Audit command attributes a known bad policy to the wrong role instead of a user or group

[clholm]

When I run python3 cloudmapper.py audit --accounts {{account}} and {{account}} has a user and/or group with a "known bad policy" (as defined by the KNOWN_BAD_POLICIES dictionary in shared/iam_audit.py), the Cloudmapper output indicates that those known bad policies are owned by a (wrong) role instead of a user or group. For example, if I add user data to the demo account data for a user called USER_WITH_BAD_INLINE_POLICY with the arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM policy attached, the output of python3 cloudmapper.py audit --accounts demo shows HIGH - demo (us-east-1) - Known bad policy used: arn:aws:iam::123456789012:role/level3. This level3 role doesn't have a known bad policy attached. From the testing I've done, it looks like shared/iam_audit.py is creating a finding using the role variable that is used while iterating over the roles in an account, instead of creating a finding with the user or group variables that are used for iterating over those respective objects. This bug would go unnoticed as long as known bad policies were only attached to roles.

(running in a virtualenv)