awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0
547 stars 436 forks

GuardDutyCreatePublishingDestinationCommand creation fails with InvalidInputException #255

Closed ggipson2 closed 3 months ago

ggipson2 commented 1 year ago

Describe the bug: We manually added a new AWS account to our Organization, added the necessary LZA config, and ran this pipeline. When running the AWSAccelerator-Pipeline, it runs until it reaches the Deploy stage and fails on the Security step with this error:

AWSAccelerator-SecurityStack-*-us-east-1 | 7:07:00 PM | CREATE_FAILED | Custom::GuardDutyCreatePublishingDestinationCommand | GuardDutyPublishingDestination/Resource/Default (GuardDutyPublishingDestination52AE4412) Received response status [FAILED] from custom resource. Message returned: InvalidInputException: The request failed because you do not have the required permissions for the s3:GetObject or s3:ListBucket actions.

The new account is in the same OU as our other workload accounts and we did not experience this error with those.

To Reproduce: Error occurs every time we run the pipeline since adding the new account.

Expected behavior: Pipeline runs successfully.


bo1984 commented 1 year ago

Hi Grant! Thank you for using the Landing Zone Accelerator on AWS solution. Given the error you've provided, it looks like the root cause of this is due to an issue with the lifecycle rule removing the GuardDuty prefix. To confirm this behavior, please run the following command for your Logging account.

aws s3api get-object-acl --bucket aws-accelerator-central-logs-<your-account>-us-east-1 --key "guardduty/"

If you receive a NoSuchKey error, then the object representing the folder most likely got deleted by a lifecycle. If this is the case, we have this bug addressed in our upcoming v1.5.0 release. In the meantime, you should be able to recreate this prefix, then re-run your pipeline.

If you're receiving a response back from the aforementioned API call, then please let me know and I can dig further for you.
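The check bo1984 describes, together with the "recreate this prefix" step, written out as an added POSIX shell example; this is not code from the Landing Zone Accelerator project or from either commenter. It assumes the AWS CLI is installed and its credentials target the Logging account, that the bucket name follows the aws-accelerator-central-logs-<account>-<region> pattern quoted above, and it uses its own function names and its own LZA_LOG_BUCKET variable. It goes one step beyond the comment: it separates NoSuchKey from every other failure (AccessDenied, wrong region, no credentials), which the comment asks to be reported rather than treated as a deleted prefix, then recreates the zero-length object and re-probes it before telling you to re-run the pipeline.

```sh
#!/bin/sh
# Added example, not part of Landing Zone Accelerator on AWS: check whether the
# "guardduty/" prefix object still exists in the central-logs bucket and, when a
# lifecycle rule has expired it, recreate it before re-running the pipeline.
# Assumed: the AWS CLI is installed and its credentials target the Logging
# account; the bucket name follows aws-accelerator-central-logs-<account>-<region>.
# The function names and the LZA_LOG_BUCKET variable are this example's own.

PREFIX_KEY="guardduty/"

# Probe the prefix object the same way the comment above does.
# Exit status: 0 = object exists, 1 = S3 answered NoSuchKey, 2 = any other
# failure (AccessDenied, wrong region, missing credentials, ...), which must
# not be mistaken for "the prefix was deleted".
check_guardduty_prefix() {
  bucket="$1"
  out=$(aws s3api get-object-acl --bucket "$bucket" --key "$PREFIX_KEY" 2>&1) && rc=0 || rc=$?
  if [ "$rc" -eq 0 ]; then
    return 0
  fi
  case "$out" in
    *NoSuchKey*) return 1 ;;
    *) printf 'get-object-acl failed: %s\n' "$out" >&2; return 2 ;;
  esac
}

# Recreate the zero-length "folder" object only when it is confirmed missing,
# then re-probe so a failed PutObject is reported instead of assumed to have worked.
# Exit status: 0 = prefix present (already, or after recreation), 2 = failure.
ensure_guardduty_prefix() {
  bucket="$1"
  check_guardduty_prefix "$bucket" && rc=0 || rc=$?
  case "$rc" in
    0)
      echo "s3://$bucket/$PREFIX_KEY already exists; nothing to do"
      return 0
      ;;
    1)
      echo "s3://$bucket/$PREFIX_KEY is missing (NoSuchKey), recreating it"
      aws s3api put-object --bucket "$bucket" --key "$PREFIX_KEY" >/dev/null || return 2
      check_guardduty_prefix "$bucket" || return 2
      echo "recreated s3://$bucket/$PREFIX_KEY; re-run the AWSAccelerator-Pipeline"
      return 0
      ;;
    *)
      return 2
      ;;
  esac
}

# Usage: LZA_LOG_BUCKET=aws-accelerator-central-logs-<account>-us-east-1 sh ensure_guardduty_prefix.sh
if [ -n "${LZA_LOG_BUCKET:-}" ]; then
  ensure_guardduty_prefix "$LZA_LOG_BUCKET"
fi
```

Run it once from a shell that has the Logging account's credentials; an exit status of 2 means the probe itself failed and the error printed on stderr is the thing to look at, not a missing prefix. Because the comment attributes the deletion to a lifecycle rule, the recreated object can expire again until the fix ships, so repeat the check if the same CREATE_FAILED error comes back.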