
Change topic policy, add additional IAM activity checks #119

Merged
merged 1 commit into from
Sep 22, 2021

Conversation

wvanheerde
Contributor

This PR introduces some changes that fix various checks implemented by the CIS AWS Foundations Benchmark security standard we have enabled by default in security hub. It:

  • Allows cross-account access to list all subscribers to the IAM Activity SNS topic by the security hub role on member accounts. This allows the automated check to see whether the solution is complete and is required to pass the test.
  • Enables additional metric filters and alarms that address checks for the mentioned standard. Should fix CIS 1.1 and CIS 3.1 - CIS 3.14 for all core accounts. CIS 3.2 (sign-in without MFA) is excluded as it doesn't fit our current solution.

All of these are only deployed if the CIS AWS Foundations Benchmark security standard is enabled. Changes have been tested locally.
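The two changes the PR describes, a topic policy that lets member-account Security Hub roles list subscribers and a set of conditionally created CIS metric filters with alarms, as an added Terraform illustration (not code from this PR or from the project). It assumes the variable names `cloudtrail_log_group_name`, `member_account_ids` and `create_cis_metric_filters`, the Security Hub service-linked role name `AWSServiceRoleForSecurityHub`, and the `UnauthorizedApiCalls` filter pattern from the public CIS benchmark; only the `RootActivity` pattern comes from the PR's own diff.

```hcl
# Added example, not project code. Assumed inputs:
#   var.cloudtrail_log_group_name  - CloudWatch Logs group CloudTrail delivers to
#   var.member_account_ids         - accounts whose Security Hub role may list subscribers
#   var.create_cis_metric_filters  - gate mirroring "only deployed if CIS is enabled"
variable "cloudtrail_log_group_name" {
  type = string
}

variable "member_account_ids" {
  type = list(string)
}

variable "create_cis_metric_filters" {
  type    = bool
  default = true
}

data "aws_caller_identity" "current" {}

resource "aws_sns_topic" "iam_activity" {
  name = "iam-activity"
}

# Topic policy: the owning account keeps full control; member-account Security Hub
# service-linked roles (name assumed) get the single read-only action the CIS
# subscriber check needs, nothing that lets them publish or subscribe.
data "aws_iam_policy_document" "iam_activity_topic" {
  statement {
    sid       = "OwnerFullAccess"
    actions   = ["sns:*"]
    resources = [aws_sns_topic.iam_activity.arn]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "SecurityHubListSubscribers"
    actions   = ["sns:ListSubscriptionsByTopic"]
    resources = [aws_sns_topic.iam_activity.arn]
    principals {
      type = "AWS"
      identifiers = [
        for id in var.member_account_ids :
        "arn:aws:iam::${id}:role/aws-service-role/securityhub.amazonaws.com/AWSServiceRoleForSecurityHub"
      ]
    }
  }
}

resource "aws_sns_topic_policy" "iam_activity" {
  arn    = aws_sns_topic.iam_activity.arn
  policy = data.aws_iam_policy_document.iam_activity_topic.json
}

# Filter patterns: RootActivity is the pattern shown in the PR diff; UnauthorizedApiCalls
# is the standard CIS 3.1 pattern (assumed here). The map is empty when the gate is off,
# so for_each below creates nothing.
locals {
  cis_filters = var.create_cis_metric_filters ? {
    UnauthorizedApiCalls = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
    RootActivity         = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\"}"
  } : {}
}

resource "aws_cloudwatch_log_metric_filter" "cis" {
  for_each       = local.cis_filters
  name           = each.key
  pattern        = each.value
  log_group_name = var.cloudtrail_log_group_name

  metric_transformation {
    name      = each.key
    namespace = "CISBenchmark"
    value     = "1"
  }
}

# One alarm per filter, routed to the IAM activity topic; a single matching
# CloudTrail event within the period trips it.
resource "aws_cloudwatch_metric_alarm" "cis" {
  for_each            = local.cis_filters
  alarm_name          = each.key
  namespace           = "CISBenchmark"
  metric_name         = each.key
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.iam_activity.arn]
}
```

The CIS alarm checks are only satisfied when the alarm's topic has at least one confirmed subscription, which is why the member-account role needs `sns:ListSubscriptionsByTopic` on the topic and nothing broader; granting `sns:*` or `sns:Subscribe` cross-account would let a member account redirect or drown the alerts.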

@github-actions
Contributor

terraform fmt Failed

./locals.tf
     ]
   ])
   iam_activity = {
-    SSO  = "{$.readOnly IS FALSE && $.userIdentity.sessionContext.sessionIssuer.userName = \"AWSReservedSSO_*\" && $.eventName != \"ConsoleLogin\"}"
+    SSO = "{$.readOnly IS FALSE && $.userIdentity.sessionContext.sessionIssuer.userName = \"AWSReservedSSO_*\" && $.eventName != \"ConsoleLogin\"}"
   }
   cloudtrail_activity_cis_aws_foundations = (local.security_hub_has_cis_aws_foundations_enabled && var.security_hub_create_cis_metric_filters) ? {
     RootActivity                 = "{$.userIdentity.type=\"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\"}"
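Review bot: the only thing `terraform fmt` objects to in `./locals.tf` is the alignment of the `SSO` key (two spaces before `=` on the `-` line, one on the `+` line); since `SSO` is the sole key in the `iam_activity` map there is nothing to align it with, so the single space is canonical. Run `terraform fmt` locally and amend the commit so the formatting check passes before merge.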

Workflow: Terraform, Action: __hashicorp_terraform-github-actions, Working Directory: ., Workspace: default

@marwinbaumannsbp marwinbaumannsbp merged commit 029cd87 into master Sep 22, 2021
@marwinbaumannsbp marwinbaumannsbp deleted the fix-cis-benchmark-checks branch September 22, 2021 09:09