Merge pull request #29 from dod-iac/limit_ec2_instance_types

limit ec2 instance types
trussworks · Nov 8, 2022 · 4620359 · 4620359
2 parents 36f26d5 + b9a19f2
commit 4620359
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ Policy options (listed by `sid`) are:
 * Protect S3 Buckets (ProtectS3Buckets)
 * Deny S3 Buckets Public Access (DenyS3BucketsPublicAccess)
 * Protect IAM Roles (ProtectIAMRoles)
+* Restrict EC2 Instance Types (LimitEC2InstanceTypes)
 * Restrict Regional Operations (LimitRegions)
 * Require S3 encryption (DenyIncorrectEncryptionHeader + DenyUnEncryptedObjectUploads)
 
@@ -62,6 +63,10 @@ module "github_terraform_aws_ou_scp" {
     "arn:aws:iam::*:role/OrganizationAccountAccessRole"
   ]
 
+  # restrict EC2 instance types
+  limit_ec2_instance_types   = true
+  allowed_ec2_instance_types = ["t2.medium"]
+
   # restrict region-specific operations to us-west-2
   limit_regions                 = true
   # - restrict region-specific operations to us-west-2
@@ -120,6 +125,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_allowed_ec2_instance_types"></a> [allowed\_ec2\_instance\_types](#input\_allowed\_ec2\_instance\_types) | EC2 instances types allowed for use | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_allowed_regions"></a> [allowed\_regions](#input\_allowed\_regions) | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_deny_all"></a> [deny\_all](#input\_deny\_all) | If false, create a combined policy. If true, deny all access | `bool` | `false` | no |
 | <a name="input_deny_creating_iam_users"></a> [deny\_creating\_iam\_users](#input\_deny\_creating\_iam\_users) | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no |
@@ -130,6 +136,7 @@ No modules.
 | <a name="input_deny_root_account"></a> [deny\_root\_account](#input\_deny\_root\_account) | DenyRootAccount in the OU policy. | `bool` | `false` | no |
 | <a name="input_deny_s3_bucket_public_access_resources"></a> [deny\_s3\_bucket\_public\_access\_resources](#input\_deny\_s3\_bucket\_public\_access\_resources) | S3 bucket resource ARNs to block public access | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_deny_s3_buckets_public_access"></a> [deny\_s3\_buckets\_public\_access](#input\_deny\_s3\_buckets\_public\_access) | DenyS3BucketsPublicAccess in the OU policy. | `bool` | `false` | no |
+| <a name="input_limit_ec2_instance_types"></a> [limit\_ec2\_instance\_types](#input\_limit\_ec2\_instance\_types) | LimitEC2InstanceTypes in the OU policy. | `bool` | `false` | no |
 | <a name="input_limit_regions"></a> [limit\_regions](#input\_limit\_regions) | LimitRegions in the OU policy. | `bool` | `false` | no |
 | <a name="input_protect_iam_role_resources"></a> [protect\_iam\_role\_resources](#input\_protect\_iam\_role\_resources) | IAM role resource ARNs to protect from modification and deletion | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_protect_iam_roles"></a> [protect\_iam\_roles](#input\_protect\_iam\_roles) | ProtectIAMRoles in the OU policy. | `bool` | `false` | no |

diff --git a/main.tf b/main.tf
@@ -16,6 +16,7 @@ locals {
   protect_s3_buckets_statement               = var.protect_s3_buckets ? [""] : []
   deny_s3_buckets_public_access_statement    = var.deny_s3_buckets_public_access ? [""] : []
   protect_iam_roles_statement                = var.protect_iam_roles ? [""] : []
+  limit_ec2_instance_types                   = var.limit_ec2_instance_types ? [""] : []
   limit_regions_statement                    = var.limit_regions ? [""] : []
   deny_unencrypted_object_uploads_statement  = var.require_s3_encryption ? [""] : []
   deny_incorrect_encryption_header_statement = var.require_s3_encryption ? [""] : []
@@ -189,6 +190,31 @@ data "aws_iam_policy_document" "combined_policy_block" {
     }
   }
 
+  #
+  # Restrict EC2 Instance Types
+  #
+
+  dynamic "statement" {
+    for_each = local.limit_ec2_instance_types
+    content {
+      sid    = "LimitEC2InstanceTypes"
+      effect = "Deny"
+
+      actions = [
+        "ec2:RunInstances",
+        "ec2:StartInstances"
+      ]
+
+      resources = ["*"]
+
+      condition {
+        test     = "StringNotEquals"
+        variable = "ec2:InstanceType"
+        values   = var.allowed_ec2_instance_types
+      }
+    }
+  }
+
   #
   # Restrict Regional Operations
   #

diff --git a/variables.tf b/variables.tf
@@ -68,6 +68,12 @@ variable "protect_iam_roles" {
   type        = bool
 }
 
+variable "limit_ec2_instance_types" {
+  description = "LimitEC2InstanceTypes in the OU policy."
+  default     = false
+  type        = bool
+}
+
 variable "limit_regions" {
   description = "LimitRegions in the OU policy."
   default     = false
@@ -106,6 +112,12 @@ variable "allowed_regions" {
   default     = [""]
 }
 
+variable "allowed_ec2_instance_types" {
+  description = "EC2 instances types allowed for use"
+  type        = list(string)
+  default     = [""]
+}
+
 variable "tags" {
   description = "Tags applied to the SCP policy"
   type        = map(string)