{
    "Behavior": "PROACTIVE",
    "ComplianceFrameworkMappings": [
        {
            "ComplianceFramework": "NIST 800-53 Rev 5",
            "Ids": [
                "CA-9(1)",
                "CM-2"
            ]
        },
        {
            "ComplianceFramework": "PCI DSS version 3.2.1",
            "Ids": [
                "2.2"
            ]
        }
    ],
    "ControlOwner": "AWS Control Tower",
    "DeploymentMechanism": "AWS CloudFormation Hook",
    "DeploymentOwner": "AWS Control Tower",
    "Description": "This control checks whether Amazon EC2 launch templates that specify an EC2 instance type or use attribute based instance selection, specify only AWS Nitro instance types.",
    "DisplayName": "Require an Amazon EC2 instance to use an AWS Nitro instance type when creating from the 'AWS::EC2::LaunchTemplate' resource type",
    "DocumentationReferences": [
        {
            "DisplayName": "Instances built on the Nitro System",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances"
        }
    ],
    "EvaluatedResourceTypes": [
        "AWS::EC2::LaunchTemplate"
    ],
    "EvaluatedServices": [
        "Amazon EC2"
    ],
    "Groups": [
        "digital-sovereignty"
    ],
    "Guidance": "Elective",
    "Id": "CT.EC2.PR.15",
    "ImplementationType": "CloudFormation guard rule",
    "MinimumSupportedRuntimeVersion": "2.1",
    "Objectives": [
        {
            "Id": "CO.4",
            "Name": "Protect data integrity"
        },
        {
            "Id": "CO.5",
            "Name": "Enforce least privilege"
        }
    ],
    "RegionalPreference": "REGIONAL",
    "Relationships": [
        {
            "ControlId": "CT.EC2.PR.16",
            "ControlOwner": "AWS Control Tower",
            "RelationshipType": "Can be used with (Inclusive)"
        }
    ],
    "ReleaseDate": "2023-11-27",
    "RemediationMessage": "When InstanceType in LaunchTemplateData has been provided, set InstanceType to an EC2 instance type that is based on the AWS Nitro system. When InstanceRequirements in LaunchTemplateData has been provided, set AllowedInstanceTypes to a list of EC2 instance types based on the AWS Nitro system.",
    "Severity": "MEDIUM",
    "SupportedRegions": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-south-2",
        "ap-southeast-1",
        "ap-southeast-2",
        "ap-southeast-3",
        "ap-southeast-4",
        "ca-central-1",
        "eu-central-1",
        "eu-central-2",
        "eu-north-1",
        "eu-south-1",
        "eu-south-2",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "il-central-1",
        "me-central-1",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
    ],
    "TargetOuType": "CUSTOM",
    "Version": "1",
    "Visibility": "PUBLIC"
}