Describe the bug
The IAM policy AWSAccelerator-SessionManagerUserKMS-us-gov-west-1 is being created inconsistently across accounts. This policy grants EC2 instances the necessary KMS permissions (kms:Decrypt and kms:GenerateDataKey) to use Session Manager with KMS encryption.
The KMS key itself is created successfully in all accounts, but the IAM policy that allows EC2 instance roles to use this key is missing in some accounts, preventing Session Manager from functioning properly on EC2 instances in those accounts.
Policy content:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "arn:aws-us-gov:kms:us-gov-west-1::key/",
    "Effect": "Allow"
  }]
}
```
This policy is intended to be attached to EC2 instance roles to enable Session Manager connectivity with KMS encryption.
To Reproduce
- Deploy LZA using the configuration repository
- Check IAM policies across multiple accounts:
  - appsys02-dev (policy exists)
  - appsys03-dev (policy exists)
  - appsys04-dev (policy missing)
  - sandbox01 (policy missing)
- Verify the KMS key exists in all accounts (it does)
- Observe that AWSAccelerator-SessionManagerUserKMS-us-gov-west-1 exists in some accounts but not others
All accounts share the same global-config.yaml, iam-config.yaml, organization-config.yaml, and security-config.yaml. Only accounts-config.yaml and network-config.yaml have account-specific differences (IP ranges and naming conventions).
Expected behavior
The IAM policy AWSAccelerator-SessionManagerUserKMS-us-gov-west-1 should be created consistently across all accounts where Session Manager with KMS encryption is configured.
- Version: 1.14.2
- Region: us-gov-west-1
- Was the solution modified from the version published on this repository? Unknown - initial setup was performed by AWS ProServe
- If the answer to the previous question was yes, are the changes available on GitHub? N/A
- Have you checked your service quotas? Yes, there appear to be no service quota issues. We have a relatively new LZA Control Tower setup with few accounts and a small amount of actual resources
- Were there any errors in the CloudWatch Logs? No obvious errors found related to IAM policy creation
Additional context
- This is an AWS GovCloud (us-gov-west-1) deployment
- The KMS key for Session Manager is created successfully in ALL accounts
- The IAM policy to grant EC2 instances access to this KMS key is only created in SOME accounts (appsys02-dev, appsys03-dev) but missing in others (appsys04-dev, sandbox01)
- Without this policy, EC2 instances in affected accounts cannot use Session Manager with KMS encryption
- Initial LZA setup was performed by AWS ProServe
- This appears to be a policy provisioning issue rather than a KMS key creation issue
- Looking for guidance on:
  - What configuration drives the creation of this specific IAM policy?
  - Are there any account-level conditions that would cause this policy to be skipped?
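Added example, not code from the issue reporter or the LZA project: a small audit that checks every account for the AWSAccelerator-SessionManagerUserKMS-us-gov-west-1 policy and confirms it actually grants the two KMS actions Session Manager needs, so the drift described above is detected across all accounts instead of by inspecting consoles one at a time. The audit role name, the sample account id and the sample key id are placeholders; the collector assumes a role that can be assumed in each member account and that boto3 is installed.

```python
# Added audit helper (not LZA code). The policy name, actions and partition come
# from the issue; the audit role name and the sample key ARN are placeholders.
POLICY_NAME = "AWSAccelerator-SessionManagerUserKMS-us-gov-west-1"
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}

def policy_grants_kms(document: dict) -> bool:
    """True if an Allow statement grants both KMS actions Session Manager needs."""
    for stmt in document.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") == "Allow" and REQUIRED_ACTIONS <= actions:
            return True
    return False

def audit(inventory: dict[str, list[dict]]) -> dict[str, str]:
    """Map account name -> 'ok' | 'missing' | 'wrong-actions' for the SSM KMS policy."""
    result = {}
    for account, policies in inventory.items():
        match = [p for p in policies if p["PolicyName"] == POLICY_NAME]
        if not match:
            result[account] = "missing"
        else:
            result[account] = "ok" if policy_grants_kms(match[0]["Document"]) else "wrong-actions"
    return result

def collect_account_policies(account_id: str, role_name: str, region: str = "us-gov-west-1") -> list[dict]:
    """Assume role_name (placeholder; must exist in the member account) and return matching policy documents."""
    import boto3  # imported here so policy_grants_kms() and audit() run offline without it
    creds = boto3.client("sts", region_name=region).assume_role(
        RoleArn=f"arn:aws-us-gov:iam::{account_id}:role/{role_name}",
        RoleSessionName="ssm-kms-policy-audit")["Credentials"]
    iam = boto3.client("iam", region_name=region, aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    found = []
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):  # customer-managed only
        for pol in page["Policies"]:
            if pol["PolicyName"] == POLICY_NAME:
                doc = iam.get_policy_version(PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
                found.append({"PolicyName": pol["PolicyName"], "Document": doc["PolicyVersion"]["Document"]})
    return found

# Constructed sample mirroring the issue: two accounts carry the policy, two do not.
SSM_KMS_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
               "Resource": "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/PLACEHOLDER-KEY-ID"}]}
SAMPLE_INVENTORY = {
    "appsys02-dev": [{"PolicyName": POLICY_NAME, "Document": SSM_KMS_DOC}],
    "appsys03-dev": [{"PolicyName": POLICY_NAME, "Document": SSM_KMS_DOC}],
    "appsys04-dev": [],
    "sandbox01": [{"PolicyName": "UnrelatedPolicy", "Document": {"Statement": []}}],
}
```

Against live accounts, build the inventory as `{name: collect_account_policies(account_id, "YOUR-AUDIT-ROLE") for name, account_id in accounts.items()}` and pass it to `audit()`; `audit(SAMPLE_INVENTORY)` reproduces the split reported here offline.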