fix(query): fix fp for s3_bucket_access_to_any_principal

[cx-andre-pereira]

Reason for Proposed Changes

• Currently the query s3_bucket_access_to_any_principal can only determine if a "Principal" has permissions "*" or "s3:*" from YAML files if it has no "!If" statements associated.
• With "!If" statements the flag will trigger every time due to lack of specific case handling . The query does not take into consideration the existence of If´s.
• The If structure is as follows : (YAML)

    - <CONDITION>
    - <THEN>
    - <ELSE>

• The values for <THEN> and <ELSE> require scanning that is currently inexistent. Either of these values can have meaningful policy statements for this query.

Proposed Changes

• Introduced two helper functions (handle_if_statements and handle_if_statement) to correctly traverse and extract valid policy statements from structures resulting from !If conditions.

• This improves the query’s accuracy by avoiding false positives when Principal is not actually "*" in resolved policy logic, and also guarantees the verifications of each and every meaningful object in the if statement be it a <THEN> or <ELSE> associated object.

I submit this contribution under the Apache-2.0 license.

[cx-artur-ribeiro]

Hi André!
First of all, nice work!
Can you take a look at my comments and see if you agree? The suggestions are just quality of life changes, the query seems to work as expected, great job!

Thanks for the work done!

[cx-artur-ribeiro]

LGTM!