
Commit d8272ef

authoredMay 2, 2023
feat(ec2): restrict access to default security group (under feature flag) (aws#25297)
This PR implements functionality which will remove the default ingress/egress rules from the VPC default security group. When a VPC is created, the default security group is created as well with default ingress/egress rules which allow _all_ traffic. It is not possible to delete the default security group, but you should never use it. As a result there are a lot of security standards that recommend removing the default rules so that the security group denies all traffic by default. See [this rule](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2). Since the default security group cannot be managed through a CloudFormation resource, this PR introduces a new Custom Resource which will remove the ingress/egress rules. I also think that this should be the default behavior, so I have introduced a new feature flag to make this the default for new apps. As a result I had to update _a lot_ of integration tests. Since this feature flag would only be introduced on new VPCs, it didn't make sense to run the update workflow on all these integration tests, so I updated them to disable this new feature. I added one new integration test to test this functionality. fixes aws#19394

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 04427e3 commit d8272ef

File tree

234 files changed

+4298
-162
lines changed


‎lerna.json

-1
@@ -3,7 +3,6 @@
33
"useWorkspaces": true,
44
"packages": [
55
"packages/aws-cdk-lib",
6-
"packages/cdk-cli-wrapper",
76
"packages/cdk-assets",
87
"packages/aws-cdk",
98
"packages/cdk",
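Review bot: the removal of `"packages/cdk-cli-wrapper"` from the lerna workspace list is not mentioned anywhere in the commit message, which only describes the default security group change; either document why the package is dropped from the workspace here or split it into its own commit so the security change stays reviewable on its own. Also confirm that the `packages/cdk-cli-wrapper` directory and any build or test scripts that reference it are removed or updated in the same change, otherwise lerna will silently stop building and linking a package that still exists in the tree.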

‎package.json

-1
@@ -69,7 +69,6 @@
6969
"workspaces": {
7070
"packages": [
7171
"packages/aws-cdk-lib",
72-
"packages/cdk-cli-wrapper",
7372
"packages/aws-cdk",
7473
"packages/cdk",
7574
"packages/cdk-assets",
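Review bot: this mirrors the lerna.json edit, so the two workspace definitions stay consistent, which is good; what is still missing is a check that no remaining workspace package (including `packages/aws-cdk`, which sits right next to it in this list) declares a dependency on `cdk-cli-wrapper`, since a dangling workspace dependency would only surface at install time rather than in this diff. Adding one line to the PR description stating that `cdk-cli-wrapper` is intentionally removed from the workspaces would make the intent clear to anyone bisecting later.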
