[BUG][Functional] CloudFront Monitoring Metrics Blocked by Service Control Policy in Workload Accounts

[MaxWardle]

Bug reports which fail to provide the required information will be closed without action.

Required Basic Info

• Accelerator Version: v1.5.6-a
• Install Type: Upgrade
• Upgrade from version: v1.5.5

Describe the bug When logged into a workload account with administrator access, and attempting to view CloudFront monitoring metrics I get an error message telling me "To view this widget you need cloudwatch:GetMetricData with an explicit deny in a service control policy permission."

Failure Info

• What error messages have you identified, if any: "To view this widget you need cloudwatch:GetMetricData with an explicit deny in a service control policy permission."
• What symptoms have you identified, if any: I cannot view CloudFront monitoring metric data in a workload account under the SEA's SCPs

Required files

• Please provide a copy of your config.json file (sanitize if required)

Steps To Reproduce

1. In a workload account (prod, dev, test) go to CloudFront and create a distribution.
2. Click on the distribution and click on "View metrics" in the top right hand corner
3. See the error message above on the widgets that should show the data (see screenshot below)

Expected behavior Be able to view the CloudFront metrics data with Admin privileges in the SEA's workload accounts.

Screenshots

Additional context Add any other context about the problem here.