nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool

Feature request: flag permission policies that deny access to API actions

rdegraaf opened this issue · comments

Is your feature request related to a problem? Please describe.

The presence of Deny statements in permission policies is not necessarily a problem: they have totally valid uses. However, attempting to control access to API actions in AWS using a wildcard allow and a deny-list is very difficult and subject to problems, since there is frequently more than one way to accomplish something, new API actions get added all the time, and permission policy authors frequently fail to consider all available API actions. s3:GetObject is denied? Try s3:GetObjectVersion instead. Both of those are blocked? That might have been adequate until AWS added s3:GetObjectTorrent. kms:ScheduleKeyDeletion is denied? You can still use kms:PutKeyPolicy to make the key unusable by everyone. Etc. And these aren't hypotheticals: I've seen them while reviewing accounts.

Describe the solution you'd like

ScoutSuite should flag permission policies containing Deny statements for specific API actions so that a reviewer can verify that they are appropriate given the account's access control regime and requirements, and that they do not have trivial bypasses.
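A check in the spirit of this request, written here as an added example and not ScoutSuite's own code: it walks an IAM policy document, reports every Deny statement that names specific API actions (a bare `Deny *` is a blanket block, not a deny-list, and is skipped), notes whether the policy pairs such denies with a wildcard Allow, and lets a reviewer ask whether a sibling action is actually covered. The policy document, the Sids and the function names are all constructed for the example.

```python
"""Reviewer helper for IAM policy deny-lists (added example, not ScoutSuite code)."""
import json
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return _as_list(doc.get("Statement"))


def find_specific_denies(policy):
    """Return (Sid, action) pairs for Deny statements that enumerate actions.

    Partial wildcards such as "s3:Get*" are reported too: they still describe a
    chosen subset of a service's actions, which is what a reviewer must verify.
    """
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                continue  # blanket deny, not a deny-list
            findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


def uses_wildcard_allow_with_denylist(policy):
    """True when a broad Allow ("*" or "service:*") is paired with specific
    Deny statements: the allow-everything-then-deny-list pattern the request
    above describes as hard to get right."""
    broad_allow = any(
        stmt.get("Effect") == "Allow"
        and any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        for stmt in _statements(policy)
    )
    return broad_allow and bool(find_specific_denies(policy))


def is_denied(policy, action):
    """Does any Deny statement match this action? IAM action matching is
    case-insensitive and supports * and ? wildcards."""
    wanted = action.lower()
    return any(
        fnmatchcase(wanted, pattern.lower())
        for _, pattern in find_specific_denies(policy)
    ) or any(
        "*" in _as_list(stmt.get("Action"))
        for stmt in _statements(policy)
        if stmt.get("Effect") == "Deny"
    )


# Constructed sample: wildcard allow plus a deny-list that only names the
# actions a reviewer would expect to see blocked.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "BlockObjectReads", "Effect": "Deny",
         "Action": ["s3:GetObject"], "Resource": "*"},
        {"Sid": "BlockKeyDeletion", "Effect": "Deny",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}


def review(policy, related_actions):
    """Summarise what a reviewer should look at for this policy."""
    return {
        "denylist_pattern": uses_wildcard_allow_with_denylist(policy),
        "specific_denies": find_specific_denies(policy),
        "uncovered": [a for a in related_actions if not is_denied(policy, a)],
    }


if __name__ == "__main__":
    # The related actions here are the ones named in the request above.
    print(json.dumps(review(SAMPLE_POLICY,
                            ["s3:GetObject", "s3:GetObjectVersion",
                             "kms:ScheduleKeyDeletion", "kms:PutKeyPolicy"]),
                     indent=2))
```

`review` deliberately stops at reporting: whether an uncovered sibling action matters depends on the account's access-control regime and requirements, which is exactly why the request asks for a flag for a human reviewer rather than an automatic failure.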