Base on the error log, it seems like they are using protocol specific for the crypto ACL, however, with ASA, the crypto ACL needs to exactly mirror image the remote peer.
So if they are configuring ICMP as the protocol, you would also need to configure the same on the ASA.
Typically crypto ACL is "permit ip ", is there anyway you can ask Amazon VPC to configure policy with IP between subnet to subnet (mirror image from ASA crypto ACL)?