#
# This policy denies instance types that aren't based on the Nitro system, as listed in the following document:
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances
#
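- sid: "DenyNonNitroInstances"
  effect: "Deny"
  actions:
    - "ec2:RunInstances"
  # Allowlist semantics: with the negated operator the condition is true when
  # the requested type matches NONE of the patterns below, and the Deny then
  # fires. Anything not listed is blocked, so this is a point-in-time copy of
  # the AWS page referenced above and newer Nitro families have to be added
  # here explicitly or they will be denied.
  condition:
    - test: "StringNotLike"
      variable: "ec2:InstanceType"
      # Each pattern is "<family>." plus a wildcard, so the family name must
      # match exactly up to the dot: "c5.*" does not cover c5a or c5n, which
      # is why every family appears on its own line.
      values:
        - "a1.*"
        - "c5.*"
        - "c5a.*"
        - "c5ad.*"
        - "c5d.*"
        - "c5n.*"
        - "c6g.*"
        - "c6gd.*"
        - "c6gn.*"
        - "d3.*"
        - "d3en.*"
        # G4 and P4 type names carry a suffix before the dot (g4ad, g4dn, p4d),
        # as in the EncryptionInTransit statement below; a plain "g4.*" or
        # "p4.*" matches no real type and would deny these Nitro families.
        - "g4ad.*"
        - "g4dn.*"
        # Only the bare-metal size of i3 is listed; other i3 sizes are denied.
        - "i3.metal"
        - "i3en.*"
        - "inf1.*"
        - "m5.*"
        - "m5a.*"
        - "m5ad.*"
        - "m5d.*"
        - "m5dn.*"
        - "m5n.*"
        - "m5zn.*"
        - "m6g.*"
        - "m6gd.*"
        - "mac1.metal"
        - "p3dn.24xlarge"
        - "p4d.*"
        - "r5.*"
        - "r5a.*"
        - "r5ad.*"
        - "r5b.*"
        - "r5d.*"
        - "r5dn.*"
        - "r5n.*"
        - "r6g.*"
        - "r6gd.*"
        - "t3.*"
        - "t3a.*"
        - "t4g.*"
        - "u-12tb1.metal"
        - "u-18tb1.metal"
        - "u-24tb1.metal"
        - "u-6tb1.metal"
        - "u-9tb1.metal"
        - "z1d.*"
  # ec2:InstanceType is set on the instance resource of RunInstances, so the
  # statement is scoped to instance ARNs. Only the commercial "aws" partition
  # is covered — confirm whether other partitions (e.g. aws-us-gov) are in
  # scope for this policy.
  resources:
    - "arn:aws:ec2:*:*:instance/*"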

# This policy denies instance types that aren't based on the Nitro system and don't support Encryption-in-Transit as
# described in the following document:
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit
- sid: "DenyInstancesWithoutEncryptionInTransit"
  effect: "Deny"
  actions:
    - "ec2:RunInstances"
  # The negated operator turns this into an allowlist: the Deny applies when
  # the requested type matches none of the patterns, so any family missing
  # from this point-in-time list is blocked until it is added here.
  condition:
    - test: "StringNotLike"
      variable: "ec2:InstanceType"
      # Family prefixes must match exactly up to the dot; the wildcard only
      # covers the size suffix.
      values:
        - "c5a.*"
        - "c5ad.*"
        - "c5n.*"
        - "c6gn.*"
        - "d3.*"
        - "d3en.*"
        - "g4ad.*"
        - "g4dn.*"
        - "i3en.*"
        - "m5dn.*"
        - "m5n.*"
        - "m5zn.*"
        - "p3dn.*"
        - "p4d.*"
        - "r5dn.*"
        - "r5n.*"
  # Scoped to instance ARNs, where ec2:InstanceType is set for RunInstances;
  # the ARN names the commercial "aws" partition only.
  resources:
    - "arn:aws:ec2:*:*:instance/*"