
@sar9ho sar9ho commented Jan 10, 2026

What does this PR do?

This PR implements the “Bypasses Network Controls” risk category mentioned in #454.

As mentioned in the original issue, some IAM permissions can access resources through AWS managed control planes or service APIs (for example, redshift:GetClusterCredentials via the Redshift Query Editor), bypassing the need for direct network access. In these cases, security groups and NACLs are effectively bypassed.

Changes:

  • added a new BypassesNetworkControls risk category with its own severity + description
  • added a list of IAM actions that enable these control-plane/out-of-band access paths
  • surfaced these findings in PolicyFinding results + included them in ServicesAffected
  • added unit tests covering both PolicyFinding & scan_policy behavior to make sure detection is correct

(This essentially gives these permissions a dedicated place instead of forcing them into existing categories like data exfiltration/privilege escalation)


Completion checklist

  • Additions and changes have unit tests
  • The pull request has been appropriately labeled using the provided PR labels
  • GitHub actions automation is passing (make test, make lint, make security-test, make test-js)
  • [N/A] If the UI contents or JavaScript files have been modified, generate a new example report:
# Generate the updated Javascript bundle
make build-js

# Generate the example report
make generate-report
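A detector along the lines the PR describes, as an added example rather than Cloudsplaining's own code or this PR's action list: it expands IAM `Action` patterns (including wildcards such as `redshift:*` or `*`) against a small category list and groups hits by service the way ServicesAffected would. Only `redshift:GetClusterCredentials` comes from the PR text; the other two category members and the sample policy are constructed assumptions.

```python
import fnmatch
from typing import Dict, List

# Constructed category membership: redshift:GetClusterCredentials is named in the PR;
# the other two are real AWS actions added here as assumed examples, not the PR's list.
BYPASSES_NETWORK_CONTROLS = [
    "redshift:GetClusterCredentials",
    "rds-data:ExecuteStatement",
    "ssm:StartSession",
]

# Constructed sample policy: a wildcard grant on redshift plus an unrelated S3 read.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["redshift:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:StartSession", "Resource": "*"},
    ],
}


def _statement_actions(statement: Dict) -> List[str]:
    """IAM allows Action to be a single string or a list; normalise to a list."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def find_network_bypass_actions(policy: Dict) -> Dict[str, List[str]]:
    """Return {service: [matched actions]} for Allow statements whose Action
    patterns cover an action in the category. IAM action matching is
    case-insensitive and supports '*' and '?', so fnmatch on lowercased
    strings is used. Deny statements are ignored: they never grant access."""
    services: Dict[str, List[str]] = {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _statement_actions(stmt):
            for action in BYPASSES_NETWORK_CONTROLS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    service = action.split(":", 1)[0]
                    hits = services.setdefault(service, [])
                    if action not in hits:
                        hits.append(action)
    return services
```

Note that a Deny elsewhere in the same policy does not remove a hit here; a full evaluation would also have to apply explicit denies before reporting.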

@salesforce-cla

Thanks for the contribution! Before we can merge this, we need @sar9ho to sign the Salesforce Inc. Contributor License Agreement.
