SCPs DenyEC2NonNitroInstances and DenyEC2InstancesWithoutEncryptionInTransit are too big

[Nuru]

Describe the Bug

The SCPs in catalog/ec2-policies.yaml are too big. There is a limit of 5120 characters to a Service Control Policy.

• DenyEC2NonNitroInstances is 8325 characters when converted to compact JSON
• DenyEC2InstancesWithoutEncryptionInTransit is 5231 characters when converted to compact JSON

Nitro vs Encryption in Transit

There was an assumption, possibly based on AWS documentation, that all Nitro instances automatically performed encryption of network traffic. This is not the case (at least not now). For example. The a1 instances are Nitro but do not support Encryption in Transit. This should be pointed out in the description of DenyEC2NonNitroInstances, because some people may be using it as a proxy for DenyEC2InstancesWithoutEncryptionInTransit.

References:

• Encryption in Transit does not include a1.
• Instances built on the Nitro System lists A1 as a Nitro instance type.
• Confirmed via aws ec2 describe-instance-types

Expected Behavior

SCPs should be valid, including being of an acceptable size.

Steps to Reproduce

Try to deploy the SCP

Screenshots

No response

Environment

No response

Additional Context

DenyEC2NonNitroInstances

My investigation indicates that all sizes of any instance type are either all Nitro or all non-Nitro, so the DenyEC2NonNitroInstances can be shortened by using wildcards instead of listing all sizes.

DenyEC2InstancesWithoutEncryptionInTransit

My investigation found that, at least currently, all sizes of any instance type either all do or do not support Encryption in Transit, so the DenyEC2InstancesWithoutEncryptionInTransit can be shortened by using wildcards instead of listing all sizes.