Description
Describe the bug
The SRA Inspector Lambda function fails to enable Inspector in delegated administrator and member accounts due to insufficient IAM permissions for service-linked role creation. The Lambda successfully completes the AWS Organizations setup (enabling service access and registering the delegated administrator) but fails during the regional Inspector configuration phase when attempting to enable Inspector in cross-account scenarios.
Primary Error:
AccessDeniedException: An error occurred (AccessDeniedException) when calling the Enable operation: Invoking account is not authorized to perform iam:CreateServiceLinkedRole
Root Cause Analysis:
The Lambda execution role in the management account has the necessary iam:CreateServiceLinkedRole permissions for Inspector service-linked roles. However, when the Lambda assumes the sra-inspector-configuration role in delegated administrator and member accounts to enable Inspector, these assumed roles lack the required permissions to create the service-linked roles.
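The missing permission can be granted with a statement scoped to the Inspector service-linked role only, rather than a blanket iam:CreateServiceLinkedRole. This is an added example, not part of the report or the SRA code base; it assumes the statement is attached to the policy of the sra-inspector-configuration role in each delegated administrator and member account, and that the role name and service principal below (AWSServiceRoleForAmazonInspector2, inspector2.amazonaws.com) are the ones AWS uses for Inspector v2.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInspectorServiceLinkedRoleCreation",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/inspector2.amazonaws.com/AWSServiceRoleForAmazonInspector2",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "inspector2.amazonaws.com"
        }
      }
    }
  ]
}
```

The Condition key restricts the grant so the role can create this one service-linked role and nothing else; if the role already exists in an account, the Enable call no longer needs the permission and should succeed without it.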
Secondary Issue:
In our production environment where Inspector delegated admin for audit account with auto-enablement is already active, the Lambda encounters conflicts when attempting to enable Inspector in new accounts.
To Reproduce
Steps to reproduce the behavior:
Deploy Inspector via SRA in a multi-account organization and monitor the lambda/logs
Expected behavior
I expect the lambda to deploy Inspector successfully.
Screenshots
If applicable, add screenshots to help explain your problem.
Deployment Environment (please complete the following information)
CFCT + SRA
Deployment Framework Version [e.g. 1.0, 2.0]: pSRASolutionVersion v1.0
Additional context
Add any other context about the problem here.