The IAM role associated with the VPC Flow Log is not assigned the policies the flow log service needs to write to the log group; it can only create it. It also tries to use the KMS key for the parent bucket, which it does not need (and does not have access to) for CloudWatch purposes.
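A way to check a flow log role's policy document for both problems, as an added example that is not the project's own code. The required action list is the one AWS documents for publishing flow logs to CloudWatch Logs; the function name, the sample policies and the placeholder key ARN are constructed, and the check looks only at `Allow` actions (it ignores `Deny`, `NotAction`, `Resource` scoping and conditions).

```python
import fnmatch

# Actions AWS documents for a role that publishes flow logs to CloudWatch Logs.
REQUIRED = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
            "logs:DescribeLogGroups", "logs:DescribeLogStreams")

# Constructed sample: the role as described above (create only, plus KMS use).
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-PLACEHOLDER"},
]}

# Constructed sample: the same role with write access and no KMS statement.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED), "Resource": "*"},
]}


def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_flow_log_policy(policy):
    """Return (missing_actions, kms_actions) for a flow log role policy."""
    allowed = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action")))
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    missing = [req for req in REQUIRED
               if not any(fnmatch.fnmatchcase(req.lower(), pat.lower())
                          for pat in allowed)]
    # Any kms: action is reported, since this role does not need the key.
    kms = sorted({a for a in allowed if a.lower().startswith("kms:")})
    return missing, kms


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        missing, kms = audit_flow_log_policy(doc)
        print(f"{name}: missing={missing} unneeded_kms={kms}")
```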