elastic / elastic-serverless-forwarder

Elastic Serverless Forwarder

Use custom policy with restricted resource to replace managed policies #693

Open kaiyan-sheng opened 2 months ago

kaiyan-sheng commented 2 months ago

What does this PR do?

Elastic Serverless Forwarder Lambda Role uses the following AWS managed policies:

AWSLambdaSQSQueueExecutionRole
AWSLambdaKinesisExecutionRole
AWSLambdaBasicExecutionRole
AWSLambdaVPCAccessExecutionRole

All the above roles have attached policies with wildcard Resource statements (i.e., "Resource": "*"). In order to limit the resource here, I'm replacing these policies with custom policies.

Why is it important?

Security concern: the IAM definition includes too many wildcards. https://github.com/elastic/elastic-serverless-forwarder/issues/266

Checklist
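To make the review point concrete, here is an added example (not code from the elastic-serverless-forwarder repository or this PR) that flags policy statements granting Allow on "Resource": "*" and builds a custom policy scoped to named ARNs in place of the managed ones. The action lists are my reading of the AWS-managed policies named above and the ARNs are constructed placeholders; the VPC (ENI) grants are left out because scoping them needs subnet and security-group ARNs beyond this example.

```python
# Actions AWS evaluates only at account level; "*" is the only valid Resource
# for them (assumption: limited to the one action this example needs).
ACCOUNT_LEVEL_ACTIONS = {"kinesis:ListStreams"}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_statements(policy: dict) -> list[dict]:
    """Return Allow statements with Resource "*" that could have been scoped to an ARN."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        # "*" is acceptable only when every action in the statement is account-level.
        if all(a in ACCOUNT_LEVEL_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        flagged.append(stmt)
    return flagged


# Constructed stand-in for AWSLambdaSQSQueueExecutionRole: every Resource is "*".
MANAGED_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
    ],
}


def scoped_esf_policy(queue_arn: str, stream_arn: str, log_group_arn: str) -> dict:
    """Custom policy for the SQS, Kinesis and logging grants, tied to named resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": queue_arn,
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]},
            {"Effect": "Allow", "Resource": stream_arn,
             "Action": ["kinesis:DescribeStream", "kinesis:DescribeStreamSummary",
                        "kinesis:GetRecords", "kinesis:GetShardIterator",
                        "kinesis:ListShards", "kinesis:SubscribeToShard"]},
            {"Effect": "Allow", "Resource": "*", "Action": ["kinesis:ListStreams"]},
            {"Effect": "Allow", "Resource": [log_group_arn, f"{log_group_arn}:*"],
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        ],
    }
```

Running `wildcard_statements` over the managed-style document flags both statements, while the scoped document passes with only the account-level `kinesis:ListStreams` statement still on "*".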

constanca-m commented 2 months ago

I had a look again to try to understand where these policies come from, and I believe it depends on the way we are deploying ESF.

So if we use the Terraform files (private repo), we do not use managed policies like AWSLambdaSQSQueueExecutionRole, but instead grant the right permissions to the right resources. The exception is the use of the policy AWSLambdaBasicExecutionRole. This would have to be changed as well.

For the publish script, you are already covering the cases in the changed file.

I don't think we are using managed policies anywhere else, but it is best to double check.