A DevOps engineer manages a CloudFormation StackSet in service-managed permission mode, deployed from the organization's management account to an OU containing 40 member accounts. The StackSet provisions a standardized IAM role and an S3 bucket with a specific KMS-encrypted policy in each account. After a recent security initiative, the security team attached a new Service Control Policy (SCP) to the OU that denies all s3:PutEncryptionConfiguration and kms:CreateGrant actions unless a specific tag condition is met. The next StackSet operation fails in every target account during resource creation. The engineer needs the standardized resources to deploy successfully across all 40 accounts while keeping the SCP guardrail intact. What is the MOST appropriate action?