
Add SSM to API instances and grant support access #4

Open
wants to merge 1 commit into base: main from

Conversation

ncc-erik-steringer (Owner)

In this demo, we put SSM on our API instances and give the support role access to SSM actions. This should result in a PMapper test failing since we're not supposed to give support roles access to other roles.

@github-actions

PMapper Test Results:

test_no_privesc (test_permissions.TestAuthorizationBoundaries)
Ensure that nobody can escalate their privileges from non-admin to admin. ... ok
test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of the S3 buckets. ... FAIL
test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other users or roles in the account. ... FAIL

======================================================================
FAIL: test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of the S3 buckets.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_permissions.py", line 82, in test_support_cannot_put
    self.fail('Support was allowed to upload files to S3:\n\n{}'.format(
AssertionError: Support was allowed to upload files to S3:

* role/support-staff is allowed to call s3:PutObject for arn:aws:s3:::tktk-service-api-logs/test_object

======================================================================
FAIL: test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other users or roles in the account.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_permissions.py", line 95, in test_support_has_no_edges
    self.fail('The support staff role had access to other users or roles in the account:\n\n{}'.format(
AssertionError: The support staff role had access to other users or roles in the account:

role/support-staff can call ssm:SendCommand to access an EC2 instance with access to role/APIEC2BackendHostRole
role/support-staff can call ssm:StartSession to access an EC2 instance with access to role/APIEC2BackendHostRole

----------------------------------------------------------------------
Ran 3 tests in 0.129s

FAILED (failures=2)
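A toy model of the edge check behind the test_support_has_no_edges failure above, added here as an illustration; it is not PMapper's code and not the Aerides test code, and the instance inventory, account ID, tags and the scoped alternative policy are assumptions. As the two edge lines in the report show, PMapper treats a principal that can run ssm:SendCommand or ssm:StartSession against an instance as able to reach whatever role that instance's profile carries. The block reproduces that reasoning over a simplified IAM evaluator (Allow/Deny, action and resource wildcards, and the ssm:resourceTag/<key> condition key) and contrasts the broad grant with one scoped to tagged instances:

```python
"""Toy model of the PMapper SSM edge check whose failure is shown above.

Added illustration only: neither PMapper's code nor the Aerides test code.
It evaluates simplified IAM policies against a constructed instance inventory
and reports which instance-profile roles a principal can reach over SSM.
"""
import fnmatch

SSM_EDGE_ACTIONS = ("ssm:SendCommand", "ssm:StartSession")

# Constructed inventory (assumption): the API instance carries the backend
# role through its instance profile; a sandbox box has no profile at all.
INSTANCES = [
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaaaaaaaaaaaaaaa",
     "tags": {"Tier": "api"}, "profile_role": "role/APIEC2BackendHostRole"},
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbbbbbbbbbbbbbbb",
     "tags": {"Tier": "support-sandbox"}, "profile_role": None},
]

# The kind of grant this PR makes: the SSM actions against every instance.
BROAD_SUPPORT_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": list(SSM_EDGE_ACTIONS), "Resource": "*"},
    ]
}

# Assumed alternative: the same actions, but only on instances tagged
# Tier=support-sandbox, expressed with the ssm:resourceTag/<key> condition key.
SCOPED_SUPPORT_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": list(SSM_EDGE_ACTIONS),
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ssm:resourceTag/Tier": "support-sandbox"}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' spans any characters (including ':' and '/'), '?' one.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(condition, instance):
    """Only StringEquals on ssm:resourceTag/<key> is modelled; anything else
    raises so an unmodelled condition cannot silently evaluate as allowed."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            if not key.startswith("ssm:resourceTag/"):
                raise NotImplementedError(f"condition key {key}")
            tag_key = key[len("ssm:resourceTag/"):]
            if instance["tags"].get(tag_key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, instance):
    """IAM-style decision for one action on one instance: an applicable
    explicit Deny wins, otherwise any applicable Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, instance["arn"]) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), instance):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def ssm_edges(principal, policy, instances):
    """Edges in the same shape as the PMapper output above: the principal
    reaches an instance-profile role by running SSM against its instance."""
    edges = []
    for inst in instances:
        if inst["profile_role"] is None:
            continue  # no instance profile, so no role to pivot into
        for action in SSM_EDGE_ACTIONS:
            if is_allowed(policy, action, inst):
                edges.append(f"{principal} can call {action} to access an EC2 "
                             f"instance with access to {inst['profile_role']}")
    return edges


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_SUPPORT_POLICY), ("scoped", SCOPED_SUPPORT_POLICY)):
        print(f"[{name}]")
        for line in ssm_edges("role/support-staff", policy, INSTANCES) or ["(no edges)"]:
            print("  " + line)
```

The scoped policy loses the edge to APIEC2BackendHostRole only because the API instance does not carry the Tier=support-sandbox tag, so anyone who can call ec2:CreateTags on that instance could reopen the path; the tag key needs its own guard. The model also leaves out the SSM document resources that real SendCommand and StartSession authorization involves, and it refuses rather than guesses on condition operators it does not know.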

@github-actions

Scout Suite Test Results:

test_ec2_no_ports_open_to_all (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify that none of the security groups have a port open to 0.0.0.0/0 ... ok
test_iam_no_inline_notaction (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify no inline IAM Policies (for Users/Roles/Groups) use the NotAction field ... ok
test_iam_no_inline_passrole (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify there are no inline policies granting iam:PassRole for * ... ok

----------------------------------------------------------------------
Ran 3 tests in 0.009s

OK
