We should add a flag to prevent tasks from using the instance profile's permissions and require that a task role be used instead: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
Assuming that most tasks are started in bridge network mode, we can run this as part of the cloud-init for the cluster:
# "service iptables save" needs the iptables-services package on Amazon Linux
sudo yum install -y iptables-services
sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP
sudo service iptables save
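As an added example (not code from this issue or from the project), a cloud-init user-data script that does what the comment above proposes: it installs the IMDS block rule, persists it across reboots, and switches the ECS agent to task IAM roles so tasks cannot fall back on the instance profile. Assumptions: the Amazon Linux 2 ECS-optimized AMI (yum, iptables-services, /etc/ecs/ecs.config), and a placeholder cluster name. Two things differ from the two-liner above, on purpose: the rule goes into Docker's DOCKER-USER chain rather than FORWARD, because Docker re-creates its own FORWARD rules on restart and can end up above a rule inserted at position 1, whereas DOCKER-USER is evaluated first and left alone; and ECS_AWSVPC_BLOCK_IMDS is set, because the docker+ interface match only covers bridge-mode tasks, not awsvpc. Tasks in host network mode share the instance's network namespace and cannot be blocked by either mechanism. The ruleset_blocks_imds helper is the post-install check: run it against iptables-save output to confirm the rule actually landed.

```bash
#!/bin/bash
# Added example, not from the original issue or the project it belongs to.
# cloud-init user data for an ECS container instance: block IMDS
# (169.254.169.254) from bridge-mode containers with iptables, and turn on
# task IAM roles in the ECS agent config so tasks must use a task role.
# Assumes the Amazon Linux 2 ECS-optimized AMI (yum, iptables-services,
# /etc/ecs/ecs.config). CLUSTER_NAME is a placeholder (assumption).
set -u

IMDS_DST=169.254.169.254/32
CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"   # placeholder, assumption

# The rule that gets installed. DOCKER-USER is evaluated before Docker's own
# FORWARD rules and is not touched when Docker restarts, unlike a rule
# inserted at the top of FORWARD, which Docker's re-inserted rules can push down.
imds_block_rule() {
  printf -- '-I DOCKER-USER 1 -i docker+ -d %s -j DROP\n' "$IMDS_DST"
}

# Check an iptables-save dump ($1) for a DROP of IMDS traffic arriving on a
# docker+ interface, in either DOCKER-USER or FORWARD. Exit status 0 = blocked.
ruleset_blocks_imds() {
  printf '%s\n' "$1" \
    | grep -E -- '^-A (DOCKER-USER|FORWARD) ' \
    | grep -F -- "-d $IMDS_DST" \
    | grep -F -- '-i docker+' \
    | grep -Fq -- '-j DROP'
}

install_imds_block() {
  yum install -y iptables-services
  # Docker creates DOCKER-USER itself on start; create it now in case Docker
  # is not up yet (Docker keeps an existing chain and adds the FORWARD jump).
  iptables -N DOCKER-USER 2>/dev/null || true
  # shellcheck disable=SC2046  # the rule contains no whitespace-bearing arguments
  iptables $(imds_block_rule)
  iptables-save > /etc/sysconfig/iptables   # what "service iptables save" writes
  systemctl enable --now iptables           # restore the saved rules on reboot
}

configure_ecs_agent() {
  cat >> /etc/ecs/ecs.config <<EOF
ECS_CLUSTER=${CLUSTER_NAME}
ECS_ENABLE_TASK_IAM_ROLE=true
ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true
ECS_AWSVPC_BLOCK_IMDS=true
EOF
}

# Constructed iptables-save excerpt (iptables-save prints -d before -i) as it
# looks after the rule above is installed; lets the check be exercised offline.
SAMPLE_SAVED_RULESET='*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -d 169.254.169.254/32 -i docker+ -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Only act when actually running as root on a container instance.
if [ "$(id -u)" -eq 0 ] && [ -f /etc/ecs/ecs.config ] && command -v yum >/dev/null 2>&1; then
  install_imds_block
  configure_ecs_agent
  ruleset_blocks_imds "$(iptables-save)" || { echo "IMDS block rule missing" >&2; exit 1; }
fi
```

To confirm the block from the task side, run a bridge-mode task and call `curl -m 2 http://169.254.169.254/latest/meta-data/iam/security-credentials/` from inside the container; it should time out rather than return the instance role name. The same request from a task with a task role still works, because the agent serves task credentials from 169.254.170.2, which this rule does not touch.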