Update Subscription Lambda has insufficient privledges

[richardkeit]

Describe the bug Custom resource responsible for configuring centralised logging (kinda important function) silently fails with access denied on KMS encryption

To Reproduce global-config.yaml:

logging:
  cloudwatchLogs:
    enable: true
    encryption:
      useCMK: true
      deploymentTargets:
        organizationalUnits:
          - Root

Expected behavior No errors and log groups have encryption enabled

Please complete the following information about the solution:

• [x] Version: 1.10.0
• [x] Region: `ap-southeast-2
• [ ] Was the solution modified from the version published on this repository?
• [ ] If the answer to the previous question was yes, are the changes available on GitHub?
• [x] Have you checked your service quotas for the services this solution uses?
• [x] Were there any errors in the CloudWatch Logs?: No, which raises a question - "should it be?"

Screenshots

Additional context PR raised for fix, please give it some love 💚 :

• https://github.com/awslabs/landing-zone-accelerator-on-aws/pull/645

PS: This feature doesn't respect the encryption value, ie it ALWAYS attempts to encrypt (from what I can see)