[ELI-422] Added S3 tagging operations to permissions boundary (#382)

* Added s3 tagging operations to permissions boundary

* Added s3 bucket and obj version operations to permissions boundary

Author: robbailiff2

infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf

@@ -15,14 +15,18 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
       "dynamodb:DeleteItem",
       "dynamodb:BatchWriteItem",
 
-      # S3 - bucket and object operations for Lambda and Firehose
+      # S3 - bucket and object operations for Lambda, Firehose and External Role
       "s3:GetObject",
       "s3:ListBucket",
       "s3:PutObject",
       "s3:PutObjectAcl",
       "s3:AbortMultipartUpload",
       "s3:GetBucketLocation",
       "s3:ListBucketMultipartUploads",
+      "s3:GetObjectTagging",
+      "s3:PutObjectTagging",
+      "s3:ListBucketVersions",
+      "s3:GetObjectVersion",
 
       # KMS - encryption/decryption for DynamoDB and S3
       "kms:Encrypt",