver test message to specified destination. Check if the destination is valid". You would like to know the reason on what could cause this issue. Please feel free to correct me if I misunderstood your concern.

As per error description wording, "PutDestination operation: Could not deliver test message to specified destination. Check if the destination is valid" it mostly seems to be permission related issue and it can mostly happen whenever the Kinesis DataStream is encrypted with KMS and hence here the PutDestination API call also would need KMS access inorder to write the CloudWatch logs to the Kinesis DataStream. The IAM role used to create the destination should have KMS permissions. Please refer [1] for more information on it.

For detailed investigation, I would need to check whether the Kinesis stream is in the active state and whether the IAM role and destination policy is configured correctly or not, which I unable to check as I do not have the information of the resources with me. So, on a best effort basis, I have provided you general guidance regarding your query. To deep dive into this issue, we would need to check the resources and the permissions configured on them to proceed further.

In case, if you still have queries regarding this, I would like to request you to reach out to the support team, with all the resource details via Support console and we will investigate the same in detail.

Hope the information provided above is helpful.

Have a great day ahead!

---

References:

[1] Permissions to Use User-Generated KMS Master Keys - https://docs.aws.amazon.com/streams/latest/dev/permissions-user-key-KMS.html