Previously, we granted dagit and daemon AmazonECS_FullAccess. This
enabled them to do everything they needed - and then some.
This more narrowly scopes the policies attached to each.
dagit only needs to be able to describe tasks to check if a run can be
daemon needs to be able to describe a number of different things about a
task so that it can register new task definitions and trigger task runs.
Both include PassRole permissions borrowed from AmazonECS_FullAccess.
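
The scoping described above can be checked mechanically. The following is an added example, not code from this commit or from the project: a small linter that flags wildcard actions and unconstrained `iam:PassRole` grants in an IAM policy document. The two sample policies, their action lists, and the names `BROAD`, `SCOPED` and `lint_policy` are constructed for illustration and are assumptions, not the policies this change attaches.

```python
from fnmatch import fnmatchcase

# Constructed sample documents; the action lists are assumptions for illustration.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:DescribeTasks"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, rule, detail) findings for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "not-action", "Allow with NotAction grants everything else"))
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        findings += [(i, "wildcard-action", a) for a in actions if "*" in a]
        # "iam:*" or "*" grant PassRole too, so match with IAM-style wildcards.
        if any(fnmatchcase("iam:passrole", a) for a in actions):
            cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
            resources = _as_list(stmt.get("Resource", "*"))
            if "iam:passedtoservice" not in cond_keys and "*" in resources:
                findings.append((i, "unconstrained-passrole", "any role to any service"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, lint_policy(doc) or "no findings")
```
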