The AWS rule "IAM Principals With Access to sts:AssumeRole for Resource *" reported a number of targets along the lines of the following:
* The role named `FooRole` through the policy `arn:aws:iam::123456789012:policy/Boundary`
Looking into the permissions of FooRole, its permission policies do not allow any STS permissions under any conditions. The "Boundary" permission policy does allow sts:* for the resource *, but it is attached as a permissions boundary, not as a permission policy. As a permissions boundary, it does not grant any permissions; it only limits the permissions that can be granted by attached permission policies. It appears that ScoutSuite is treating the permission boundary as a normal permission policy.
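To make the distinction concrete, here is an added example (constructed for this write-up, not ScoutSuite's own evaluation code) that models how IAM combines identity permission policies with a permissions boundary, and then contrasts the correct result for the `FooRole`/`Boundary` case above with the result you get if the boundary document is mistakenly counted as an attached permission policy. The policy documents, bucket ARN and function names are assumptions.

```python
"""Constructed example (not ScoutSuite code): decide whether a role can
effectively use an action by combining identity policies with a boundary."""
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(policy, action, resource):
    """True if the document has a matching Allow and no matching Deny.
    Conditions, NotAction and NotResource are ignored in this example."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM-style wildcard matching ('*' and '?') for actions and ARNs
        hit = any(fnmatch.fnmatchcase(action, a) for a in actions) and \
              any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit Deny wins
        allowed = True
    return allowed

def effective_allow(identity_policies, boundary, action, resource):
    """A permissions boundary never grants anything: the request must be
    granted by an identity policy AND, if a boundary is set, allowed by it."""
    if not any(policy_allows(p, action, resource) for p in identity_policies):
        return False
    return boundary is None or policy_allows(boundary, action, resource)

# Constructed documents mirroring the report: FooRole's permission policies
# carry no STS permissions; "Boundary" allows sts:* on * but is only a boundary.
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "sts:*", "Resource": "*"}]}
FOO_ROLE_POLICIES = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}]

def foo_role_can_assume_any_role():
    """Correct evaluation: boundary treated as a cap, not a grant."""
    return effective_allow(FOO_ROLE_POLICIES, BOUNDARY, "sts:AssumeRole", "*")

def boundary_treated_as_permission_policy():
    """The misinterpretation described in the report: the boundary document is
    evaluated as if it were one more attached permission policy."""
    return effective_allow(FOO_ROLE_POLICIES + [BOUNDARY], None, "sts:AssumeRole", "*")

if __name__ == "__main__":
    print("FooRole can sts:AssumeRole on *:", foo_role_can_assume_any_role())  # False
    print("Boundary counted as a policy:", boundary_treated_as_permission_policy())  # True
```

Running it shows the correct evaluation reporting no sts:AssumeRole access for FooRole, while the boundary-as-policy evaluation produces exactly the false positive described in the report.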
rdegraaf-ncc3 changed the title from `AWS "IAM Principals With Access to sts:AssumeRole for Resource *" misinterprets permissions boundaries` to `AWS "Managed Policy Allows "sts:AssumeRole" For All Resources" misinterprets permissions boundaries` on Aug 29, 2024