audit and drop security group rules (bosh <-> tooling)

Our security group rules are too permissive in some places. We should audit what we think is used, what flow logs indicate is used, and what we actually allow, and remove unnecessary allows.

Scope this to rules between the bosh vpc and tooling vpc.