
Add a configuration option to disable the AWS metadata service for created VMs

Problem

AWS provides a metadata service by default, which can be used to gather information about the machine and its settings. If an IAM profile is also configured, it can be used to retrieve it, presenting a security concern. Once retrieved, you can begin to issue commands for any permission allowed by that instance profile.

This endpoint is available to any job that runs on any runner in AWS which has an IAM instance profile attached. There are no other security "walls" to get over, and it works regardless of privilege mode.

Potential solution

To help address this, we can consider disabling the metadata service for Docker+Machine spawned jobs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html#configure-IMDS-new-instances--turn-off-instance-metadata. This can be done by passing --metadata-options "HttpEndpoint=disabled" to the job.

The issue is that Docker+Machine doesn't support passing this flag today, which we should add. Adding support for a different flag was not significantly difficult: !49 (merged)
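To find which existing runner VMs are in the state described above (an IAM instance profile attached and the metadata endpoint still enabled), the following added example, which is not part of the original issue or of Docker+Machine, audits JSON in the shape returned by `aws ec2 describe-instances --output json`. The instance IDs, account ID and role names in the sample are constructed, and `audit_imds` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output;
# instance IDs, account ID and role names are made up for illustration.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa0000000000001",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/runner-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0aaa0000000000002",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/runner-role"},
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0aaa0000000000003",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0aaa0000000000004",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/cache-role"}}
]}]}
""")


def audit_imds(describe_output):
    """Return (instance_id, profile_arn, reason) for every instance where
    jobs could reach instance-profile credentials through the metadata service."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            profile = inst.get("IamInstanceProfile")
            if not profile:
                continue  # no instance profile, so no role credentials to serve
            opts = inst.get("MetadataOptions")
            if opts is None:
                # Field missing from the input: treat as exposed rather than safe.
                reason = "MetadataOptions missing, assuming endpoint enabled"
            elif opts.get("HttpEndpoint") == "disabled":
                continue  # the state the issue asks for
            else:
                reason = "HttpEndpoint=%s, HttpTokens=%s" % (
                    opts.get("HttpEndpoint"), opts.get("HttpTokens"))
            findings.append((inst["InstanceId"], profile.get("Arn"), reason))
    return findings


if __name__ == "__main__":
    for instance_id, arn, reason in audit_imds(SAMPLE):
        print(instance_id, arn, reason)
```

Instances reported with `HttpTokens=required` still serve role credentials to any job that performs the IMDSv2 token request; only `HttpEndpoint=disabled` removes the endpoint.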