Overly permissive roles for AFT

[balualways]

The IAM Roles created as part of AFT Bootstrap process of the workshop - AWSAFTService and AWSAFTExecution have trust policies which allow the role to be assumed by principals outside of aws organization.

This may result in security incidents in most organizations

[wellsiau-aws]

@balualways - thanks for reporting this issue. This repo is only for sample instruction and code as part of the workshop. I think your issue is best to be reported to the main AFT repo: https://github.com/aws-ia/terraform-aws-control_tower_account_factory