diff --git a/README.md b/README.md index bc94e62..f77d950 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ Policy options (listed by `sid`) are: * Protect S3 Buckets (ProtectS3Buckets) * Deny S3 Buckets Public Access (DenyS3BucketsPublicAccess) * Protect IAM Roles (ProtectIAMRoles) +* Restrict EC2 Instance Types (LimitEC2InstanceTypes) * Restrict Regional Operations (LimitRegions) * Require S3 encryption (DenyIncorrectEncryptionHeader + DenyUnEncryptedObjectUploads) @@ -62,6 +63,10 @@ module "github_terraform_aws_ou_scp" { "arn:aws:iam::*:role/OrganizationAccountAccessRole" ] + # restrict EC2 instance types + limit_ec2_instance_types = true + allowed_regions = ["t2.medium"] + # restrict region-specific operations to us-west-2 limit_regions = true # - restrict region-specific operations to us-west-2 @@ -120,6 +125,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [allowed\_ec2\_instance\_types](#input\_allowed\_ec2\_instance\_types) | EC2 instances types allowed for use | `list(string)` |
[
""
]
| no | | [allowed\_regions](#input\_allowed\_regions) | AWS Regions allowed for use (for use with the restrict regions SCP) | `list(string)` |
[
""
]
| no | | [deny\_all](#input\_deny\_all) | If false, create a combined policy. If true, deny all access | `bool` | `false` | no | | [deny\_creating\_iam\_users](#input\_deny\_creating\_iam\_users) | DenyCreatingIAMUsers in the OU policy. | `bool` | `false` | no | @@ -130,6 +136,7 @@ No modules. | [deny\_root\_account](#input\_deny\_root\_account) | DenyRootAccount in the OU policy. | `bool` | `false` | no | | [deny\_s3\_bucket\_public\_access\_resources](#input\_deny\_s3\_bucket\_public\_access\_resources) | S3 bucket resource ARNs to block public access | `list(string)` |
[
""
]
| no | | [deny\_s3\_buckets\_public\_access](#input\_deny\_s3\_buckets\_public\_access) | DenyS3BucketsPublicAccess in the OU policy. | `bool` | `false` | no | +| [limit\_ec2\_instance\_types](#input\_limit\_ec2\_instance\_types) | LimitEC2InstanceTypes in the OU policy. | `bool` | `false` | no | | [limit\_regions](#input\_limit\_regions) | LimitRegions in the OU policy. | `bool` | `false` | no | | [protect\_iam\_role\_resources](#input\_protect\_iam\_role\_resources) | IAM role resource ARNs to protect from modification and deletion | `list(string)` |
[
""
]
| no | | [protect\_iam\_roles](#input\_protect\_iam\_roles) | ProtectIAMRoles in the OU policy. | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 2fd8110..7f7b4fb 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,7 @@ locals {
 protect_s3_buckets_statement = var.protect_s3_buckets ? [""] : []
 deny_s3_buckets_public_access_statement = var.deny_s3_buckets_public_access ? [""] : []
 protect_iam_roles_statement = var.protect_iam_roles ? [""] : []
+ limit_ec2_instance_types = var.limit_ec2_instance_types ? [""] : []
 limit_regions_statement = var.limit_regions ? [""] : []
 deny_unencrypted_object_uploads_statement = var.require_s3_encryption ? [""] : []
 deny_incorrect_encryption_header_statement = var.require_s3_encryption ? [""] : []
@@ -189,6 +190,31 @@ data "aws_iam_policy_document" "combined_policy_block" {
 }
 }
 
+ #
+ # Restrict EC2 Instance Types
+ #
+
+ dynamic "statement" {
+ for_each = local.limit_ec2_instance_types
+ content {
+ sid = "LimitEC2InstanceTypes"
+ effect = "Deny"
+
+ actions = [
+ "ec2:RunInstances",
+ "ec2:StartInstances"
+ ]
+
+ resources = ["*"]
+
+ condition {
+ test = "StringNotEquals"
+ variable = "ec2:InstanceType"
+ values = var.allowed_ec2_instance_types
+ }
+ }
+ }
+
 #
 # Restrict Regional Operations
 #
diff --git a/variables.tf b/variables.tf
index 848d72a..f4dce1a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -68,6 +68,12 @@ variable "protect_iam_roles" {
 type = bool
 }
 
+variable "limit_ec2_instance_types" {
+ description = "LimitEC2InstanceTypes in the OU policy."
+ default = false
+ type = bool
+}
+
 variable "limit_regions" {
 description = "LimitRegions in the OU policy."
 default = false
@@ -106,6 +112,12 @@ variable "allowed_regions" {
 default = [""]
 }
 
+variable "allowed_ec2_instance_types" {
+ description = "EC2 instances types allowed for use"
+ type = list(string)
+ default = [""]
+}
+
 variable "tags" {
 description = "Tags applied to the SCP policy"
 type = map(string)
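Review bot: The new local `limit_ec2_instance_types` is the only entry in the `locals` block without the `_statement` suffix that every sibling (`protect_iam_roles_statement`, `limit_regions_statement`, ...) carries, and it reuses the variable's exact name, so `var.limit_ec2_instance_types` and `local.limit_ec2_instance_types` now mean different things (a bool and a one-or-zero-element list). Renaming it to `limit_ec2_instance_types_statement = var.limit_ec2_instance_types ? [""] : []` and pointing the statement's `for_each` at `local.limit_ec2_instance_types_statement` keeps the toggle-to-list convention readable. The `locals` block starts and ends outside the hunk.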
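Review bot: `resources = ["*"]` on the LimitEC2InstanceTypes statement will most likely deny every RunInstances call rather than only disallowed instance types. RunInstances is authorized against several resource types in one request (image, subnet, security group, volume, network interface, key pair), and `ec2:InstanceType` is only populated for the instance resource; as far as I recall, with a negated operator such as `StringNotEquals` an absent key evaluates as a match, so this Deny fires on the non-instance evaluations regardless of the requested type. Scoping the statement to the instance resource, `resources = ["arn:aws:ec2:*:*:instance/*"]`, keeps the condition meaningful and still covers `ec2:StartInstances`, which acts on instance ARNs; a short why-comment above `resources` would stop a later cleanup from widening it back to `*`. Note also that launches done by service-linked roles (for example Auto Scaling) are not subject to SCPs, so this statement does not bound those paths. The enclosing `combined_policy_block` data source starts and ends outside the hunk.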
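Review bot: With `default = [""]` for `allowed_ec2_instance_types`, enabling `limit_ec2_instance_types` without also setting this list yields a `StringNotEquals ec2:InstanceType ""` condition, i.e. a blanket Deny on RunInstances/StartInstances for the whole OU; that mirrors how `allowed_regions` is defaulted, but the description should say so, e.g. `description = "EC2 instance types allowed for use (for use with the LimitEC2InstanceTypes SCP). Must be set when limit_ec2_instance_types is true; the default denies all launches."`. The current wording also has a typo, "EC2 instances types". The usage example added to README.md in this same commit assigns the type to `allowed_regions = ["t2.medium"]` where it appears to mean `allowed_ec2_instance_types`, so as written the documented example would restrict nothing and should be corrected alongside this variable.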