moto
shield: validate_resource_arn accepts any EC2 ARN instead of just Elastic IP ARNs
Currently, the implementation for the mocked create_protection for Shield relies on validate_resource_arn to filter only valid resource ARNs to protect.
According to the Shield documentation:
You can use Shield Advanced for advanced monitoring and protection with the following resource types:
* Amazon EC2 Elastic IP addresses. Shield Advanced protects the resources that are associated with protected Elastic IP addresses.
...
* Amazon EC2 instances, through association to Amazon EC2 Elastic IP addresses.
...
* Network Load Balancers, through associations to Amazon EC2 Elastic IP addresses.
This seems to imply that users should not be able to protect EC2 instances directly, so validate_resource_arn can be narrowed to Elastic IP addresses instead of accepting any EC2 resource.
From:
arn:${Partition}:ec2:...
To:
arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}
References:
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-protections-by-resource-type.html
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-elastic-ip
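The narrowing described above, as an added illustration that is not moto's own code: a permissive "before" matcher that accepts any arn:${Partition}:ec2:... resource, beside a "after" matcher restricted to elastic-ip/${AllocationId}. The regexes, the allocation-id format (eipalloc-<hex>), the partition list and the sample ARNs are all assumptions constructed for this example; the only point taken from the issue is which resource type Shield should accept.

```python
import re

# Constructed sample ARNs for the demonstration (placeholder account id,
# not real resources). The allocation-id shape is an assumption.
EIP_ARN = "arn:aws:ec2:us-east-1:123456789012:elastic-ip/eipalloc-0123456789abcdef0"
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
ENI_ARN = "arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0123456789abcdef0"

# "Before": anything under the ec2 service passes, so an instance or an ENI ARN
# is accepted even though Shield cannot protect those directly.
# This approximates the arn:${Partition}:ec2:... pattern quoted in the issue;
# the exact expression moto uses is an assumption here.
EC2_ANY_PATTERN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):ec2:[a-z0-9-]*:\d{12}:.+$"
)

# "After": only the Elastic IP resource type, i.e.
# arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}.
# Region is required (Elastic IPs are regional); allocation ids are eipalloc-<hex>.
EC2_EIP_PATTERN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):ec2:[a-z0-9-]+:\d{12}:elastic-ip/eipalloc-[0-9a-f]+$"
)


def validate_resource_arn_before(arn: str) -> bool:
    """Permissive check: any EC2 ARN is treated as protectable."""
    return EC2_ANY_PATTERN.match(arn) is not None


def validate_resource_arn_after(arn: str) -> bool:
    """Narrowed check: only Elastic IP ARNs are treated as protectable."""
    return EC2_EIP_PATTERN.match(arn) is not None


def create_protection(resource_arn: str, validator=validate_resource_arn_after) -> str:
    """Hypothetical stand-in for a mocked create_protection: reject the ARN
    with a ValueError unless the validator accepts it, otherwise return it
    unchanged to show it was accepted. Not moto's API."""
    if not validator(resource_arn):
        raise ValueError(f"resource ARN is not a protectable Elastic IP: {resource_arn}")
    return resource_arn


def compare(arns):
    """Return {arn: (before, after)} so the difference between the two
    matchers is visible side by side for a list of ARNs."""
    return {
        arn: (validate_resource_arn_before(arn), validate_resource_arn_after(arn))
        for arn in arns
    }


if __name__ == "__main__":
    for arn, (before, after) in compare([EIP_ARN, INSTANCE_ARN, ENI_ARN]).items():
        print(f"{arn}\n  before={before} after={after}")
```

Running the block shows the Elastic IP ARN accepted by both matchers while the instance and network-interface ARNs pass only the permissive one, which is the behaviour the issue asks to remove.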