
feat(s3-deployment): apply least privilege to destination bucket policies 2#36992

Open
amandladev wants to merge 14 commits intoaws:mainfrom
amandladev:feature/s3-deployment-permissions-least-privilege

Conversation

@amandladev
Contributor

Introduction

This change improves security by scoping IAM policies to the specific
destination key prefix instead of granting access to all bucket objects.

Changes:

  • IAM policies now grant access to /<destinationKeyPrefix>/* instead of /*
  • When destinationKeyPrefix is specified (e.g., 'deploy/here/', 'efs/'), the Lambda execution role only receives permissions for that specific prefix
  • Deployments without a prefix continue to work as before with /* access
  • Applies to both standard deployments and EFS-backed deployments

Security Benefits:

  • Follows the principle of least privilege
  • Multiple deployments to the same bucket are now isolated by prefix
  • Reduces blast radius if deployment Lambda credentials are compromised
  • Prevents accidental cross-deployment modifications

Affected Use Cases:
✅ Deployment with prefix: destinationKeyPrefix: 'deploy/here/'
✅ EFS-backed deployment: destinationKeyPrefix: 'efs/', useEfs: true
✅ Multiple deployments to same bucket with different prefixes
✅ Deployments without prefix (unchanged behavior)

Testing:

  • Updated integration tests for all deployment scenarios
  • Verified snapshots for standard, EFS, and prefixed deployments
  • All existing functionality preserved with improved security posture

Fixes #35610
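The PR's diff is not shown on this page, so the following is an added example (not aws-cdk's own code) that models the prefix scoping described above and runs a least-privilege check over a constructed IAM policy document of the shape CloudFormation emits; the function names, the sample bucket ARN and the leading-slash normalization are assumptions.

```typescript
// Added example, not aws-cdk code. Models "<bucketArn>/<destinationKeyPrefix>*"
// versus the unchanged "<bucketArn>/*" grant, and flags object grants that are
// wider than the prefix-scoped ARN a deployment should receive.
interface Statement { Effect: string; Action: string | string[]; Resource: string | string[] }
interface PolicyDocument { Version: string; Statement: Statement[] }

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Expected object-level resource ARN for a deployment (helper name assumed).
function objectResourceArn(bucketArn: string, destinationKeyPrefix?: string): string {
  if (!destinationKeyPrefix) return `${bucketArn}/*`;          // no prefix: unchanged /* access
  const prefix = destinationKeyPrefix.replace(/^\/+/, '');      // assumption: leading slashes dropped
  return `${bucketArn}/${prefix}*`;
}

// True when the granted glob covers at least everything the expected glob covers.
function covers(granted: string, expected: string): boolean {
  if (granted === '*') return true;
  if (!granted.endsWith('*')) return false;
  return expected.startsWith(granted.slice(0, -1));
}

// Returns object-level resources in this bucket that are wider than the expected
// prefix-scoped ARN. An empty result means object access is least-privilege.
function overbroadObjectGrants(doc: PolicyDocument, bucketArn: string, destinationKeyPrefix?: string): string[] {
  const expected = objectResourceArn(bucketArn, destinationKeyPrefix);
  const findings: string[] = [];
  for (const st of doc.Statement) {
    if (st.Effect !== 'Allow') continue;
    // Only statements that can read, write or delete objects matter here.
    if (!asList(st.Action).some(a => /^s3:(\*|(Get|Put|Delete)Object)/i.test(a))) continue;
    for (const r of asList(st.Resource)) {
      if (r !== '*' && !r.startsWith(`${bucketArn}/`)) continue;   // bucket-level or other ARNs
      if (r !== expected && covers(r, expected)) findings.push(r);
    }
  }
  return findings;
}

// Constructed sample: the pre-change shape, granting /* on the whole bucket.
const SAMPLE_BUCKET_ARN = 'arn:aws:s3:::example-deploy-bucket';
const WIDE_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['s3:GetObject*', 's3:PutObject*', 's3:DeleteObject*'],
                Resource: [SAMPLE_BUCKET_ARN, `${SAMPLE_BUCKET_ARN}/*`] }],
};
```

With destinationKeyPrefix 'deploy/here/', the sample policy is reported as over-broad; replacing its object resource with objectResourceArn(SAMPLE_BUCKET_ARN, 'deploy/here/') clears the finding.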

@github-actions github-actions bot added effort/medium Medium work item – several days of effort beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK feature-request A feature should be added or improved. p1 labels Feb 14, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team February 14, 2026 17:41
@github-actions
Contributor

github-actions bot commented Feb 14, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.

Tests | Passed ✅ | Skipped | Failed
Security Guardian Results (96 ran) | 96 passed | |
Test result: No test annotations available

@github-actions
Contributor

github-actions bot commented Feb 14, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merging from main to avoid findings unrelated to the PR.

Tests | Passed ✅ | Skipped | Failed
Security Guardian Results with resolved templates (96 ran) | 96 passed | |
Test result: No test annotations available

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Feb 14, 2026
@aws-cdk-automation
Collaborator

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. Note that PRs with a failing linting check or build are not reviewed; please ensure your build is passing.

To prevent automatic closure:

  • Resume work on the PR
  • OR request an exemption by adding a comment containing 'Exemption Request' with justification, e.g. "Exemption Request: "
  • OR request clarification by adding a comment containing 'Clarification Request' with a question, e.g. "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.



Development

Successfully merging this pull request may close these issues.

(aws-s3-deployment): BucketDeployment grants itself wider permissions than needed

3 participants