
feat(CKV_AWS_341): ensure IAM role max session duration does not exceed 1 hour#7522

Open
Sage-Canty wants to merge 1 commit into bridgecrewio:main from Sage-Canty:feat/ckv-aws-iam-role-max-session-duration

Conversation

@Sage-Canty

@Sage-Canty Sage-Canty commented Apr 20, 2026


Closes #7521

What

Adds a new Terraform check CKV_AWS_341 for aws_iam_role resources.

Check: Ensure IAM role max session duration does not exceed 1 hour (3600 seconds)

AWS allows max_session_duration up to 43200 seconds (12 hours). Roles with elevated session durations extend the blast radius of a compromised credential. CIS AWS Foundations Benchmark recommends keeping this at or below 3600 seconds.

Logic

  • PASS: max_session_duration not set (defaults to 3600) or <= 3600
  • FAIL: max_session_duration > 3600
  • UNKNOWN: value is a variable reference, cannot evaluate at scan time

Files changed

  • checkov/terraform/checks/resource/aws/IAMRoleMaxSessionDuration.py — check implementation
  • tests/terraform/checks/resource/aws/test_IAMRoleMaxSessionDuration.py — 6 unit tests, all passing

Tests

6 passed, 1 warning in 3.62s
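A stand-alone model of the PASS / FAIL / UNKNOWN decision rule described in the PR body, added here as an example rather than taken from the PR's own diff. A real Checkov check subclasses `BaseResourceCheck` and returns `CheckResult`; this version assumes only the attribute-to-list config shape Checkov hands a check, so it runs without the checkov package, and the sample resources are constructed.

```python
# Added example: models the CKV_AWS_341 logic (PASS if unset or <= 3600, FAIL if > 3600,
# UNKNOWN for unresolved variable references). Not the PR's code; no checkov dependency.
import re
from enum import Enum

MAX_SESSION_SECONDS = 3600  # CIS AWS Foundations recommendation: at most 1 hour


class Result(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"


# Terraform references that cannot be resolved at scan time (assumed pattern, not Checkov's).
_VAR_REF = re.compile(r"^\$\{.*\}$|^(var|local|data|module)\.")


def evaluate_role(conf: dict) -> Result:
    """conf is one aws_iam_role block in the attribute -> [value] form Checkov uses."""
    values = conf.get("max_session_duration")
    if not values:
        return Result.PASSED  # attribute unset: AWS defaults the role to 3600 seconds
    raw = values[0]
    if isinstance(raw, str) and _VAR_REF.match(raw.strip()):
        return Result.UNKNOWN  # variable reference, value not known until apply time
    try:
        seconds = int(raw)
    except (TypeError, ValueError):
        return Result.UNKNOWN  # unparsable literal: do not guess
    return Result.PASSED if seconds <= MAX_SESSION_SECONDS else Result.FAILED


# Constructed sample resources (not taken from the PR or its tests).
SAMPLES = {
    "unset": {"name": ["app-role"]},
    "one_hour": {"name": ["app-role"], "max_session_duration": [3600]},
    "twelve_hours": {"name": ["app-role"], "max_session_duration": [43200]},
    "variable": {"name": ["app-role"], "max_session_duration": ["${var.session_duration}"]},
}


def scan(resources: dict) -> dict:
    """Return {resource_name: result} for every aws_iam_role block given."""
    return {name: evaluate_role(conf).value for name, conf in resources.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name}: {result}")
```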

@Sage-Canty Sage-Canty force-pushed the feat/ckv-aws-iam-role-max-session-duration branch from d18c8fe to a374e8c Compare May 2, 2026 07:34
@Sage-Canty

Author

Hi team—rebased on the latest main, all 6 tests are passing. Would appreciate a review when you have a chance. Happy to adjust based on any feedback.

@Sage-Canty

Author

Hi @gruebel — sorry to ping directly; I know the queue is long. CKV_AWS_341 (IAM role max_session_duration <= 3600s) was rebased on the latest main, and all 6 tests are passing locally. It's currently blocked on workflow approval before CI can run. Would really appreciate an approve-and-run plus a review whenever you have bandwidth. Happy to adjust anything. Thanks!


Development

Successfully merging this pull request may close these issues.

Add check CKV_AWS_341: Ensure IAM role max session duration does not exceed 1 hour
