feat(rego): add query to check iam policy to invoke lambda

[jplanckeel]

Proposed Changes
Since June 2022 IAM policy to invoke lambda need to defined two ressources :

• One with only the name of the lambda function
• a second one with the name of the function and a * for the version

I propose to create a good practice rule to indicate this

1. Starting at the IAM Console, go to Policies.
2. Look for policies including user managed policies, roles, users and user groups with inline policies that match Resource field as function ARN. For example, If the function ARN is arn:aws:lambda:aws-region:acct-id:function:my-function, find policies where Resource field contains "function:my-function".
3. For the matching policies, select the "Edit Policy" button and select JSON.
   3.1. To allow access to function (unqualified ARN) and its sub-resources, add another statement with ":" to function name by changing the Resource field to "Resource": ["arn:aws:lambda:aws-region:acct-id:function:my-function", "arn:aws:lambda:aws-region:acct-id:function:my-function:"]
   3.2. To allow access to function (unqualified ARN) only, use Resource as "Resource": ["arn:aws:lambda:aws-region:acct-id:myFunction"] .
4. Select Review Policy and Save.

I submit this contribution under the Apache-2.0 license.

[rafaela-soares]

Hello, @jplanckeel!

Thank you so much for contributing to KICS 🚀

Please, see the suggestions:

[rafaela-soares]

Hello, @jplanckeel!

We need to update the positive_expected_result.json:

[rafaela-soares]

LGTM 🚀

I will wait only for our security team to approve the severity and category.

[nunolope5]

After reviewing the proposed new rule and associated Severity, Category, and Description my only comment is regarding the query name, it should be "Lambda IAM InvokeFunction Misconfigured".

[rafaela-soares]

LGTM 🚀

Thank you so much for contributing, @jplanckeel!