feat(query): iam role without permission boundary#8020

Open
balaakasam wants to merge 15 commits into
Checkmarx:masterfrom
balaakasam:feat/iam-role-without-permission-boundary
Conversation

@balaakasam

Closes #8019

Reason for Proposed Changes
AWS IAM permission boundaries are a critical enterprise security control that limit the maximum permissions an IAM role can have, even if broader policies are attached. Without a permission boundary, IAM roles can potentially be exploited to escalate privileges beyond intended scope.
Currently KICS does not check whether aws_iam_role resources have a permissions_boundary attribute set, which is a common misconfiguration in enterprise AWS environments.

Proposed Changes

  • Added new query: IAM Role Without Permission Boundary
  • Added metadata.json with query metadata, severity MEDIUM, category Identity and Access Management, CWE-269
  • Added query.rego with detection logic using common_lib.valid_key to check for missing permissions_boundary attribute
  • Added positive test case (positive1.tf) - role without permissions_boundary, should trigger
  • Added negative test case (negative1.tf) - role with permissions_boundary defined, should not trigger
  • Added positive_expected_result.json for test validation

I submit this contribution under the Apache-2.0 license.

@balaakasam balaakasam requested a review from a team as a code owner March 29, 2026 18:14
@balaakasam (Author)

Hello, just checking in on this PR. Happy to make any additional changes needed. The riskScore field has been added to the metadata as requested by the validation check. Please let me know if anything else is needed to move this forward.
Thank you!

@cx-artur-ribeiro (Contributor)

cx-artur-ribeiro commented Apr 7, 2026

Hi @balaakasam,
Thanks for the contribution!

There are a couple of issues with the query's metadata fields: the risk score should be a float, represented as a string, with one decimal place, and the category must be one of the predefined values. Could you please update these according to the documentation? https://docs.kics.io/latest/creating-queries/

Also, the negative and positive tests are currently identical, and neither defines a permissions_boundary property. I assume this wasn’t intentional. Could you add a proper positive test case, please?
For reference, here are some examples that might help: https://github.com/aws-samples/example-permissions-boundary

Additionally, please note that this query may still be introduced as a BETA query initially, even after these issues are addressed. BETA queries are queries that are possible to use but need further review/investigation.

Once these are addressed, I’ll review the PR again and work on moving it forward.
Thanks!

@balaakasam (Author)

balaakasam commented Apr 11, 2026

Thank you so much for the detailed feedback. I have addressed all three issues you raised:

  1. Category - updated to "Access Control" which is one of the predefined values
  2. riskScore - updated to 3.0 as a float (Medium severity mapping per the documentation)
  3. Test cases - fixed the negative test case to include the permissions_boundary attribute so that it correctly represents the secure configuration. The positive test case correctly has no permissions_boundary defined. Also updated the positive_expected_result.json to include the fileName field.

Please let me know if any further changes are needed. Happy to address any additional feedback quickly.

@balaakasam (Author)

Hi, just following up on this PR. I've addressed the previous feedback, and the changes are ready for review. Happy to make any additional adjustments if needed. Thanks for your time!

@balaakasam (Author)

Hi, just following up on this PR. Please let me know if any changes are needed. Thank you.

@cx-artur-ribeiro (Contributor) left a comment

Hi @balaakasam,
Other than the suggestion I give below, nothing to add.

This effort will still need to pass the QA process as normal, but I can't really give an estimate to when this will happen. If you apply the changes I've proposed, everything should work as expected.

Keep in mind that by adding "experimental":"true", you will need to use the flag experimental-queries on KICS scan to run this (and other) experimental queries. However, this is the normal process when adding new queries without Application Security review.

Once this review is in place, we will update the query name and remove the added field, running this query alongside all other reviewed KICS queries.

Thanks again for the awesome job and for helping us improve KICS 😄.

…ary/metadata.json

Co-authored-by: Artur Ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
@balaakasam (Author)

Hi @cx-artur-ribeiro, thank you for the review and the feedback. I've applied the suggested changes, added "experimental": "true" and updated the query name to "BETA - IAM Role Without Permission Boundary". Happy to wait for the QA process. Thanks again for all your guidance.

Development

Successfully merging this pull request may close these issues.

query(terraform): iam role without permission boundary

2 participants