Leverage ec2:Encrypted in an EC2 SCP #79

Open
KevinHock opened this issue Jul 20, 2022 · 0 comments
So there exists this condition key:

  • ec2:Encrypted (Bool): Filters access by whether the EBS volume is encrypted

on a variety of different actions listed in https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

We can leverage it just like in

```hcl
# Statement from an aws_iam_policy_document data source: deny RunInstances
# whenever the network interface being created asks for a public IP.
statement {
  actions = [
    "ec2:RunInstances",
  ]
  resources = [
    "arn:aws:ec2:*:*:network-interface/*",
  ]
  effect = "Deny"
  condition {
    test     = "Bool"
    variable = "ec2:AssociatePublicIpAddress"
    values = [
      "true",
    ]
  }
}
```

Everything from AttachVolume to RunInstances in the list of actions above belongs in an Actions list in this SCP.

Important Note

Note -- and this is important -- both the snapshot resource and the volume resource have this condition key. You can see this in the Resource types defined by Amazon EC2 table here https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html. So be sure to keep that in mind when making the SCP.
E.g. in the case referenced above, the only resource type with ec2:AssociatePublicIpAddress was the network interface.

So, for example, RunInstances would use the volume resource type whereas [RestoreSnapshotTier](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RestoreSnapshotTier.html) would use the snapshot resource type.

So you'll really want to have 2 Sids (statements) in this SCP IMO.

The Name

I propose deny_unencrypted_ebs.tf.

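The two-statement SCP the issue asks for, written out as an added example in the same aws_iam_policy_document style as the snippet in the issue. This is not code from the repository or from KevinHock; the action lists are seeded only with the actions the issue names (ec2:CreateVolume is an assumption to be checked against the docs table before use), the statement Sids and the Terraform resource name are made up for illustration, and the snapshot ARN pattern follows the documented form, which has an empty account field.

```hcl
# Added example, not the project's deny_unencrypted_ebs.tf. Two statements are
# needed because ec2:Encrypted is carried by two different resource types:
# the volume for actions like RunInstances/AttachVolume, and the snapshot for
# actions like RestoreSnapshotTier. A single statement listing both resources
# would silently never match for half of the actions.
data "aws_iam_policy_document" "deny_unencrypted_ebs" {
  # Statement 1: actions whose ec2:Encrypted key is evaluated on the volume.
  statement {
    sid    = "DenyUnencryptedEbsVolumes"
    effect = "Deny"
    actions = [
      "ec2:RunInstances",
      "ec2:AttachVolume",
      "ec2:CreateVolume", # assumption: confirm in the EC2 actions table first
    ]
    resources = [
      "arn:aws:ec2:*:*:volume/*",
    ]
    condition {
      test     = "Bool"
      variable = "ec2:Encrypted"
      values   = ["false"]
    }
  }

  # Statement 2: actions whose ec2:Encrypted key is evaluated on the snapshot.
  statement {
    sid    = "DenyUnencryptedEbsSnapshots"
    effect = "Deny"
    actions = [
      "ec2:RestoreSnapshotTier",
    ]
    resources = [
      # Snapshot ARNs have no account ID: arn:aws:ec2:<region>::snapshot/<id>
      "arn:aws:ec2:*::snapshot/*",
    ]
    condition {
      test     = "Bool"
      variable = "ec2:Encrypted"
      values   = ["false"]
    }
  }
}

# Attach the rendered JSON as an organizations SCP (resource name is illustrative).
resource "aws_organizations_policy" "deny_unencrypted_ebs" {
  name    = "deny_unencrypted_ebs"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.deny_unencrypted_ebs.json
}
```

One caveat worth deciding on before rolling this out: with `test = "Bool"`, a request in which ec2:Encrypted is not present at all does not match the condition, so the Deny does not fire. Switching to `test = "BoolIfExists"` makes a missing key count as a match and therefore denies such requests as well; that is the stricter reading, but it should be trialled on a test OU first, since it can block calls that never carry the key.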