Can a log destination work with KMS-encrypted Kinesis streams?


I am following AWS CloudWatch Logs - Setting up a new cross-account subscription and I have been able to get WAF logs from Account A to flow through to my OpenSearch cluster in Account B using the documentation.

But I want to extend it so that everything is doing Encryption at Rest or Server Side Encryption, but I am having an issue when I try to create a log destination where I get an error saying "Check if the destination is valid".

I have the following setup:

Data stream with Server-side encryption using KMS managed key

IAM role called CWLtoKinesisRole with the following trusted policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": ""
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "o-12345"
                    }
                }
            }
        ]
    }

and the following policy:

    {
        "Statement": [
            {
                "Action": "kinesis:PutRecord",
                "Effect": "Allow",
                "Resource": "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient",
                "Sid": ""
            },
            {
                "Action": [
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:kms:*:123456789123:key/*",
                "Sid": ""
            }
        ],
        "Version": "2012-10-17"
    }

Then when I run:

    aws logs put-destination \
        --destination-name "testDestination" \
        --target-arn "arn:aws:kinesis:region:123456789123:stream/logs-recipient" \
        --role-arn "arn:aws:iam::123456789123:role/CWLtoKinesisRole"

I get: `cloudwatch log destination: InvalidParameterException: Could not deliver test message to specified destination. Check if the destination is valid`

Any direction on what I am missing here would be great.



Asked 2 years ago, 581 views
1 answer

So I figured it out. While the trusted policy allows you to have:

    "StringEquals": {
        "aws:PrincipalOrgID": "o-12345"
    }

PrincipalOrgID isn't allowed for `"Service": ""`.

Which is less than great, so I have to have the following and update it every time a new account is added to our Org:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": ""
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringLike": {
                        "aws:SourceArn": [
                        ]
                    }
                }
            }
        ]
    }

In which you can see a lot of accounts.

Answered 2 years ago
  • Thanks WonderPhil. I spent hours on this yesterday as I had done exactly the same as you with the organization id in the trusted policy. Removing it got it working. Nice one.
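An added example, not code from the question or the answer above: a small Python checker for the pitfall the answer describes. It flags a trust statement that lets a service principal assume the role but conditions it on aws:PrincipalOrgID (a key that is never present for service principals, so StringEquals can never match), and builds the aws:SourceArn form the answer settled on. It assumes logs.amazonaws.com as the CloudWatch Logs service principal (the page shows that value blank) and arn:aws:logs:REGION:ACCOUNT:* as the per-account source pattern.

```python
import json

# Constructed sample: the trust-policy shape from the question, with the org-ID
# condition that makes the put-destination test message fail to deliver.
BROKEN_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {"Service": "logs.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-12345"}}
  }]
}
""")


def lint_trust_policy(policy):
    """Return findings for Allow statements whose principal is a service.

    aws:PrincipalOrgID is only set for IAM principals, so using it to scope a
    service principal silently denies every AssumeRole call; a service-principal
    statement with no aws:SourceArn/aws:SourceAccount at all is flagged too,
    because any account could then use the service to assume the role."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement is allowed in IAM JSON
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Service" not in stmt.get("Principal", {}):
            continue
        cond = stmt.get("Condition", {})
        keys = {k.lower() for operator in cond.values() for k in operator}
        if "aws:principalorgid" in keys:
            findings.append(f"Statement {i}: aws:PrincipalOrgID never matches a Service principal; use aws:SourceArn")
        elif not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(f"Statement {i}: Service principal can be assumed from any account (no aws:SourceArn/aws:SourceAccount)")
    return findings


def build_trust_policy(region, account_ids, service="logs.amazonaws.com"):
    """Trust policy in the form the answer uses: StringLike on aws:SourceArn with one
    log ARN pattern per sending account (assumed pattern: arn:aws:logs:REGION:ACCOUNT:*)."""
    arns = [f"arn:aws:logs:{region}:{acct}:*" for acct in sorted(set(account_ids))]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {"aws:SourceArn": arns}},
        }],
    }
```

Run `lint_trust_policy` over the role's current trust document before calling `put-destination`; the fixed policy from `build_trust_policy` yields no findings.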


