
Limit Scope of AWS IAM Permissions Generated by Cloud-Credential-Operator

    • To Do
    • OCPSTRAT-788 - Improve Cloud Credentials Operator (CCO) and Hive security posture

      1. Proposed title of this feature request
      Limit Scope of AWS IAM Permissions Generated by Cloud-Credential-Operator.

      2. What is the nature and description of the request?
      Please review the IAM permissions the CCO currently provides and reduce them to the minimum required to run OpenShift.

      For example, the IAM user for the `aws-ebs-csi-driver-operator` has the following permissions provided:

      ~~~
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:AttachVolume",
              "ec2:CreateSnapshot",
              "ec2:CreateTags",
              "ec2:CreateVolume",
              "ec2:DeleteSnapshot",
              "ec2:DeleteTags",
              "ec2:DeleteVolume",
              "ec2:DescribeInstances",
              "ec2:DescribeSnapshots",
              "ec2:DescribeTags",
              "ec2:DescribeVolumes",
              "ec2:DescribeVolumesModifications",
              "ec2:DetachVolume",
              "ec2:ModifyVolume"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [ "iam:GetUser" ],
            "Resource": "arn:aws:iam::326747146819:user/yuzu-x428b-aws-ebs-csi-driver-operator-cbnjk"
          }
        ]
      }
      ~~~

      The request is, where possible, to add an `aws:SourceVpc` condition to these statements so that the credentials can only be used for requests originating from inside the cluster's VPC.
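      The following is an added example, not CCO code, showing what the request asks for: it flags Allow statements that grant actions on `"Resource": "*"` with no Condition, and returns a copy of the policy with an `aws:SourceVpc` condition added to each of them. The sample policy is the one quoted above with the account id and user name replaced by placeholders, and the VPC id is constructed.

```python
import copy
import json

# Constructed sample: the aws-ebs-csi-driver-operator policy quoted in the
# request, with the account id and user name replaced by placeholders.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:AttachVolume", "ec2:CreateVolume", "ec2:DeleteVolume",
                    "ec2:DescribeVolumes", "ec2:DetachVolume", "ec2:ModifyVolume"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetUser"],
         "Resource": "arn:aws:iam::<ACCOUNT_ID>:user/<CCO_MANAGED_USER>"},
    ],
}


def unscoped_statements(policy):
    """Indexes of Allow statements that apply to every resource ("*") and carry
    no Condition block: the findings this request is about."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources and "Condition" not in stmt:
            found.append(i)
    return found


def restrict_to_vpc(policy, vpc_id):
    """Copy of the policy in which each unscoped Allow statement gets a
    StringEquals condition on aws:SourceVpc.
    Caveat: aws:SourceVpc is only present on requests that reach AWS through
    a VPC endpoint, so EC2 API calls that leave the VPC via an internet or
    NAT gateway would be denied unless an interface endpoint for ec2 exists."""
    hardened = copy.deepcopy(policy)
    for i in unscoped_statements(hardened):
        hardened["Statement"][i]["Condition"] = {
            "StringEquals": {"aws:SourceVpc": vpc_id}
        }
    return hardened


if __name__ == "__main__":
    # vpc id below is a constructed placeholder
    print(json.dumps(restrict_to_vpc(CURRENT_POLICY, "vpc-0123456789abcdef0"), indent=2))
```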

      3. Why does the customer need this? (List the business requirements here)
      Security concerns about the scope of permissions provided by the CCO

      4. List any affected packages or components.
      CloudCredentialOperator

            Jeremiah Stuever
            Mike Worthington
            Jianping Shu
            Ju Lim