fix: block ssm:StartSession for ec2 and managed instances (#387)

Update the SCP so that ssm:StartSession is blocked for EC2 and SSM
managed instances.

Author: patheard

terragrunt/org_account/organization/scp_deny_ec2_connect.tf

@@ -11,8 +11,18 @@ data "aws_iam_policy_document" "scp_deny_ec2_connect" {
       "*"
     ]
   }
-}
 
+  statement {
+    effect = "Deny"
+    actions = [
+      "ssm:StartSession"
+    ]
+    resources = [
+      "arn:aws:ec2:*:*:instance/*",
+      "arn:aws:ssm:*:*:managed-instance/*"
+    ]
+  }
+}
 
 resource "aws_organizations_policy" "scp_deny_ec2_connect" {
   name        = "Deny EC2 Instance Connect"