bottlerocket-os / bottlerocket-ecs-updater

A service to automatically manage Bottlerocket updates in an Amazon ECS cluster.

Use Prepared SSM Documents

webern opened this issue · comments

What I'd like:

Reduce the scope of SSM commands by using prepared documents.
Currently we send arbitrary commands with a shell command. We can reduce the permissions required by codifying the commands in the CloudFormation stack.

From what I can tell, however, the waiter (WaitUntilCommandExecuted) is where the max attempts cut off is actually happening.

Agreed. I am not targeting that; for the situation where an SSM command is stuck (#53 & #54), the SSM command will keep on running for 3600 seconds before it times out. However, our waiter only waits for X attempts before declaring a wait timeout, but the SSM command can still keep on running. To address this, I was thinking of setting the TimeoutSeconds parameter in SendCommandInput to something like 1800 seconds > waiter timeout.

Doc snippet from here:

    For example, the default value of Timeout (seconds) in the Systems Manager console is 600 seconds. If you run a command by using the AWS-RunShellScript SSM document, the default value of "timeoutSeconds": "{{ executionTimeout }}" is 3600 seconds

executionTimeout needs to be added to the prepared SSM documents. This was discussed in the comments of #49.
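As an added illustration of what the thread proposes (this is example CloudFormation, not a template from the bottlerocket-ecs-updater project), the fragment below defines one prepared SSM Command document that carries its own executionTimeout parameter, and an IAM policy whose ssm:SendCommand grant names that document's ARN instead of AWS-RunShellScript. The logical IDs UpdaterCheckDocument and UpdaterSendCommandPolicy, the single apiclient command inside the document, the 1800-second default and the allowedPattern are all assumptions chosen for the example. Note the two timeouts are different knobs: executionTimeout (the document's timeoutSeconds) caps how long the step may run on the instance, while TimeoutSeconds on SendCommandInput is the delivery window for the agent to pick the command up; a stuck command is bounded by the former, not the latter.

```yaml
# Added example, not project code. Replaces an arbitrary AWS-RunShellScript
# invocation with a prepared document and scopes SendCommand to it.
Resources:
  UpdaterCheckDocument:                      # assumed logical ID
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Command
      Content:
        schemaVersion: "2.2"
        description: Check for a Bottlerocket update (example document)
        parameters:
          executionTimeout:
            type: String
            description: Per-instance time limit for the step, in seconds.
            default: "1800"                  # assumed value; below the 3600 s SSM default
            allowedPattern: "^[1-9][0-9]{0,4}$"   # assumed: positive integer, no shell metacharacters
        mainSteps:
          - action: aws:runShellScript
            name: checkUpdate
            inputs:
              # The document, not the caller, decides both what runs and how long it may run.
              timeoutSeconds: "{{ executionTimeout }}"
              runCommand:
                - apiclient update check     # assumed command for illustration

  UpdaterSendCommandPolicy:                  # assumed logical ID
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # SendCommand is allowed only for this document and the cluster's instances;
          # the caller can no longer send arbitrary shell via AWS-RunShellScript.
          - Sid: SendOnlyThePreparedDocument
            Effect: Allow
            Action: ssm:SendCommand
            Resource:
              - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:document/${UpdaterCheckDocument}
              - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*
          # Status polling (what the waiter calls) is read-only and stays separate.
          - Sid: ReadCommandStatus
            Effect: Allow
            Action:
              - ssm:GetCommandInvocation
              - ssm:ListCommandInvocations
            Resource: "*"
```

Because !Ref on an AWS::SSM::Document resolves to the document name, the !Sub above yields the document ARN without hard-coding it; a caller that then sets DocumentName to that name and passes executionTimeout as a parameter gets the capped run time the thread asks for, and a policy review can check the ARN in the Resource list rather than reading through shell strings.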