It seems the AWS Lambda console and the Kinesis docs disagree on the set of required permissions for a x-acct enhanced-fanout subscriber.
This[1] doc says one thing, this[2] says another and the console says a third.
[1]: docs.aws.amazon.com/streams/late...
[2]: docs.aws.amazon.com/streams/late...
