role
Parameters
value
The ARN of the IAM role that you want the delivery stream to use to create endpoints in the destination VPC. You can use your existing Kinesis Data Firehose delivery role or you can specify a new role. In either case, make sure that the role trusts the Kinesis Data Firehose service principal and that it grants the following permissions:
ec2:DescribeVpcsec2:DescribeVpcAttributeec2:DescribeSubnetsec2:DescribeSecurityGroupsec2:DescribeNetworkInterfacesec2:CreateNetworkInterfaceec2:CreateNetworkInterfacePermissionec2:DeleteNetworkInterfaceIf you revoke these permissions after you create the delivery stream, Kinesis Data Firehose can't scale out by creating more ENIs when necessary. You might therefore see a degradation in performance.