Profile Applicability:

Level 1

Description:

AWS CloudShell provides a pre-authenticated command-line interface (CLI) for interacting with AWS services.

  • The AWSCloudShellFullAccess IAM policy grants full access to CloudShell, allowing users to upload/download files and run commands with sudo privileges.

  • Users with this policy can install data exfiltration tools or transfer sensitive data to external systems.

Rationale:

  • AWSCloudShellFullAccess allows unrestricted sudo access, meaning malicious actors can install unauthorized tools.

  • Potential data exfiltration risk – users can upload and download files between AWS CloudShell and their local system.

  • Excessive access violates the principle of least privilege and increases security risk.

Impact:

  • If AWSCloudShellFullAccess is removed from all users, CloudShell will be unavailable.

  • Existing workflows that rely on CloudShell access may break unless alternative permissions are provided.

  • Restricting AWSCloudShellFullAccess may require users to switch to the AWS CLI on their local machine.

Default Value:

By default:

  • AWSCloudShellFullAccess is not attached to any users or roles.

  • Users must be explicitly granted this policy to use CloudShell with full privileges.

Pre-Requisites:

  1. IAM Administrator Access

    • Permissions: iam:ListPolicies, iam:ListEntitiesForPolicy, iam:DetachUserPolicy

  2. AWS CLI Installed (for automation)

  3. Identify users, roles, and groups assigned AWSCloudShellFullAccess

  4. Create a more restrictive policy for AWS CloudShell users

Remediation:

Test Plan:

Using AWS Console

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Policies.

  3. Search for AWSCloudShellFullAccess.

  4. Click on Entities Attached.

  5. Ensure no IAM users, roles, or groups are attached to this policy.

Using AWS CLI

Step 1: List IAM Policies and Find AWSCloudShellFullAccess

aws iam list-policies --query "Policies[?PolicyName=='AWSCloudShellFullAccess']"
  • This command checks if the policy exists in your AWS account.

Step 2: Check Who Has AWSCloudShellFullAccess Attached

aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
  • If PolicyRoles, PolicyUsers, or PolicyGroups contain entities, those entities have access to CloudShell.

Example Output (Non-Compliant):

{
  "PolicyRoles": ["AdminRole"],
  "PolicyUsers": ["JohnDoe"],
  "PolicyGroups": []
}
  • AdminRole and JohnDoe have full CloudShell access and must be remediated.

Step 3: Verify If Other Policies Grant CloudShell Access

aws iam list-policies --query "Policies[?contains(PolicyName, 'CloudShell')]"
  • If other custom policies provide CloudShell access, review them as well; detaching the managed policy alone does not restrict access that those policies still grant.

Implementation Steps:

Step 1: Detach AWSCloudShellFullAccess from Users, Roles, and Groups

Using AWS Console

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Policies.

  3. Search for AWSCloudShellFullAccess and select it.

  4. Click Entities Attached → For each user, role, or group, check the box and click Detach.


Using AWS CLI

Detach the policy from IAM users:

aws iam detach-user-policy --user-name <UserName> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

Detach the policy from IAM groups:

aws iam detach-group-policy --group-name <GroupName> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

Detach the policy from IAM roles:

aws iam detach-role-policy --role-name <RoleName> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

Step 2: Restrict CloudShell Access with a Custom IAM Policy

  • Instead of removing CloudShell entirely, create a restricted policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudshell:CreateEnvironment",
                "cloudshell:GetEnvironmentStatus",
                "cloudshell:StartEnvironment"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "cloudshell:PutFile",
                "cloudshell:GetFile"
            ],
            "Resource": "*"
        }
    ]
}
  • Save the JSON policy file as RestrictedCloudShellAccess.json.

  • Create a new IAM policy using the AWS CLI:

aws iam create-policy --policy-name RestrictedCloudShellAccess --policy-document file://RestrictedCloudShellAccess.json

  • Attach this policy to specific IAM users or groups. A customer-managed policy lives under your own account ID, not the aws namespace used by AWSCloudShellFullAccess:

aws iam attach-user-policy --user-name <UserName> --policy-arn arn:aws:iam::<AccountId>:policy/RestrictedCloudShellAccess
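Offline checks for the two audit questions above (who the managed policy is attached to, and whether any other policy still grants CloudShell file transfer), as an added Python example that is not part of the benchmark text. The sample JSON, the cloudshell:* stand-in for the managed policy, and the simplified Allow/Deny evaluation are constructed for the example.

```python
"""Offline checks for the AWSCloudShellFullAccess control (added example, not part
of the benchmark). Runs on `aws iam list-entities-for-policy` JSON and on IAM
policy documents, so it needs no AWS credentials."""
import fnmatch

FILE_TRANSFER = ("cloudshell:GetFile", "cloudshell:PutFile")

def attached_entities(output: dict) -> list:
    """Return 'type:name' for every user, group and role the policy is attached to.
    Real CLI output lists objects such as {"UserName": ...}; the benchmark's
    shortened example uses bare strings, so both shapes are accepted."""
    found = []
    for key, name_key in (("PolicyUsers", "UserName"), ("PolicyGroups", "GroupName"),
                          ("PolicyRoles", "RoleName")):
        for entry in output.get(key, []):
            name = entry if isinstance(entry, str) else entry.get(name_key, "?")
            found.append(f"{key[6:].lower()}:{name}")
    return found

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows_file_transfer(policy: dict) -> bool:
    """True if the policy lets a principal move files in or out of CloudShell.
    Simplified IAM semantics: an explicit Deny on an action beats any Allow, and
    wildcards in Action ("cloudshell:*", "*") are expanded."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in FILE_TRANSFER
                      if any(fnmatch.fnmatchcase(a, p) for p in patterns))
    return bool(allowed - denied)

# Constructed samples: the benchmark's non-compliant output, a stand-in for the
# managed policy (cloudshell:*), and the restricted policy from Step 2.
NON_COMPLIANT = {"PolicyRoles": ["AdminRole"], "PolicyUsers": ["JohnDoe"], "PolicyGroups": []}
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudshell:*", "Resource": "*"}]}
RESTRICTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["cloudshell:CreateEnvironment",
     "cloudshell:GetEnvironmentStatus", "cloudshell:StartEnvironment"]},
    {"Effect": "Deny", "Resource": "*", "Action": ["cloudshell:PutFile", "cloudshell:GetFile"]}]}

if __name__ == "__main__":
    print("attached:", attached_entities(NON_COMPLIANT))   # users:JohnDoe, roles:AdminRole
    print("managed policy allows file transfer:", allows_file_transfer(FULL_ACCESS))  # True
    print("restricted policy allows file transfer:", allows_file_transfer(RESTRICTED))  # False
```

Feed it the real CLI output with `json.load` on the `aws iam list-entities-for-policy` result and `aws iam get-policy-version --query PolicyVersion.Document` for each custom policy found in Step 3.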

Backout Plan:

If users require CloudShell access, follow these steps:

  • Re-attach AWSCloudShellFullAccess to specific users/groups:
aws iam attach-user-policy --user-name <UserName> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

  • Modify the restricted policy to allow specific actions.

References: