# Builds the "ec2-administrator" IAM policy from the shared access-policy
# module. Every restriction below is an unconditional deny or resource scope;
# nothing here is keyed to an environment or account, so it applies wherever
# the resulting policy is attached.
module "ec2_admin_policy" {
source = "registry.patterneddesigns.ca/governance/access-policy/aws"
# Pinned exactly; bump deliberately, since the module defines how
# allowed_services / denied_actions / resource_restrictions are rendered.
version = "2.1.0"
policy_name = "ec2-administrator"
policy_type = "iam"
# Services the policy grants access to. Presumably the module expands each
# entry to "<service>:*" before the denies below are applied — confirm
# against the module's documentation before relying on that.
allowed_services = [
"ec2",
"elasticloadbalancing",
"autoscaling",
"cloudwatch"
]
# Explicit denies. In IAM an explicit deny overrides any allow, so these win
# over the service-wide grants above regardless of resource_restrictions.
denied_actions = [
# Prevent VPC create/delete and attribute changes. Only the VPC object itself
# is covered; subnet, route table, gateway and peering actions are not in
# this list — confirm whether leaving them allowed is intended.
"ec2:CreateVpc",
"ec2:DeleteVpc",
"ec2:ModifyVpcAttribute",
# Prevent security group *ingress* rule changes. This deny carries no
# condition, so it applies in every environment, not only production.
# Egress rule changes (ec2:AuthorizeSecurityGroupEgress,
# ec2:RevokeSecurityGroupEgress) and ec2:ModifySecurityGroupRules are not
# listed and remain allowed — verify that gap is acceptable.
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
# Denies ALL instance launches through this policy, not only large ones:
# there is no instance-type qualifier here. Limiting by size needs a
# condition (e.g. ec2:InstanceType) or an SCP, as noted at the end of file.
"ec2:RunInstances"
]
# Resource scope for the ec2 service: any region, any account (the two "*"
# ARN fields), but only instance and volume resource types. How the module
# treats ec2 actions on other resource types (security groups, ENIs,
# snapshots, AMIs) is not visible here — presumably unscoped; confirm.
resource_restrictions = {
ec2 = [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
]
}
}
# Note: Additional instance type restrictions should be
# implemented via Service Control Policies