awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

[BLOCKED] Accounts Stage failing consistently #629

Open richardkeit opened 2 weeks ago

richardkeit commented 2 weeks ago

Describe the bug: [image]

To Reproduce

security-config.yaml:

---
centralSecurityServices:
  enable: true

global-config.yaml:

---
homeRegion: &HOME_REGION ap-southeast-2
enabledRegions:
  - *HOME_REGION

Expected behavior: Service Linked role created with no issue

Please complete the following information about the solution:

To get the version of the solution, you can look at the description of the created AWS CloudFormation stack used to install the LZA (AWSAccelerator-InstallerStack). For example, "(SO0199) Landing Zone Accelerator on AWS. Version 1.5.1.". If the description does not contain the version information, you can look at the Parameters of the stack for the RepositoryBranchName as that should contain the version number.


Additional context: From CloudTrail

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "YYYYYYYYYY:AWSAccelerator-AccountsSt-AccessAnalyzerServiceLin-fDSJRN0zo8BP",
    "arn": "arn:aws:sts::XXXXXXXX:assumed-role/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLink-xfpSRjsIzuZZ/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLin-fDSJRN0zo8BP",
    "accountId": "XXXXXXXX",
    "accessKeyId": "ASIA47CRVUCIY4LQQ2LK",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "YYYYYYYYYY",
        "arn": "arn:aws:iam::XXXXXXXX:role/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLink-xfpSRjsIzuZZ",
        "accountId": "XXXXXXXX",
        "userName": "AWSAccelerator-AccountsSt-AccessAnalyzerServiceLink-xfpSRjsIzuZZ"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2024-11-04T04:36:25Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-11-04T04:48:31Z",
  "eventSource": "lambda.amazonaws.com",
  "eventName": "GetFunction20150331v2",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "3.215.177.212",
  "userAgent": "aws-sdk-js/3.632.0 ua/2.0 os/linux#5.10.226-235.879.amzn2.x86_64 lang/js md/nodejs#20.17.0 api/lambda#3.632.0 exec-env/AWS_Lambda_nodejs20.x",
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::XXXXXXXX:assumed-role/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLink-xfpSRjsIzuZZ/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLin-fDSJRN0zo8BP is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:us-east-1:XXXXXXXX:function:AWSAccelerator-AccountsSt-AccessAnalyzerServiceLin-ZSjIdBDmOU2m because no identity-based policy allows the lambda:GetFunction action",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "59ea3265-14d9-465c-9547-5d91808f8448",
  "eventID": "e4b6acf0-5d5a-453f-9b5e-32b91b6f31da",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXX",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "lambda.us-east-1.amazonaws.com"
  }
}
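The CloudTrail record above is the only diagnostic the report carries, so here is a small triage helper, added to this page as an illustration and not code from the landing-zone-accelerator project or from the reporter. It parses the errorMessage that IAM attaches to an AccessDenied event into role, action, resource and cause, and, only for denials caused by a missing identity-based Allow, emits the minimal statement that the denied call implies. Whether granting lambda:GetFunction to the custom-resource role is the right fix for the Accounts stage is for the maintainers to decide; the helper only surfaces what the event itself says. The sample events are constructed (account ID 111122223333 and the -EXAMPLE suffixes are placeholders); the SCP variant is included to show a denial that no change to the role's own policy would cure.

```python
"""Triage CloudTrail AccessDenied events such as the one quoted in this issue.

Added example for this page, not code from the landing-zone-accelerator project.
Sample events below are constructed; account IDs and name suffixes are placeholders.
"""
import re
from typing import Optional

# Shapes of IAM's AccessDenied messages (see the IAM troubleshooting guide):
#   "User: <arn> is not authorized to perform: <svc:Action> on resource: <arn>
#    because no identity-based policy allows the <svc:Action> action"
#   "User: <arn> is not authorized to perform: <svc:Action> on resource: <arn>
#    with an explicit deny in a service control policy"
DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*-]+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?: (?P<reason>(?:because|with) .+))?$"
)


def classify_reason(reason: Optional[str]) -> str:
    """Map the trailing clause of the message to a coarse cause."""
    if not reason:
        return "unknown"
    if "service control policy" in reason:
        return "scp"              # only fixable in the organization's SCPs
    if "no identity-based policy" in reason:
        return "identity_policy"  # the role simply lacks an Allow
    if "explicit deny" in reason:
        return "explicit_deny"    # an identity or resource policy denies outright
    return "other"


def parse_access_denied(event: dict) -> Optional[dict]:
    """Flat summary of an AccessDenied event; None for any other event."""
    if event.get("errorCode") != "AccessDenied":
        return None
    m = DENY_RE.search(event.get("errorMessage", ""))
    if not m:
        return None
    issuer = (event.get("userIdentity", {}).get("sessionContext", {})
              .get("sessionIssuer", {}))
    role_arn = issuer.get("arn") or m["principal"]  # prefer the IAM role over the session
    return {
        "time": event.get("eventTime"),
        "region": event.get("awsRegion"),
        "role_arn": role_arn,
        "role_name": role_arn.rsplit("/", 1)[-1],
        "action": m["action"],
        "resource": m["resource"] or "*",
        "cause": classify_reason(m["reason"]),
    }


def minimal_allow_statement(denial: dict) -> Optional[dict]:
    """Least-privilege Allow implied by an identity-policy denial; None otherwise."""
    if denial["cause"] != "identity_policy":
        return None
    return {
        "Sid": "Allow" + denial["action"].replace(":", ""),
        "Effect": "Allow",
        "Action": denial["action"],
        "Resource": denial["resource"],
    }


def triage(events: list) -> list:
    """Summaries for every AccessDenied event in a batch, in original order."""
    return [d for d in (parse_access_denied(e) for e in events) if d]


_ISSUER = {"sessionContext": {"sessionIssuer": {"type": "Role", "arn":
           "arn:aws:iam::111122223333:role/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLink-EXAMPLE"}}}

# Constructed sample batch: the denial from the issue (placeholders substituted),
# an SCP denial on the service-linked role creation, and one successful call.
SAMPLE_EVENTS = [
    {"eventTime": "2024-11-04T04:48:31Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2", "awsRegion": "us-east-1",
     "errorCode": "AccessDenied", "userIdentity": _ISSUER,
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLink-EXAMPLE/session"
                     " is not authorized to perform: lambda:GetFunction on resource:"
                     " arn:aws:lambda:us-east-1:111122223333:function:AWSAccelerator-AccountsSt-AccessAnalyzerServiceLin-EXAMPLE"
                     " because no identity-based policy allows the lambda:GetFunction action"},
    {"eventTime": "2024-11-04T04:49:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateServiceLinkedRole", "awsRegion": "us-east-1",
     "errorCode": "AccessDenied", "userIdentity": _ISSUER,
     "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/AWSAccelerator-AccountsSt-AccessAnalyzerServiceLink-EXAMPLE/session"
                     " is not authorized to perform: iam:CreateServiceLinkedRole on resource:"
                     " arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"
                     " with an explicit deny in a service control policy"},
    {"eventTime": "2024-11-04T04:50:10Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2", "awsRegion": "us-east-1", "userIdentity": _ISSUER},
]

if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS):
        print(d["time"], d["role_name"], d["action"], d["cause"])
        print("  suggested statement:", minimal_allow_statement(d))
```

Run it against a batch pulled with `aws cloudtrail lookup-events` (or straight from the S3 trail objects) to get, per failing role, the exact action and resource that were refused and whether a role-policy change can fix it at all; the SCP case returns no statement because adding an Allow to the role would still be overridden.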