chore(iot): cannot set a value greater than 3650 days for deviceCertificateAgeCheckDuration (aws#35365)

### Issue # (if applicable)

None

### Reason for this change

`deviceCertificateAgeCheckDuration` has a upper bound value (3652 days) but we cannot deploy `AccountAuditConfiguration` construct when this duration is set 3651-3652 days.

```console
10:51:08 PM | UPDATE_FAILED        | AWS::IoT::AccountAuditConfiguration | AuditConfiguration8C793652
Resource handler returned message: "Certificate age threshold is greater than the maximum supported threshold of 3650 days. (Service: Iot, Status Code: 400, Request ID: 20cddf20-
f5a5-4f4b-8fee-140be1305778) (SDK Attempt Count: 1)" (RequestToken: 931fdbeb-f895-c970-b0a5-5e7a2f9a86be, HandlerErrorCode: InvalidRequest)
```

[AWS docs](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-certificate-age-check.html) states that upper bound value is 3652 days but I think this statement is wrong.

### Description of changes

- set update upper bound value to 3650 days from 3652 days

### Describe any new or updated permissions being added

None

### Description of how you validated changes

update unit test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: badmintoncryer

packages/@aws-cdk/aws-iot-alpha/README.md

@@ -150,7 +150,7 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
   checkConfiguration: {
     deviceCertificateAgeCheck: true,
     // The default value is 365 days
-    // Valid values range from 30 days (minimum) to 3652 days (10 years, maximum)
+    // Valid values range from 30 days (minimum) to 3650 days (10 years, maximum)
     deviceCertificateAgeCheckDuration: Duration.days(365),
   },
 });

packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts

@@ -71,7 +71,7 @@ export interface CheckConfiguration {
    * The duration used to check if a device certificate has been active
    * for a number of days greater than or equal to the number you specify.
    *
-   * Valid values range from 30 days (minimum) to 3652 days (10 years, maximum).
+   * Valid values range from 30 days (minimum) to 3650 days (10 years, maximum).
    *
    * You cannot specify a value for this check if `deviceCertificateAgeCheck` is set to `false`.
    *
@@ -231,8 +231,8 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
       if (props?.checkConfiguration?.deviceCertificateAgeCheck === false) {
         throw new Error('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
       }
-      if (!deviceAgeCheckThreshold.isUnresolved() && deviceAgeCheckThreshold.toDays() < 30 || deviceAgeCheckThreshold.toDays() > 3652) {
-        throw new Error(`The device certificate age check threshold must be between 30 and 3652 days. got: ${deviceAgeCheckThreshold.toDays()} days.`);
+      if (!deviceAgeCheckThreshold.isUnresolved() && deviceAgeCheckThreshold.toDays() < 30 || deviceAgeCheckThreshold.toDays() > 3650) {
+        throw new Error(`The device certificate age check threshold must be between 30 and 3650 days. got: ${deviceAgeCheckThreshold.toDays()} days.`);
       }
     }
 

packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts

@@ -147,15 +147,15 @@ test('throw error for configuring duration without enabling deviceCertificateAge
 
 test.each([
   cdk.Duration.days(29),
-  cdk.Duration.days(3653),
+  cdk.Duration.days(3651),
 ])('throw error for invalid duration %s', (duration) => {
   const stack = new cdk.Stack();
   expect(() => new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', {
     checkConfiguration: {
       deviceCertificateAgeCheck: true,
       deviceCertificateAgeCheckDuration: duration,
     },
-  })).toThrow(`The device certificate age check threshold must be between 30 and 3652 days. got: ${duration.toDays()} days.`);
+  })).toThrow(`The device certificate age check threshold must be between 30 and 3650 days. got: ${duration.toDays()} days.`);
 });
 
 test('import by Account ID', () => {