Add check CKV_AWS_341: Ensure IAM role max session duration does not exceed 1 hour #7521

@Sage-Canty

Description

Describe the issue
Checkov currently has no check for max_session_duration on aws_iam_role resources. Terraform allows this value to be set up to 43200 seconds (12 hours), but AWS and CIS benchmarks recommend keeping it at or below 3600 seconds (1 hour). A role with an elevated max session duration extends the blast radius of a compromised credential — an attacker who assumes the role gets a longer-lived token before it expires.

New check: CKV_AWS_341 — "Ensure IAM role max session duration does not exceed 1 hour"

  • Resource: aws_iam_role
  • Pass: max_session_duration not set (defaults to 3600) or <= 3600
  • Fail: max_session_duration > 3600
  • Unknown: value is a variable reference (cannot evaluate at scan time)

Examples

PASS:

resource "aws_iam_role" "pass" {
  name               = "pass_role"
  assume_role_policy = data.aws_iam_policy_document.assume.json
  # max_session_duration not set, defaults to 3600
}

PASS:

resource "aws_iam_role" "pass_explicit" {
  name                 = "pass_role"
  assume_role_policy   = data.aws_iam_policy_document.assume.json
  max_session_duration = 3600
}

FAIL:

resource "aws_iam_role" "fail" {
  name                 = "fail_role"
  assume_role_policy   = data.aws_iam_policy_document.assume.json
  max_session_duration = 43200
}

Version

  • Checkov Version: latest

Additional context
6 unit tests included in the PR. All pass locally. Happy to submit a PR if this looks good.
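The pass/fail/unknown rules above, as an added example that is not part of this issue or of Checkov's own code base. It assumes the attribute shape Checkov hands to a resource check (each attribute mapped to a one-element list of its parsed value) and stands in for the scan_resource_conf body of a BaseResourceCheck subclass; the sample role blocks are constructed to mirror the HCL examples in the issue.

```python
"""Evaluation logic for a CKV_AWS_341-style check on aws_iam_role."""
from enum import Enum
from typing import Any

MAX_SESSION_SECONDS = 3600      # 1 hour threshold proposed in the issue
DEFAULT_SESSION_SECONDS = 3600  # AWS default when max_session_duration is omitted


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"


def _is_unresolved(value: Any) -> bool:
    """True when the value is still a Terraform expression (variable/local)."""
    return isinstance(value, str) and (
        "${" in value or value.startswith(("var.", "local."))
    )


def scan_iam_role_conf(conf: dict[str, list[Any]]) -> CheckResult:
    """Evaluate one parsed aws_iam_role block.

    Assumed input shape: {"name": ["x"], "max_session_duration": [3600]},
    i.e. every attribute maps to a one-element list holding its value.
    """
    values = conf.get("max_session_duration")
    if not values:
        return CheckResult.PASSED  # unset: AWS default of 3600 s applies
    value = values[0]
    if _is_unresolved(value):
        return CheckResult.UNKNOWN  # cannot be evaluated at scan time
    try:
        seconds = int(value)
    except (TypeError, ValueError):
        return CheckResult.UNKNOWN  # malformed value; do not guess
    return CheckResult.PASSED if seconds <= MAX_SESSION_SECONDS else CheckResult.FAILED


# Constructed role blocks mirroring the issue's examples plus a variable case.
SAMPLE_ROLES = {
    "pass": {"name": ["pass_role"]},
    "pass_explicit": {"name": ["pass_role"], "max_session_duration": [3600]},
    "fail": {"name": ["fail_role"], "max_session_duration": [43200]},
    "unknown": {"name": ["var_role"], "max_session_duration": ["${var.session}"]},
}


def scan_all(roles: dict[str, dict[str, list[Any]]]) -> dict[str, str]:
    """Run the check over every role block and report the result name."""
    return {name: scan_iam_role_conf(conf).value for name, conf in roles.items()}
```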
