Functionbeat fails to update with a new cloudwatch log group Could not execute the lambda function

We had functionbeat running and i had to remove and recreate it, however im getting the following errors:

{"log.level":"info","@timestamp":"2022-09-23T13:55:44.066+0100","log.logger":"aws","log.origin":{"":"aws/op_cloudformation.go","file.line":97},"message":"Stack event received, ResourceType: AWS::Logs::SubscriptionFilter, LogicalResourceId: fnbcloudwatchSFawslambdanfttransposeprodmain, ResourceStatus: CREATE_FAILED, ResourceStatusReason: Resource handler returned message: \"Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function. (Service: CloudWatchLogs, Status Code: 400, Request ID: 56335ff6-e8d8-4536-bbfa-44f72d15426f)\" (RequestToken: a0b9b8fc-e348-398b-dd38-dc91cabcb2ab, HandlerErrorCode: InternalFailure)","":"functionbeat","ecs.version":"1.6.0"}

I dont know why it fails, it suggests to check permissions but i dont believe that is the issue as im able to add log groups sometimes and other times i get this error. Once i get this error, the functionbeat is in an unrecoverable state and i can no longer rollback/update. I have to remove and redeploy and start again.

functionbeat 8.2.2