terraform-aws-gitlab-runner

chore: fix TfSec issues

Open kayman-mk opened this issue 3 years ago • 0 comments

Description

This PR fixes all mentioned TfSec issues reported by the pipeline.

  • encrypt all resources either with the provided/generated customer managed key or the default AWS key
  • use an ARN in policies instead of *
  • remove unnecessary policies
  • allow activation of X-Ray tracing via variable

Migrations required

No

Verification

  • [ ] deploy/destroy runner-default
  • [ ] termination lambda can write logs
  • [ ] runners can still access the cache
  • [ ] access logs are written if the feature is enabled
  • [ ] update Hapag-Lloyd runners to this version and ensure everything is running

kayman-mk, Oct 12 '22 18:10