simpleinfra
Scope down promote_release IAM role S3 permissions
Based on my limited understanding of the promote_release role, it only needs to read and delete objects from the artifacts bucket and doesn't need to write anything there. This change removes s3:PutObject and s3:PutObjectAcl permissions on the artifacts bucket from the promote_release role. I have tested with terraform validate (with some local mods to, e.g., bucket names) but I am not able to validate this any further. Any feedback would be welcome.
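
One way to check the effect this change describes, as an added example that is not part of the pull request or the simpleinfra repository: a small policy audit that reports whether an IAM policy document still allows `s3:PutObject` or `s3:PutObjectAcl` on a bucket's objects, including through wildcards. The bucket name, Sids and policy documents are constructed, the read and delete actions are assumed to be `s3:GetObject` and `s3:DeleteObject`, and the resource match is an approximation.

```python
import re

# The two actions the PR description removes from the role on the artifacts bucket.
REMOVED_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl")

def _as_list(value):
    # IAM accepts a single item or a list for Statement, Action and Resource.
    return list(value) if isinstance(value, list) else [value]

def _iam_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _covers_bucket_objects(resource, bucket_arn):
    # Approximation: the pattern is rooted under the bucket or matches a probe key in it.
    return resource.startswith(bucket_arn + "/") or _iam_match(resource, bucket_arn + "/probe-key")

def write_grants(policy, bucket_arn):
    """Return sorted (Sid, action) pairs where an Allow still grants a removed action."""
    findings = set()
    for stmt in _as_list(policy["Statement"]):
        # Deny, NotAction and NotResource statements are not evaluated here.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        if not any(_covers_bucket_objects(r, bucket_arn) for r in _as_list(stmt["Resource"])):
            continue
        for action in REMOVED_ACTIONS:
            if any(_iam_match(p, action, ignore_case=True) for p in _as_list(stmt["Action"])):
                findings.add((stmt.get("Sid", "<no Sid>"), action))
    return sorted(findings)

# Constructed sample data (assumptions, not the repository's real policy or bucket name).
BUCKET = "arn:aws:s3:::example-artifacts-bucket"
def _policy(sid, actions, resource):
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}]}

BEFORE = _policy("ArtifactsObjects", ["s3:GetObject", "s3:DeleteObject", "s3:PutObject", "s3:PutObjectAcl"], BUCKET + "/*")
AFTER = _policy("ArtifactsObjects", ["s3:GetObject", "s3:DeleteObject"], BUCKET + "/*")
# A leftover wildcard grant elsewhere in the policy would undo the scoping.
WILDCARD = _policy("Wild", "s3:Put*", "arn:aws:s3:::*")

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER), ("wildcard", WILDCARD)):
        print(name, write_grants(pol, BUCKET))
```

An empty result for the rendered policy is a static check only; it does not show that the release process works without the write permissions.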