One of the projects that I am working on right now involves writing automation to deploy and configure AWS GuardDuty for a large organization, with a delegated security account managing GuardDuty. While we do not use all the regions across all accounts, some accounts do use the opt-in regions, so we need to make sure that we are monitoring them too. When I tried to run my Terraform, I got the following error.

│ Error: Creating GuardDuty publishing destination failed: BadRequestException: The request failed because the GuardDuty service principal does not have permission to the KMS key or the resource specified by the destinationArn parameter. Refer to https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "b6871f10-6418-4495-992f-5e84ba4200d4"},
│   Message_: "The request failed because the GuardDuty service principal does not have permission to the KMS key or the resource specified by the destinationArn parameter. Refer to https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-s3-policies",
│   Type: "InvalidInputException"}
│
│   with module.af-south-1.aws_guardduty_publishing_destination.pub_dest,
│   on modules/guardduty/main.tf line 14, in resource "aws_guardduty_publishing_destination" "pub_dest":
│   14: resource "aws_guardduty_publishing_destination" "pub_dest" {
│
╵

The solution is on the AWS documentation page the error references; I did not catch it the first time I read through it, so I figured I'd share it here. In the opt-in regions, GuardDuty uses a regional service principal (guardduty.<region>.amazonaws.com) rather than only the global guardduty.amazonaws.com, so the regional principals have to be granted in the service permissions on both the KMS key policy and the S3 bucket policy. For my KMS key and S3 bucket, that meant changing my principals block from

principals {
  type        = "Service"
  identifiers = ["guardduty.amazonaws.com"]
}

to

principals {
  type = "Service"
  identifiers = [
    "guardduty.amazonaws.com",
    "guardduty.me-south-1.amazonaws.com",
    "guardduty.af-south-1.amazonaws.com",
    "guardduty.ap-east-1.amazonaws.com",
    "guardduty.ap-southeast-3.amazonaws.com",
    "guardduty.eu-south-1.amazonaws.com"
  ]
}

With that, everything deployed correctly.
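To show how the principals fix fits into the whole export destination, here is an added Terraform example (my own illustration, not the post's module or AWS's code) that builds the list of regional service principals from a list of opt-in regions and applies it to both the KMS key policy and the S3 bucket policy. The bucket name, resource names, and the aws:SourceAccount condition are assumptions for the example; check the GuardDuty export documentation linked in the error for the exact statements AWS currently recommends.

```hcl
# Added example, not the post's own module. Names and the bucket name
# are placeholders; adjust the opt-in region list to your organization.

locals {
  # Opt-in regions in use. GuardDuty uses a regional service principal
  # in each of these, so every one must be granted explicitly.
  optin_regions = [
    "me-south-1",
    "af-south-1",
    "ap-east-1",
    "ap-southeast-3",
    "eu-south-1",
  ]

  # Global principal plus one regional principal per opt-in region.
  guardduty_principals = concat(
    ["guardduty.amazonaws.com"],
    formatlist("guardduty.%s.amazonaws.com", local.optin_regions),
  )
}

data "aws_caller_identity" "current" {}

# KMS key used to encrypt exported findings.
resource "aws_kms_key" "guardduty_findings" {
  description = "Encrypts exported GuardDuty findings"
  policy      = data.aws_iam_policy_document.kms.json
}

data "aws_iam_policy_document" "kms" {
  statement {
    sid    = "AllowAccountAdmin"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  statement {
    sid    = "AllowGuardDutyGenerateDataKey"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = local.guardduty_principals
    }
    actions   = ["kms:GenerateDataKey"]
    resources = ["*"]
    # Assumed scoping condition: only GuardDuty acting for this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Destination bucket for exported findings (placeholder name).
resource "aws_s3_bucket" "guardduty_findings" {
  bucket = "example-org-guardduty-findings"
}

resource "aws_s3_bucket_policy" "guardduty_findings" {
  bucket = aws_s3_bucket.guardduty_findings.id
  policy = data.aws_iam_policy_document.bucket.json
}

data "aws_iam_policy_document" "bucket" {
  statement {
    sid    = "AllowGuardDutyGetBucketLocation"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = local.guardduty_principals
    }
    actions   = ["s3:GetBucketLocation"]
    resources = [aws_s3_bucket.guardduty_findings.arn]
  }

  statement {
    sid    = "AllowGuardDutyPutObject"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = local.guardduty_principals
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.guardduty_findings.arn}/*"]
  }

  # Refuse any object written without SSE-KMS so findings never land
  # in the bucket unencrypted.
  statement {
    sid    = "DenyUnencryptedUploads"
    effect = "Deny"
    principals {
      type        = "Service"
      identifiers = local.guardduty_principals
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.guardduty_findings.arn}/*"]
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
}
```

Keeping the region list in one local means the publishing destination for a newly enabled opt-in region only needs one line added, and both policies pick it up on the next apply instead of one of them being missed and producing the BadRequestException above.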