chore: scope down default permissions

[huanjani]

This disallows the Task Role and Instance Role from assuming Copilot-tagged roles (like EnvManager Role), and scopes down permissions of the CFN Execution Role].

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

[github-actions]

🍕 Here are the new binary sizes!

Name	New size (kiB)	size (kiB)	Delta (%)
macOS (amd)	52208	51976	+0.45
macOS (arm)	53064	52812	+0.48
linux (amd)	45924	45716	+0.45
linux (arm)	45252	45060	+0.43
windows (amd)	43368	43168	+0.46

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.91%. Comparing base (c30e076) to head (0b99b00).
⚠️ Report is 212 commits behind head on mainline.

Additional details and impacted files

@@            Coverage Diff            @@
##           mainline    #5423   +/-   ##
=========================================
  Coverage     69.91%   69.91%           
=========================================
  Files           299      299           
  Lines         45484    45484           
  Branches        295      295           
=========================================
  Hits          31799    31799           
  Misses        12140    12140           
  Partials       1545     1545           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.