fix(ecs): reduce ecs service task role cloudwatch permissions when no log configured (under feature flag) (#31475)

### Issue # (if applicable)

Closes #31397

### Reason for this change

If a FargateService or EC2 Service has `enableExecuteCommand: true` and the ECS cluster it runs on has `executeCommandConfiguration.logging` set to anything but `ecs.ExecuteCommandLogging.NONE` then the CDK automatically grants the underlying TaskDefinition overly broad cloudwatch logs permissions regardless of need even if the logging configuration has no cloudwatch logs config set.

This is not right behaviour as these permissions are not needed. 

### Description of changes

Add feature flag and if feature flag is on and cloudwatch log is configured, reduce the permissions. 

### Description of how you validated changes

New unit tests, integration tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: GavinZZ

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service-idle-timeout.ts

@@ -11,6 +11,7 @@ import { AUTOSCALING_GENERATE_LAUNCH_TEMPLATE } from 'aws-cdk-lib/cx-api';
 const app = new App({
   postCliContext: {
     '@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm': false,
+    '@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions': false,
   },
 });
 const stack = new Stack(app, 'aws-ecs-integ-alb-idle-timeout');

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service.ts

@@ -3,9 +3,14 @@ import { Cluster, ContainerImage } from 'aws-cdk-lib/aws-ecs';
 import { App, Stack } from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 import { ApplicationMultipleTargetGroupsEc2Service } from 'aws-cdk-lib/aws-ecs-patterns';
-import { AUTOSCALING_GENERATE_LAUNCH_TEMPLATE } from 'aws-cdk-lib/cx-api';
+import { AUTOSCALING_GENERATE_LAUNCH_TEMPLATE, REDUCE_EC2_FARGATE_CLOUDWATCH_PERMISSIONS } from 'aws-cdk-lib/cx-api';
 
-const app = new App({ postCliContext: { [AUTOSCALING_GENERATE_LAUNCH_TEMPLATE]: false } });
+const app = new App({
+  postCliContext: {
+    [AUTOSCALING_GENERATE_LAUNCH_TEMPLATE]: false,
+    [REDUCE_EC2_FARGATE_CLOUDWATCH_PERMISSIONS]: false,
+  },
+});
 const stack = new Stack(app, 'aws-ecs-integ-multiple-alb');
 const vpc = new Vpc(stack, 'Vpc', { maxAzs: 2, restrictDefaultSecurityGroup: false });
 const cluster = new Cluster(stack, 'Cluster', { vpc });

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.alb-fargate-service-https.ts

@@ -6,7 +6,11 @@ import { App, Stack } from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 import { ApplicationLoadBalancedFargateService } from 'aws-cdk-lib/aws-ecs-patterns';
 
-const app = new App();
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions': false,
+  },
+});
 const stack = new Stack(app, 'aws-ecs-integ-alb-fg-https');
 const vpc = new Vpc(stack, 'Vpc', { maxAzs: 2, restrictDefaultSecurityGroup: false });
 const cluster = new Cluster(stack, 'Cluster', { vpc });