
feat(rule): improve wildcard checking in policies #30

Closed

Conversation

nikpivkin
Contributor

This PR improves wildcard checking in the following rules: AVD-AWS-0057, AVD-AWS-0114 and AVD-AWS-0120.

  1. Action values have been corrected. Sometimes Trivy gave a false positive result because some actions contained an extra suffix [permissions only].

  2. The correct resource is displayed in the result header.

The header always displays the first resource:

data "aws_iam_policy_document" "test" {
  statement {
    actions = [
      "sts:AssumeRole",
    ]
    resources = [
      "arn:aws:iam::123456789012:role/S3Access",
      "*",
    ]
  }
}

resource "aws_iam_policy" "test" {
  name   = "test"
  policy = data.aws_iam_policy_document.test.json
}

Trivy's output is now:

HIGH: IAM policy document uses sensitive action 'sts:AssumeRole' on wildcarded resource 'arn:aws:iam::123456789012:role/S3Access'

  3. The report includes all actions that do not support resource-level permissions.

For example, two actions (logs:AssociateKmsKey and logs:CreateExportTask) cause the rule to be violated in the next configuration:

data "aws_iam_policy_document" "test" {
  statement {
    actions = [
      "logs:AssociateKmsKey",
      "logs:CreateExportTask",
      "logs:ListLogDeliveries",
      "logs:CreateLogDelivery",
      "logs:GetLogDelivery",
      "logs:UpdateLogDelivery",
      "logs:DeleteLogDelivery",
    ]
    resources = [
      "*",
    ]
  }
}

resource "aws_iam_policy" "test" {
  name   = "test"
  policy = data.aws_iam_policy_document.test.json
}

But only the first one is reported to the user:

IAM policy document uses sensitive action 'logs:AssociateKmsKey' on wildcarded resource '*'

Fixes aquasecurity/trivy#5040

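The three points above describe what a correct check has to do: compare policy actions against a reference list whose entries may carry a documentation suffix, name the wildcarded resource (not merely the first one) in the finding, and emit one finding per matching action rather than stopping at the first. The Python below is an added illustration of those three behaviours; it is neither Trivy's implementation nor code from this PR. The reference lists are constructed from only the actions named in the PR text (Trivy's own lists are much longer), one entry deliberately carries the " [permissions only]" suffix to model point 1, and "wildcarded resource" is taken to mean any resource string containing `*`. The two policies are JSON equivalents of the two `aws_iam_policy_document` blocks shown above.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed reference lists, limited to the actions named in the PR.
# Trivy's real lists are far longer; these entries are illustrative only.
# One entry carries the " [permissions only]" suffix to model the
# documentation artefact described in point 1 of the PR.
RAW_NO_RESOURCE_LEVEL_ACTIONS = [
    "logs:AssociateKmsKey",
    "logs:CreateExportTask [permissions only]",
]
RAW_SENSITIVE_ACTIONS = ["sts:AssumeRole"]


def normalize_action(raw: str) -> str:
    """Drop a bracketed documentation suffix such as ' [permissions only]'.

    Without this, 'logs:CreateExportTask [permissions only]' never equals the
    action string that actually appears in a policy, so comparisons go wrong.
    """
    return raw.split(" [", 1)[0].strip()


FLAGGED_ACTIONS = sorted(
    {normalize_action(a) for a in RAW_NO_RESOURCE_LEVEL_ACTIONS + RAW_SENSITIVE_ACTIONS}
)


def is_wildcard_resource(resource: str) -> bool:
    """Assumption: a resource is 'wildcarded' when it contains '*' ('*', 'arn:...:*')."""
    return "*" in resource


def _as_list(value) -> List[str]:
    """IAM allows either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_statement(stmt: Dict) -> List[Tuple[str, str]]:
    """Return (flagged_action, wildcard_resource) pairs for one Allow statement.

    Every flagged action is reported (point 3), and the resource named in each
    finding is the wildcarded one rather than the first in the list (point 2).
    """
    findings: List[Tuple[str, str]] = []
    if stmt.get("Effect", "Allow") != "Allow":
        return findings
    wildcard_resources = [r for r in _as_list(stmt.get("Resource")) if is_wildcard_resource(r)]
    if not wildcard_resources:
        return findings
    for policy_action in _as_list(stmt.get("Action")):
        pattern = normalize_action(policy_action)
        for flagged in FLAGGED_ACTIONS:
            # The policy side may itself be a glob such as 'logs:*'; the
            # reference name never is, so the policy entry is the pattern.
            if fnmatch.fnmatchcase(flagged, pattern):
                for res in wildcard_resources:
                    if (flagged, res) not in findings:
                        findings.append((flagged, res))
    return findings


def check_policy(policy: Dict) -> List[Tuple[str, str]]:
    """Run check_statement over every statement of a policy document."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    findings: List[Tuple[str, str]] = []
    for stmt in stmts:
        findings.extend(check_statement(stmt))
    return findings


def format_finding(action: str, resource: str) -> str:
    """Message in the same shape as the PR's sample output (severity prefix omitted)."""
    return f"IAM policy document uses sensitive action '{action}' on wildcarded resource '{resource}'"


# Constructed JSON equivalents of the two aws_iam_policy_document blocks in the PR.
POLICY_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Resource": ["arn:aws:iam::123456789012:role/S3Access", "*"],
    }],
}
POLICY_LOGS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:AssociateKmsKey", "logs:CreateExportTask", "logs:ListLogDeliveries",
            "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
            "logs:DeleteLogDelivery",
        ],
        "Resource": ["*"],
    }],
}

if __name__ == "__main__":
    for policy in (POLICY_ROLE, POLICY_LOGS):
        for action, resource in check_policy(policy):
            print(format_finding(action, resource))
```

Running the block prints one line for the role policy, naming `*` as the resource, and two lines for the logs policy, one per action lacking resource-level permissions. Because the policy-side action is used as the glob pattern, a statement granting `logs:*` on a wildcard resource is expanded into the concrete flagged actions it covers, which is the behaviour a reviewer of the report wants to see rather than a single opaque `logs:*` entry.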

@nikpivkin
Contributor Author

Closing in favor of #61

@nikpivkin nikpivkin closed this Jan 18, 2024