Batch IAM role best practices #149

Closed
jkeifer opened this issue Aug 24, 2022 · 0 comments · Fixed by #150
jkeifer commented Aug 24, 2022

After some questions and testing, I have established the following best practices around batch IAM roles:

  • The service role is not required on compute environments. A default service role is created automatically when creating the first compute environment that has that role unspecified.
  • The compute environment instance role should not have any additional permissions added to it beyond those required for ECS. Strangely, it is required, and because it is passed to EC2 instances it actually requires an associated profile. We create all that in the cirrus-geo built-ins.
  • Custom permissions required by a batch job should be specified on a role specific to that batch job, and provided as the job definition job role.

The purpose of a batch job execution role is still unclear to me, and I see no reason to use it (save for with fargate tasks where it is required, but I haven't used those so I don't know what all it needs permissions-wise). Unless, of course, someone can provide an explanation what problems it can solve better than the other roles.

As a result, here are three clear action items for cirrus:

  • All the custom perms we've been stuffing into the instance role should move to a batch job role (specified on the batch job via JobRoleArn in the ContainerProperties). We can create a builtin role named BatchJobRole with the base set of permissions, but encourage users to create one role per task with the unique set of permissions per task specified there.
  • We should remove the BatchServiceRole and all references to it.
  • The BatchInstanceRole should be updated to have the ECS permission set and nothing more.
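The three action items above, written out as an added CloudFormation fragment (constructed for illustration, not cirrus-geo's own templates): an instance role carrying only the ECS managed policy plus the instance profile EC2 needs, a per-task job role holding the custom permissions, and a job definition that attaches that role through JobRoleArn in ContainerProperties. The bucket name, image and resource names are placeholders.

```yaml
# Constructed CloudFormation fragment (not cirrus-geo code); bucket and image are placeholders.
Resources:
  # Instance role: ECS agent permissions only, no task-specific grants.
  BatchInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
  # EC2 attaches a profile, not a bare role, so the instance role needs one.
  BatchInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref BatchInstanceRole]
  # One job role per task; the container assumes it via the ECS agent.
  ExampleTaskJobRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: example-task-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject]
                Resource: arn:aws:s3:::EXAMPLE-BUCKET/*
  # Job definition: custom permissions arrive via JobRoleArn, not the instance role.
  ExampleTaskJobDefinition:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      ContainerProperties:
        Image: EXAMPLE-IMAGE
        JobRoleArn: !GetAtt ExampleTaskJobRole.Arn
        ResourceRequirements:
          - { Type: VCPU, Value: "1" }
          - { Type: MEMORY, Value: "2048" }
```

The compute environment (omitted here for length) then references `!GetAtt BatchInstanceProfile.Arn` as its InstanceRole and sets no ServiceRole, letting Batch create the default service-linked role on first use.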
@jkeifer jkeifer added this to the 0.7.0 milestone Aug 24, 2022
@jkeifer jkeifer self-assigned this Aug 24, 2022
jkeifer added a commit that referenced this issue Aug 24, 2022
@jkeifer jkeifer linked a pull request Sep 8, 2022 that will close this issue
jkeifer added a commit that referenced this issue Sep 13, 2022