
Update/Fix EC2 Policies #49

Merged
merged 2 commits into from
Apr 12, 2024
Conversation

Nuru

@Nuru Nuru commented Apr 12, 2024

Warning

When the DenyEC2NonNitroInstances policy was first introduced, it was primarily intended
to ensure that network traffic was encrypted in transit, which was seen to be a feature
that all Nitro instances supported and all non-Nitro instances did not. However, this
is not the case, as instance families such as a1, t3, and t4g are Nitro based but
do not support network traffic encryption in transit.

As such, the DenyEC2NonNitroInstances policy is not a reliable way to ensure that
network traffic is encrypted in transit. It is recommended that you use the
DenyEC2InstancesWithoutEncryptionInTransit policy instead if that is your goal.

what

  • Update/fix EC2 Policies DenyEC2InstancesWithoutEncryptionInTransit and DenyEC2NonNitroInstances
  • Update test framework (even though testing does not work)

why

  • Prior policies exceeded 5120-character length limit and were also out of date
  • Satisfy Dependabot

references

@Nuru Nuru added the bugfix Change that restores intended behavior label Apr 12, 2024
@Nuru Nuru requested review from dudymas and aknysh April 12, 2024 10:11
@Nuru Nuru requested review from a team as code owners April 12, 2024 10:11
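The two problems the PR description raises, a policy that gates on the wrong property (Nitro rather than encryption in transit) and a document that overran the 5,120-character SCP quota, can both be checked offline before a policy is attached. The following is an added example, not code from this repository or from AWS: it builds a deny-unless-allowlisted SCP on the real `ec2:InstanceType` condition key, emulates IAM `StringNotLike` matching with `fnmatch`, and measures the minified document against the quota. The instance-type allowlists are constructed samples; the only page-supported facts in them are that a1, t3 and t4g are Nitro-based families without encryption in transit.

```python
import fnmatch
import json

# AWS Organizations quota for a single SCP document: 5,120 characters, whitespace included.
SCP_MAX_CHARS = 5120

# Constructed sample allowlists for this example only; the repository's real lists
# are not reproduced here. Wildcards follow IAM StringNotLike semantics ("*" and "?").
SAMPLE_EIT_TYPES = ["c5n.*", "m5n.*", "r5n.*", "c6gn.*", "c6i.*", "m6i.*"]
# Per the PR description, a1, t3 and t4g are Nitro-based but lack encryption in transit,
# so a Nitro allowlist is strictly wider than an encryption-in-transit allowlist.
SAMPLE_NITRO_TYPES = SAMPLE_EIT_TYPES + ["a1.*", "t3.*", "t4g.*"]


def build_deny_policy(sid, allowed_patterns):
    """Build an SCP that denies ec2:RunInstances unless the requested
    ec2:InstanceType matches one of the allowed patterns."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringNotLike": {"ec2:InstanceType": list(allowed_patterns)}
                },
            }
        ],
    }


def policy_size(policy):
    """Character count of the minified JSON, the form worth comparing to the quota."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_scp_limit(policy):
    """True when the minified document is within the SCP size quota."""
    return policy_size(policy) <= SCP_MAX_CHARS


def is_denied(policy, instance_type):
    """Emulate the StringNotLike condition offline: the Deny applies when the
    instance type matches none of the allowed patterns (matching is case-sensitive)."""
    patterns = policy["Statement"][0]["Condition"]["StringNotLike"]["ec2:InstanceType"]
    return not any(fnmatch.fnmatchcase(instance_type, p) for p in patterns)


if __name__ == "__main__":
    eit = build_deny_policy("DenyEC2InstancesWithoutEncryptionInTransit", SAMPLE_EIT_TYPES)
    nitro = build_deny_policy("DenyEC2NonNitroInstances", SAMPLE_NITRO_TYPES)
    for itype in ("t3.micro", "c5n.large"):
        print(itype, "denied by EIT policy:", is_denied(eit, itype),
              "| denied by Nitro policy:", is_denied(nitro, itype))
    print("EIT policy size:", policy_size(eit), "fits quota:", fits_scp_limit(eit))
```

Running it shows the gap the warning describes: `t3.micro` passes the Nitro-based policy but is denied by the encryption-in-transit policy. The size check is what catches the second problem; a long allowlist of per-size types blows through the quota quickly, which is why wildcard family patterns keep the document small.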

@dudymas dudymas left a comment


lgtm. Thanks for the fix and the explanation on the nitro instance changes.

@Nuru Nuru merged commit 4bce9de into main Apr 12, 2024
18 checks passed
@Nuru Nuru deleted the nitro-enc-in-transit branch April 12, 2024 20:36
Successfully merging this pull request may close these issues.

SCPs DenyEC2NonNitroInstances and DenyEC2InstancesWithoutEncryptionInTransit are too big