Commit a1da757

fix(bootstrap): remove Security Hub finding S3.10 (#24175)
**NOTE**: This PR bumps the version of the bootstrap stack to `16`, but there is no need to update your bootstrap stacks, unless it is to get rid of the Security Hub finding; this change has no effect on the functionality of any CDK app deployed to the environment.

[Security Hub Finding S3.10](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-10) says:

> S3 buckets with versioning enabled should have lifecycle policies configured

Presumably so you're not unknowingly accumulating a bigger and bigger S3 bucket as you are overwriting existing files. CDK will never do that, as files are content-addressed and immutable, but Security Hub can't know that and so it complains.

Add a lifecycle rule to the S3 bucket to get rid of the finding. Expiration time of non-current files is set to 1 year. This should give enough opportunity to diagnose potential issues and audit any funkiness in the bucket if the assumption that files are never overwritten should ever be violated.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
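The commit message describes the condition Security Hub control S3.10 checks for: a bucket with versioning enabled but no lifecycle configuration. The following is an added example, not part of this commit or of the aws-cdk project, that evaluates that condition offline over bucket configurations. It is a simplified model of the control (the exact logic Security Hub applies is assumed, not copied); the input dicts follow the shape boto3 returns from `get_bucket_versioning()` and `get_bucket_lifecycle_configuration()` (note the API uses `ID` where the CloudFormation template uses `Id`), and all sample buckets are constructed for illustration, with `cdk-staging-after-fix` mirroring the rule this commit adds.

```python
"""Offline evaluator modelled on Security Hub control S3.10.

Added example (not aws-cdk project code). Input dicts follow the shapes of
boto3's get_bucket_versioning() and get_bucket_lifecycle_configuration()
responses; the sample buckets at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Lifecycle actions that make a rule meaningful for this check.
# Assumption: any *enabled* rule carrying one of these actions satisfies the
# control; Security Hub's own evaluation may be stricter or looser.
LIFECYCLE_ACTIONS = (
    "Expiration",
    "NoncurrentVersionExpiration",
    "Transitions",
    "NoncurrentVersionTransitions",
    "AbortIncompleteMultipartUpload",
)


@dataclass
class Finding:
    bucket: str
    status: str                   # "PASSED" or "FAILED"
    reason: str
    noncurrent_days: Optional[int] = None   # shortest NoncurrentDays seen, if any


def evaluate_s3_10(bucket: str, versioning: dict, lifecycle: Optional[dict]) -> Finding:
    """Return a Finding for one bucket; the control only applies to versioned buckets."""
    if versioning.get("Status") != "Enabled":
        return Finding(bucket, "PASSED", "versioning not enabled; control not applicable")

    rules = (lifecycle or {}).get("Rules", [])
    enabled = [
        r for r in rules
        if r.get("Status") == "Enabled" and any(action in r for action in LIFECYCLE_ACTIONS)
    ]
    if not enabled:
        return Finding(bucket, "FAILED", "versioning enabled but no enabled lifecycle rule")

    # Record how quickly non-current versions age out, since that is the
    # accumulation S3.10 is worried about.
    days = None
    for r in enabled:
        nve = r.get("NoncurrentVersionExpiration") or {}
        if "NoncurrentDays" in nve:
            days = nve["NoncurrentDays"] if days is None else min(days, nve["NoncurrentDays"])
    return Finding(bucket, "PASSED", f"{len(enabled)} enabled lifecycle rule(s)", days)


# Constructed sample inputs: (versioning response, lifecycle response or None).
SAMPLE_BUCKETS = {
    "cdk-staging-after-fix": (
        {"Status": "Enabled"},
        {"Rules": [{
            "ID": "CleanupOldVersions",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "NoncurrentVersionExpiration": {"NoncurrentDays": 365},
        }]},
    ),
    "cdk-staging-before-fix": ({"Status": "Enabled"}, None),
    "disabled-rule-only": (
        {"Status": "Enabled"},
        {"Rules": [{"ID": "Paused", "Status": "Disabled", "Expiration": {"Days": 30}}]},
    ),
    "unversioned-logs": ({}, None),   # get_bucket_versioning returns no Status here
}


def audit(buckets=SAMPLE_BUCKETS) -> list:
    """Evaluate every bucket and return the list of Findings in input order."""
    return [evaluate_s3_10(name, versioning, lifecycle)
            for name, (versioning, lifecycle) in buckets.items()]


def failed_buckets(buckets=SAMPLE_BUCKETS) -> list:
    """Names of buckets that would raise an S3.10 finding."""
    return [f.bucket for f in audit(buckets) if f.status == "FAILED"]


if __name__ == "__main__":
    for f in audit():
        extra = f" (non-current versions expire after {f.noncurrent_days} days)" if f.noncurrent_days else ""
        print(f"{f.status:6} {f.bucket}: {f.reason}{extra}")
```

Running it shows the bootstrap staging bucket failing before the rule exists and passing once the 365-day `NoncurrentVersionExpiration` rule is present; a rule that exists but is `Disabled` still fails, which is the case worth checking when a lifecycle rule is later toggled off for debugging.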
1 parent 0071ca0 commit a1da757

File tree

1 file changed

+7
-0
lines changed

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

Lines changed: 7 additions & 0 deletions
@@ -199,6 +199,13 @@ Resources:
199199
- Ref: AWS::NoValue
200200
VersioningConfiguration:
201201
Status: Enabled
202+
LifecycleConfiguration:
203+
Rules:
204+
# Exising objects will never be overwritten but Security Hub wants this rule to exist
205+
- Id: CleanupOldVersions
206+
Status: Enabled
207+
NoncurrentVersionExpiration:
208+
NoncurrentDays: 365
202209
UpdateReplacePolicy: Retain
203210
DeletionPolicy: Retain
204211
StagingBucketPolicy:
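Review bot: the new comment at line 204 has a typo, "Exising" should be "Existing". Since the rule carries no Filter it applies to every key in the bucket, which matches the stated intent, and only NoncurrentVersionExpiration is set, so current objects are never touched; it would help future readers to also record in that comment why 365 days was chosen (the commit message explains it as leaving time to audit the bucket if the never-overwritten assumption is violated), so the rationale lives next to the rule rather than only in the commit history.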
