
feat(query): iam role without permission boundary #8020

Open

balaakasam wants to merge 7 commits into Checkmarx:master from balaakasam:feat/iam-role-without-permission-boundary

Conversation

@balaakasam

Closes #8019

Reason for Proposed Changes
AWS IAM permission boundaries are a critical enterprise security control that limit the maximum permissions an IAM role can have, even if broader policies are attached. Without a permission boundary, IAM roles can potentially be exploited to escalate privileges beyond intended scope.
Currently KICS does not check whether aws_iam_role resources have a permissions_boundary attribute set, which is a common misconfiguration in enterprise AWS environments.

Proposed Changes

  • Added new query: IAM Role Without Permission Boundary
  • Added metadata.json with query metadata, severity MEDIUM, category Identity and Access Management, CWE-269
  • Added query.rego with detection logic using common_lib.valid_key to check for missing permissions_boundary attribute
  • Added positive test case (positive1.tf) - role without permissions_boundary, should trigger
  • Added negative test case (negative1.tf) - role with permissions_boundary defined, should not trigger
  • Added positive_expected_result.json for test validation

I submit this contribution under the Apache-2.0 license.
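As an added illustration of the detection logic described above (this is not the PR's own query.rego), a KICS-style Rego policy that reports every aws_iam_role block lacking a permissions_boundary attribute; the result-field layout follows the KICS query conventions, and tf_lib.get_resource_name is assumed to be available from KICS's generic Terraform library:

```rego
package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

# Report each aws_iam_role resource that does not set permissions_boundary.
# Expected fixtures for such a query:
#   positive1.tf: an aws_iam_role with no permissions_boundary -> one result
#   negative1.tf: an aws_iam_role with permissions_boundary = "<boundary policy arn>" -> no result
CxPolicy[result] {
	resource := input.document[i].resource.aws_iam_role[name]

	# valid_key holds only when the attribute exists with a non-empty value,
	# so a missing or empty permissions_boundary both trigger the finding.
	not common_lib.valid_key(resource, "permissions_boundary")

	result := {
		"documentId": input.document[i].id,
		"resourceType": "aws_iam_role",
		# assumed helper from KICS's generic Terraform library
		"resourceName": tf_lib.get_resource_name(resource, name),
		"searchKey": sprintf("aws_iam_role[%s]", [name]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": sprintf("'aws_iam_role[%s].permissions_boundary' should be defined", [name]),
		"keyActualValue": sprintf("'aws_iam_role[%s].permissions_boundary' is undefined", [name]),
	}
}
```

A matching negative test must actually set permissions_boundary (for example to the ARN of a boundary policy), otherwise the positive and negative fixtures are indistinguishable and the query cannot be validated.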

@balaakasam balaakasam requested a review from a team as a code owner March 29, 2026 18:14
@balaakasam
Author

Hello, just checking in on this PR. Happy to make any additional changes needed. The riskScore field has been added to the metadata as requested by the validation check. Please let me know if anything else is needed to move this forward.
Thank you!

@cx-artur-ribeiro
Contributor

Hi @balaakasam,
Thanks for the contribution!

There are a couple of issues with the query’s metadata fields: the risk score should be a float with one decimal place, and the category must be one of the predefined values. Could you please update these according to the documentation? https://docs.kics.io/latest/creating-queries/

Also, the negative and positive tests are currently identical, and neither defines a permissions_boundary property. I assume this wasn’t intentional. Could you add a proper positive test case, please?
For reference, here are some examples that might help: https://github.com/aws-samples/example-permissions-boundary

Additionally, please note that this query may still be introduced as a BETA query initially, even after these issues are addressed. BETA queries are queries that are possible to use but need further review/investigation.

Once these are addressed, I’ll review the PR again and work on moving it forward.
Thanks!
