Describe the Bug

The SCPs in catalog/ec2-policies.yaml are too big. There is a limit of 5120 characters to a Service Control Policy.

DenyEC2NonNitroInstances is 8325 characters when converted to compact JSON.
DenyEC2InstancesWithoutEncryptionInTransit is 5231 characters when converted to compact JSON.

Nitro vs Encryption in Transit

There was an assumption, possibly based on AWS documentation, that all Nitro instances automatically performed encryption of network traffic. This is not the case (at least not now). For example, the a1 instances are Nitro but do not support Encryption in Transit. This should be pointed out in the description of DenyEC2NonNitroInstances, because some people may be using it as a proxy for DenyEC2InstancesWithoutEncryptionInTransit.

References:
a1
aws ec2 describe-instance-types

Expected Behavior

SCPs should be valid, including being of an acceptable size.

Steps to Reproduce

Try to deploy the SCP.

Screenshots

No response

Environment

No response

Additional Context

DenyEC2NonNitroInstances

My investigation indicates that all sizes of any instance type are either all Nitro or all non-Nitro, so DenyEC2NonNitroInstances can be shortened by using wildcards instead of listing all sizes.

DenyEC2InstancesWithoutEncryptionInTransit

My investigation found that, at least currently, all sizes of any instance type either all do or do not support Encryption in Transit, so DenyEC2InstancesWithoutEncryptionInTransit can be shortened by using wildcards instead of listing all sizes.
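The two checks the issue asks for, as an added example that is not part of the issue or of the project's catalog: measure a policy as compact JSON against the 5120-character SCP quota, collapse a per-size instance-type list to family wildcards only where every size in the family shares the attribute, and list the families that are Nitro but lack Encryption in Transit. The instance-type data is a constructed subset shaped like `aws ec2 describe-instance-types` output (the `Hypervisor` and `NetworkInfo.EncryptionInTransitSupported` field names are the real ones, the `zz9` family is invented to exercise the mixed-family guard), and the Deny-on-`ec2:RunInstances` policy shape is an assumption, not copied from catalog/ec2-policies.yaml.

```python
import json
from collections import defaultdict

# AWS quota: an SCP document may hold at most 5,120 characters, whitespace
# included, which is why the issue measures the policies as compact JSON.
SCP_MAX_CHARS = 5120


def _it(name, hypervisor, eit):
    """One entry shaped like `aws ec2 describe-instance-types` output; the three
    fields used here carry their real names."""
    return {"InstanceType": name, "Hypervisor": hypervisor,
            "NetworkInfo": {"EncryptionInTransitSupported": eit}}


# Constructed catalog: a1 is Nitro without Encryption in Transit, as the issue
# reports; t2 is Xen; c5n supports EIT; "zz9" is an invented family whose sizes
# disagree, to exercise the wildcard guard. Bare-metal types (which have no
# Hypervisor field in the real output) are left out.
INSTANCE_TYPES = [
    _it("a1.medium", "nitro", False), _it("a1.large", "nitro", False),
    _it("t2.micro", "xen", False), _it("t2.small", "xen", False),
    _it("c5n.large", "nitro", True), _it("c5n.xlarge", "nitro", True),
    _it("zz9.large", "nitro", True), _it("zz9.xlarge", "xen", False),
]


def family(instance_type):
    """'c5n.xlarge' -> 'c5n'."""
    return instance_type.split(".", 1)[0]


def is_nitro(entry):
    return entry.get("Hypervisor") == "nitro"


def supports_eit(entry):
    return bool(entry.get("NetworkInfo", {}).get("EncryptionInTransitSupported"))


def types_where(catalog, predicate):
    """Sorted instance types for which `predicate` holds."""
    return sorted(e["InstanceType"] for e in catalog if predicate(e))


def collapse_to_wildcards(keep, catalog):
    """Emit 'family.*' only where every size of that family known to `catalog`
    is in `keep`; mixed families stay explicit so a wildcard never widens the
    allow-list beyond what the per-size list permitted."""
    sizes = defaultdict(set)
    for e in catalog:
        sizes[family(e["InstanceType"])].add(e["InstanceType"])
    keep, out = set(keep), []
    for fam in sorted(sizes):
        kept = sizes[fam] & keep
        if kept == sizes[fam]:
            out.append(f"{fam}.*")
        else:
            out.extend(sorted(kept))  # empty for families with nothing kept
    return out


def nitro_families_without_eit(catalog):
    """Families that are entirely Nitro yet offer no Encryption in Transit: the
    cases where DenyEC2NonNitroInstances is not a proxy for
    DenyEC2InstancesWithoutEncryptionInTransit."""
    by_family = defaultdict(list)
    for e in catalog:
        by_family[family(e["InstanceType"])].append(e)
    return sorted(f for f, es in by_family.items()
                  if all(is_nitro(e) for e in es)
                  and not any(supports_eit(e) for e in es))


def build_deny_policy(sid, allowed_types):
    """Assumed policy shape (not the catalog's own): deny RunInstances for any
    instance type outside the allow-list. StringNotLike is what lets the
    'family.*' wildcards match."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Deny", "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotLike": {"ec2:InstanceType": allowed_types}},
    }]}


def compact_size(policy):
    """Length as compact JSON, the figure the SCP quota applies to."""
    return len(json.dumps(policy, separators=(",", ":")))


def within_scp_limit(policy):
    return compact_size(policy) <= SCP_MAX_CHARS


def oversized_policy():
    """Constructed policy naming 500 invented sizes explicitly; it blows the quota."""
    return build_deny_policy("DenyEC2NonNitroInstances",
                             [f"x{i}.large" for i in range(500)])


if __name__ == "__main__":
    for sid, pred in (("DenyEC2NonNitroInstances", is_nitro),
                      ("DenyEC2InstancesWithoutEncryptionInTransit", supports_eit)):
        explicit = types_where(INSTANCE_TYPES, pred)
        for label, allow in (("explicit", explicit),
                             ("wildcards", collapse_to_wildcards(explicit, INSTANCE_TYPES))):
            pol = build_deny_policy(sid, allow)
            print(f"{sid} ({label}): {compact_size(pol)} chars, ok={within_scp_limit(pol)}")
    print("Nitro but no EIT:", nitro_families_without_eit(INSTANCE_TYPES))
```

Against a real account, replace INSTANCE_TYPES with the parsed output of `aws ec2 describe-instance-types` (paginated) before trusting any `family.*` entry; the collapse deliberately keeps a family explicit if even one size disagrees, which is the check that guards the wildcard shortcut the issue proposes.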