enables opt-in region for guardduty logging

src/deployments/cdk/src/deployments/guardduty/guardduty.ts

@@ -182,19 +182,42 @@ export async function step3(props: GuardDutyStep3Props) {
 export async function enableGuardDutyPolicy(props: GuardDutyStep3Props) {
   const { logBucket } = props;
 
+  const servicePrincipals = [new iam.ServicePrincipal('guardduty.amazonaws.com')];
+  const optinRegions = [
+    'af-south-1',
+    'ap-east-1',
+    'ap-south-2',
+    'ap-southeast-3',
+    'ap-southeast-4',
+    'ca-west-1',
+    'eu-central-2',
+    'eu-south-1',
+    'eu-south-2',
+    'il-central-1',
+    'me-central-1',
+    'me-south-1',
+  ];
+
+  optinRegions.map(optinRegion => {
+    if (props.config['global-options']['supported-regions'].includes(optinRegion)) {
+      // Ideally want to query aws account list-regions --region-opt-status-contains ENABLED, and intersect with what is configured
+      servicePrincipals.push(new iam.ServicePrincipal(`guardduty.${optinRegion}.amazonaws.com`));
+    }
+  });
+
   // Grant GuardDuty permission to logBucket: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html
   logBucket.addToResourcePolicy(
     new iam.PolicyStatement({
       actions: ['s3:GetBucketLocation', 's3:PutObject'],
-      principals: [new iam.ServicePrincipal('guardduty.amazonaws.com')],
+      principals: servicePrincipals,
       resources: [logBucket.bucketArn, logBucket.arnForObjects('*')],
     }),
   );
 
   logBucket.encryptionKey?.addToResourcePolicy(
     new iam.PolicyStatement({
       sid: 'Allow Guardduty to use the key',
-      principals: [new iam.ServicePrincipal('guardduty.amazonaws.com')],
+      principals: servicePrincipals,
       actions: ['kms:GenerateDataKey', 'kms:Encrypt'],
       resources: ['*'],
     }),