roleArn
The ARN of the IAM role that the delivery stream uses to create endpoints in the destination VPC. You can use your existing Firehose delivery role or you can specify a new role. In either case, make sure that the role trusts the Firehose service principal and that it grants the following permissions:
ec2:DescribeVpcsec2:DescribeVpcAttributeec2:DescribeSubnetsec2:DescribeSecurityGroupsec2:DescribeNetworkInterfacesec2:CreateNetworkInterfaceec2:CreateNetworkInterfacePermissionec2:DeleteNetworkInterface
If you revoke these permissions after you create the delivery stream, Firehose can't scale out by creating more ENIs when necessary. You might therefore see a degradation in performance.