Create resource policy specific checks

[0xdabbad00]

If the policy contains a Principal, we can assume it is a Resource policy. Also, #14 (where we allow the user to specify the type of policy) would inform this.

Once we know it is a resource policy, there are certain checks we can perform. For example, given this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish",
                "sns:DeleteTopic",
            ],
            "Resource": [
                "arn:aws:sns:us-east-1:000000000000:myTopic"
            ],
            "Principal": "*",
            "Condition": {
                  "ArnEquals": {
                    "aws:SourceArn": "arn:aws:s3:::mybucket"
                  }
            }
        }
    ]
}

Some things to check for:

1. If Principal is * without certain conditions, create finding.
2. If Condition restricts to an S3, but doesn't have a SourceAccount, create finding (see https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html#sns-allow-s3-bucket-to-publish-to-topic)
3. If condition restricts to an S3, and Resource is an SNS, then the Actions should only be sns:Publish

[rams3sh]

Awaiting for this feature :) !! Have a use case internally that would be solved by this. Putting the comment here to show support for this feature.

It would be also good if it could check for condition such as the one in the below policy which could still expose the bucket based on source IP.

{
  "Version": "2012-10-17",
  "Id": "VPCe and SourceIP",
  "Statement": [{
    "Sid": "VPCe and SourceIP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::awsexamplebucket",
      "arn:aws:s3:::awsexamplebucket/*"
    ],
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": [
          "0.0.0.0/0"
        ]
      }
    }
  }]
}