
fix: replace AmazonEC2RoleforSSM with AmazonSSMManagedInstanceCore managed policy#176

Merged
lucaspin merged 4 commits into renderedtext:master from lyoung-confluent:patch-2 on Jul 29, 2025

Conversation

@lyoung-confluent
Contributor

@lyoung-confluent lyoung-confluent commented Jul 28, 2025

The AmazonEC2RoleforSSM managed policy is overly broad: it includes arbitrary read/write to any S3 bucket in the same AWS account:

  {
      "Effect" : "Allow",
      "Action" : [
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetEncryptionConfiguration",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource" : "*"
  }

Additionally, this policy is deprecated by AWS:

This policy will soon be deprecated. Please use AmazonSSMManagedInstanceCore policy to enable AWS Systems Manager service core functionality on EC2 instances. For more information see https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html

This PR swaps to the recommended policy, which is correctly scoped: AmazonSSMManagedInstanceCore.
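An added audit check, example code that is not part of this PR or of the agent-aws-stack project, for the two problems raised above: the deprecated managed policy being attached to an instance-profile role, and any Allow statement that grants S3 object access on Resource "*". It works on policy documents supplied offline (no AWS calls); the sample documents are constructed from the statement quoted in the description, and the replacement ARN is assumed to sit directly under /policy/ rather than the /policy/service-role/ path that the CI error reports as missing.

```python
import fnmatch

# Managed-policy ARNs from this PR. The replacement is assumed to live directly
# under /policy/, not /policy/service-role/ (the path the failing CI run tried).
DEPRECATED_SSM_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
RECOMMENDED_SSM_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Object-data actions; granting them on "*" reaches every bucket in the account.
S3_DATA_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")
ALL_BUCKETS = {"*", "arn:aws:s3:::*"}

def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def broad_s3_statements(policy_doc):
    """Per offending Allow statement, the S3 data actions it grants on all buckets."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may be wildcards (s3:*, s3:Get*).
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hit = [a for a in S3_DATA_ACTIONS
               if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if hit and ALL_BUCKETS & set(_as_list(stmt.get("Resource", []))):
            findings.append(hit)
    return findings

def audit_role(attached):
    """attached maps managed-policy ARN -> its policy document (dict).
    Returns human-readable findings; an empty list means the role is clean."""
    findings = []
    for arn, doc in attached.items():
        if arn == DEPRECATED_SSM_POLICY:
            findings.append(f"deprecated policy attached: {arn}; use {RECOMMENDED_SSM_POLICY}")
        for actions in broad_s3_statements(doc):
            findings.append(f"{arn} allows {', '.join(actions)} on every S3 bucket")
    return findings

# Constructed sample: the statement quoted in the PR description, wrapped in a document.
BROAD_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetBucketLocation", "s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": "*"}]}
# Constructed sample of a correctly scoped grant: one prefix in one bucket, not "*".
SCOPED_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/agent/*"}]}
```

Feed it the documents returned by `iam:GetPolicyVersion` for each ARN from `iam:ListAttachedRolePolicies` to run it against a real role.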

@lucaspin
Contributor

/sem-approve

@lucaspin
Contributor

@lyoung-confluent getting this error during CI:

agent-aws-stack-linux | 12:28:48 PM | CREATE_FAILED        | AWS::IAM::Role                      | AwsSemaphoreAgentStack/instanceProfileRole (instanceProfileRole47059124) Resource handler returned message: "Policy arn:aws:iam::aws:policy/service-role/AmazonSSMManagedInstanceCore does not exist or is not attachable. (Service: Iam, Status Code: 404, Request ID: 7b2dfe45-bfb3-4cc4-8e1a-436bb03b925a) (SDK Attempt Count: 1)" (RequestToken: 35971a41-4d91-ae90-c6c9-35965bb10124, HandlerErrorCode: NotFound)

@lyoung-confluent
Contributor Author

@lucaspin Looks like the ARN changed format a tiny bit too per the docs, fixed (I think)

@lucaspin
Contributor

/sem-approve

@lucaspin lucaspin merged commit fb5b532 into renderedtext:master Jul 29, 2025
1 check passed
@lucaspin
Contributor

Everything's ✅ now. Thanks @lyoung-confluent!
