nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool
GNU General Public License v2.0

ADA-CP 2.2.1: Ensure a support role has been created to manage incidents with AWS Support #1654

Open rdegraaf opened 1 month ago

rdegraaf commented 1 month ago

Is your feature request related to a problem? Please describe.

The App Defense Alliance Cloud Profile requires a check that an incident-management Role has been registered with AWS Support.

Describe the solution you'd like

Implement the check documented at https://github.com/appdefensealliance/ASA-WG/blob/main/Cloud%20App%20and%20Config%20Profile/Cloud%20App%20and%20Config%20Test%20Guide.md#221-ensure-a-support-role-has-been-created-to-manage-incidents-with-aws-support.

Describe alternatives you've considered

None.

Additional context

rdegraaf commented 1 month ago

Looks like there is already such a rule ("iam-no-support-role") in the "detailed" ruleset, but:

  1. It doesn't work. The rule is not triggered on an account that does not have the AWSSupportAccess permission policy attached to anything -- presumably because ScoutSuite only enumerates AWS-managed permission policies when they are attached to something within the account.
  2. It only requires that the permission policy be attached to something, as opposed to specifically a Role as is required by CIS and ADA.
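The two behaviours the comment contrasts, as an added example that is not ScoutSuite's own code: a small evaluator over a constructed snapshot of IAM principals and their attached managed policies, with a lax "attached to anything" rule beside the strict "attached to a role" rule that CIS and ADA require. The function names, principal names and snapshot shape are assumptions.

```python
"""
Hypothetical evaluator for the ADA-CP 2.2.1 / CIS support-role check.
Not ScoutSuite code: it runs over a constructed list of IAM principals,
each with the managed policy ARNs attached to it (the shape you would get
from iam:ListAttachedRolePolicies / ListAttachedUserPolicies /
ListAttachedGroupPolicies).
"""
from typing import Dict, Iterable, List, Tuple

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"

# (principal_type, principal_name, [attached managed policy ARNs])
Principal = Tuple[str, str, List[str]]


def principals_with_support_access(principals: Iterable[Principal]) -> Dict[str, List[str]]:
    """Group, by principal type, the names that have AWSSupportAccess attached."""
    found: Dict[str, List[str]] = {"role": [], "user": [], "group": []}
    for ptype, name, policy_arns in principals:
        if SUPPORT_POLICY_ARN in policy_arns:
            found.setdefault(ptype, []).append(name)
    return found


def lax_check(principals: Iterable[Principal]) -> bool:
    """Passes when the policy is attached to any principal at all.
    An empty inventory (policy never enumerated) must fail, not go silent."""
    return any(principals_with_support_access(principals).values())


def strict_check(principals: Iterable[Principal]) -> bool:
    """Passes only when at least one IAM *role* has the policy attached,
    which is what CIS and ADA-CP 2.2.1 require."""
    return bool(principals_with_support_access(principals)["role"])


# Constructed sample accounts (fake principal names) for the three situations.
NOTHING_ATTACHED: List[Principal] = [
    ("role", "DeployRole", ["arn:aws:iam::aws:policy/ReadOnlyAccess"]),
]
USER_ONLY: List[Principal] = NOTHING_ATTACHED + [
    ("user", "alice", [SUPPORT_POLICY_ARN]),
]
ROLE_PRESENT: List[Principal] = USER_ONLY + [
    ("role", "IncidentResponderRole", [SUPPORT_POLICY_ARN]),
]

if __name__ == "__main__":
    for label, snap in [("none", NOTHING_ATTACHED), ("user-only", USER_ONLY), ("role", ROLE_PRESENT)]:
        print(f"{label}: lax={lax_check(snap)} strict={strict_check(snap)}")
```

Only the strict evaluator distinguishes the user-only account from one with a real incident-management role.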
rdegraaf commented 1 month ago

Fixed in https://github.com/rdegraaf/ScoutSuite/tree/ada-cp-aws. MR to come once I have a few more rules implemented.