aws-security-reference-architecture-examples
[BUG] GuardDuty cannot be enabled for opt-in regions like ap-southeast-4
Describe the bug
Opt-in regions such as ap-southeast-4 cannot have GuardDuty deployed because they have different S3 and KMS endpoints. Attempting to deploy the SRA GuardDuty solution through the CfCT with an opt-in region enabled results in a timeout on the rollout of the StackSet, but no information is given on why it has failed.
To Reproduce
Steps to reproduce the behavior:
- Enable an opt-in region (e.g. ap-southeast-4)
- Deploy the SRA GuardDuty solution via CfCT. The guardduty Python Lambda will attempt to create detectors in each enabled region in the Control Tower.
- After the MAX_RUN_COUNT (5 minutes) has been exceeded, the Lambda will fail with an error saying "GuardDuty Detectors did not get created in the allowed time. Check the Org Management delegated admin setup."
Expected behavior
The guardduty Lambda will create detectors in all enabled regions, whether opt-in or not. If errors do occur, then clear concise log messages will be produced to indicate why the failure occurred.
Deployment Environment (please complete the following information)
- Deployment Framework: Customizations for Control Tower and CloudFormation StackSets
- Deployment Framework Version: sra-guardduty-org-main-ssm version 1.1
Additional context
Once additional logging was added to log ClientErrors in the region_detectors function in the Lambda, it became apparent that specific endpoints were needed for GuardDuty in the rGuardDutyDeliveryS3BucketPolicy and rGuardDutyDeliveryKey policy statements. Adding guardduty.ap-southeast-4.amazonaws.com in addition to guardduty.amazonaws.com allowed the guardduty Lambda to complete successfully and create detectors in each enabled region.
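The workaround above amounts to trusting a regionalised GuardDuty service principal (guardduty.&lt;region&gt;.amazonaws.com) alongside the global one in the findings-delivery bucket policy and KMS key policy. The following is an added example, not code from the SRA repository or the issue reporter: it builds those two policy statements for a set of enabled Regions and, more usefully when debugging this exact failure, checks an existing policy document for the regionalised principals it is missing. The opt-in Region list, the bucket ARN and account ID placeholders, the statement Sids and the aws:SourceAccount condition are assumptions for illustration; the statement shape follows the documented GuardDuty findings-export policy.

```python
"""Build and check GuardDuty findings-delivery policies for opt-in Regions.

Added example, not from the SRA repository. Assumed (not taken from the issue):
the opt-in Region sample list, the bucket/account placeholders, the Sids, and
scoping each statement with aws:SourceAccount.
"""
import json

GLOBAL_PRINCIPAL = "guardduty.amazonaws.com"

# Constructed sample of Regions that are disabled by default (opt-in). This is
# an assumption for the example; in practice regenerate it with
# `aws account list-regions` rather than hard-coding it.
OPT_IN_REGIONS = frozenset({
    "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4",
    "eu-central-2", "eu-south-1", "eu-south-2", "me-central-1", "me-south-1",
})


def guardduty_principals(enabled_regions, opt_in_regions=OPT_IN_REGIONS):
    """Global principal plus one regionalised principal per enabled opt-in Region."""
    principals = {GLOBAL_PRINCIPAL}
    principals.update(
        f"guardduty.{r}.amazonaws.com" for r in enabled_regions if r in opt_in_regions
    )
    return sorted(principals)


def bucket_policy_statements(bucket_arn, principals, source_account):
    """S3 bucket policy statements GuardDuty needs to export findings."""
    condition = {"StringEquals": {"aws:SourceAccount": source_account}}
    return [
        {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow",
         "Principal": {"Service": principals}, "Action": "s3:GetBucketLocation",
         "Resource": bucket_arn, "Condition": condition},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow",
         "Principal": {"Service": principals}, "Action": "s3:PutObject",
         "Resource": f"{bucket_arn}/*", "Condition": condition},
    ]


def kms_key_statement(principals, source_account):
    """KMS key policy statement letting GuardDuty encrypt exported findings."""
    return {"Sid": "AllowGuardDutyGenerateDataKey", "Effect": "Allow",
            "Principal": {"Service": principals}, "Action": "kms:GenerateDataKey",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:SourceAccount": source_account}}}


def _service_principals(statement):
    """Normalise Principal.Service, which IAM allows as a string or a list."""
    service = statement.get("Principal", {}).get("Service", [])
    return {service} if isinstance(service, str) else set(service)


def missing_principals(policy, enabled_regions, opt_in_regions=OPT_IN_REGIONS):
    """Map Sid -> GuardDuty principals that statement lacks for enabled_regions.

    Each Allow statement that trusts any GuardDuty principal is checked on its
    own, so a principal present in one statement but absent from another is
    still reported. Statements with no gap are omitted."""
    required = set(guardduty_principals(enabled_regions, opt_in_regions))
    gaps = {}
    for stmt in policy.get("Statement", []):
        trusted = _service_principals(stmt)
        if stmt.get("Effect") != "Allow" or not any(
                p.startswith("guardduty.") for p in trusted):
            continue
        missing = sorted(required - trusted)
        if missing:
            gaps[stmt.get("Sid", "<no Sid>")] = missing
    return gaps


if __name__ == "__main__":
    enabled = ["us-east-1", "eu-west-1", "ap-southeast-4"]   # sample input
    bucket, account = "arn:aws:s3:::example-guardduty-delivery", "111111111111"
    # Pre-fix state from the issue: only the global principal is trusted.
    broken = {"Version": "2012-10-17",
              "Statement": bucket_policy_statements(bucket, [GLOBAL_PRINCIPAL], account)}
    print("missing:", json.dumps(missing_principals(broken, enabled), indent=2))
    fixed_principals = guardduty_principals(enabled)
    fixed = {"Version": "2012-10-17",
             "Statement": bucket_policy_statements(bucket, fixed_principals, account)}
    print("after fix:", missing_principals(fixed, enabled))
    print(json.dumps(kms_key_statement(fixed_principals, account), indent=2))
```

Running the check against the delivery bucket policy and the key policy before rolling out the StackSet to a newly enabled opt-in Region turns the silent detector-creation timeout described above into an explicit list of principals to add.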