Description
When using serverless-step-functions to run ECS tasks with tags, the auto-generated IAM policies are missing the ecs:TagResource permission, causing
the execution to fail with an AccessDeniedException.
Steps to Reproduce:
- Configure a Step Functions state machine with an ECS task that includes tags
- Deploy using serverless-step-functions
- Execute the state machine
- The execution fails with the following error:
arn:aws:sts::xxxxxxxxxxxx:assumed-role/service-name-AutomationsCoreProcessor-1IMJM3BVQIC19/BItoDlWozsClkJYiaNnkTWqvqBfygBMa
is not authorized to perform: ecs:TagResource on resource: arn:aws:ecs:us-east-1:521944920347:task/task-name*
because no identity-based policy allows the ecs:TagResource action
(Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException;
Request ID: 42ebb4cb-054e-4389-bc88-80cd71592322; Proxy: null)
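A minimal serverless.yml that reproduces the configuration described in the steps above. This is an added example rather than the reporter's own configuration; the cluster, task definition, subnet and tag values are placeholders, and the state-machine and service names are made up.

```yaml
# Added example, not the reporter's configuration: run a tagged ECS task from a
# state machine deployed with serverless-step-functions. All ARNs are placeholders.
service: ecs-tags-repro
frameworkVersion: '4'

provider:
  name: aws
  region: us-east-1

plugins:
  - serverless-step-functions

stepFunctions:
  stateMachines:
    runTaggedEcsTask:
      name: runTaggedEcsTask
      definition:
        StartAt: RunTask
        States:
          RunTask:
            Type: Task
            Resource: arn:aws:states:::ecs:runTask.sync
            Parameters:
              LaunchType: FARGATE
              Cluster: arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster
              TaskDefinition: arn:aws:ecs:us-east-1:123456789012:task-definition/my-task:1
              NetworkConfiguration:
                AwsvpcConfiguration:
                  Subnets:
                    - subnet-0123456789abcdef0
              # The Tags parameter is what makes ECS call TagResource as part of RunTask;
              # without it the plugin's generated role (RunTask/StopTask/DescribeTasks) is enough.
              Tags:
                - Key: Environment
                  Value: dev
            End: true
```

Deploying this with `sls deploy` and starting an execution is enough to hit the AccessDeniedException quoted above; removing the Tags block makes the same execution succeed with the plugin's default role.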
Expected Behavior:
The plugin should automatically include the ecs:TagResource permission in the generated IAM policies when ECS tasks are configured with tags.
Actual Behavior:
The ecs:TagResource permission is not included in the auto-generated IAM policies, causing the Step Functions execution to fail when trying to tag ECS
tasks.
Environment:
- serverless-step-functions version: 3.23.0
- Serverless Framework version: 4.15.1
- AWS region: us-east-1
Proposed Solution:
Add the ecs:TagResource permission to the auto-generated IAM policies when ECS tasks include tags. The permission should be scoped to the appropriate
ECS task resources.
Example of the missing permission that should be added (region and account are shown as wildcards here; a real task ARN has the form arn:aws:ecs:region:account:task/..., so an ARN with those fields left empty would never match, and the plugin should fill them with the stack's own region and account):
{
"Effect": "Allow",
"Action": "ecs:TagResource",
"Resource": "arn:aws:ecs:*:*:task/*"
}
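One way the plugin could derive this statement from the state machine definition, shown as an added example rather than the plugin's own code: walk the Amazon States Language definition, find every ECS RunTask state that passes Tags (as a literal list or as a "Tags.$" JSONPath reference), and scope the statement to the tasks of the cluster each state targets. The task ARN layout (task/<cluster>/*), the wildcard fallback when the cluster is given by bare name, the `ecs:CreateAction` condition, and the sample definition are assumptions made for this example.

```javascript
// Added example, not code from the serverless-step-functions plugin: derive the
// ecs:TagResource statement an execution role needs from an ASL definition.
// The task ARN layout, the wildcard fallback and the ecs:CreateAction condition
// are assumptions made here, as is the constructed SAMPLE_DEFINITION below.

const ECS_RUN_TASK_RESOURCES = new Set([
  'arn:aws:states:::ecs:runTask',
  'arn:aws:states:::ecs:runTask.sync',
  'arn:aws:states:::ecs:runTask.waitForTaskToken',
]);

// Collect every Task state, descending into Parallel branches and Map
// iterators so that nested ECS tasks are not overlooked.
function collectTaskStates(states, out = []) {
  for (const [name, state] of Object.entries(states || {})) {
    if (state.Type === 'Task') out.push({ name, state });
    if (state.Type === 'Parallel') {
      for (const branch of state.Branches || []) collectTaskStates(branch.States, out);
    }
    if (state.Type === 'Map') {
      const inner = state.ItemProcessor || state.Iterator;
      if (inner) collectTaskStates(inner.States, out);
    }
  }
  return out;
}

// A full cluster ARN gives region and account to pin the statement to; a bare
// cluster name or a "Cluster.$" JSONPath does not, so fall back to a wildcard.
function taskArnForCluster(cluster) {
  const m = /^arn:aws:ecs:([a-z0-9-]+):(\d{12}):cluster\/([^/]+)$/.exec(cluster || '');
  if (!m) return 'arn:aws:ecs:*:*:task/*';
  const [, region, account, name] = m;
  return `arn:aws:ecs:${region}:${account}:task/${name}/*`;
}

// Returns the IAM statement, or null when no ECS task in the definition tags
// its tasks (the existing RunTask/StopTask/DescribeTasks grants then suffice).
function ecsTagResourceStatement(definition) {
  const resources = new Set();
  for (const { state } of collectTaskStates(definition.States)) {
    if (!ECS_RUN_TASK_RESOURCES.has(state.Resource)) continue;
    const params = state.Parameters || {};
    // Tags may be a literal list or a JSONPath reference ("Tags.$").
    const tags = params.Tags !== undefined ? params.Tags : params['Tags.$'];
    const hasTags = Array.isArray(tags) ? tags.length > 0 : typeof tags === 'string';
    if (!hasTags) continue;
    resources.add(taskArnForCluster(params.Cluster));
  }
  if (resources.size === 0) return null;
  return {
    Effect: 'Allow',
    Action: 'ecs:TagResource',
    Resource: [...resources].sort(),
    // Only allow tagging as part of RunTask, not re-tagging arbitrary tasks later.
    Condition: { StringEquals: { 'ecs:CreateAction': 'RunTask' } },
  };
}

// Constructed sample definition: one tagged task with a full cluster ARN, one
// untagged task, and a tagged task inside a Parallel branch using a bare name.
const SAMPLE_DEFINITION = {
  StartAt: 'RunTagged',
  States: {
    RunTagged: {
      Type: 'Task',
      Resource: 'arn:aws:states:::ecs:runTask.sync',
      Parameters: {
        Cluster: 'arn:aws:ecs:us-east-1:123456789012:cluster/jobs',
        TaskDefinition: 'arn:aws:ecs:us-east-1:123456789012:task-definition/worker:1',
        Tags: [{ Key: 'Environment', Value: 'dev' }],
      },
      Next: 'RunUntagged',
    },
    RunUntagged: {
      Type: 'Task',
      Resource: 'arn:aws:states:::ecs:runTask',
      Parameters: { Cluster: 'arn:aws:ecs:us-east-1:123456789012:cluster/jobs', TaskDefinition: 'worker:1' },
      Next: 'FanOut',
    },
    FanOut: {
      Type: 'Parallel',
      Branches: [{
        StartAt: 'RunDynamicTags',
        States: {
          RunDynamicTags: {
            Type: 'Task',
            Resource: 'arn:aws:states:::ecs:runTask',
            Parameters: { Cluster: 'jobs', TaskDefinition: 'worker:1', 'Tags.$': '$.tags' },
            End: true,
          },
        },
      }],
      End: true,
    },
  },
};

console.log(JSON.stringify(ecsTagResourceStatement(SAMPLE_DEFINITION), null, 2));
```

The wildcard fallback is the weak spot: when the cluster is only named, the generator cannot pin account or region, so a plugin would substitute its CloudFormation pseudo-parameters (AWS::Region, AWS::AccountId) there instead of "*". The `ecs:CreateAction` condition keeps the grant to tagging-on-create, which is the only thing RunTask needs.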
Additional Context:
This issue started occurring after tags were added to the ECS task configuration. The Step Functions execution role needs the ecs:TagResource permission to apply tags to ECS tasks during execution.