Profile Applicability:
Level 1
Description:
AWS CloudShell is a browser-based shell for managing AWS resources. It allows users to interact with AWS resources using the AWS CLI, and the AWSCloudShellFullAccess policy grants full access to AWS CloudShell features and capabilities. This SOP ensures that no IAM identities (users, groups, or roles) have the AWSCloudShellFullAccess policy attached unless explicitly needed, as granting unnecessary access may increase security risks.
Rationale:
Security: Limiting access to AWS CloudShell through the AWSCloudShellFullAccess policy ensures that users are granted only the necessary permissions to interact with AWS resources.
Compliance: Many regulatory frameworks require strict controls over who can access and manage resources in AWS. Limiting the use of AWSCloudShellFullAccess aligns with least privilege principles.
Risk Mitigation: Ensuring that AWSCloudShellFullAccess is not attached to unnecessary users, groups, or roles minimizes the risk of over-permissioning and potential misuse of the service.
Impact:
Pros:
Reduced Attack Surface: Prevents the accidental or malicious use of CloudShell by unauthorized users.
Improved Access Control: Ensures that only authorized entities have access to the full capabilities of CloudShell.
Compliance: Helps meet internal and external compliance requirements by following least privilege access principles.
Cons:
Operational Complexity: Disabling CloudShell access for users may limit operational efficiency for those who require it for managing AWS resources.
Support Overhead: Restricting access may require additional support to configure access when CloudShell is needed for legitimate purposes.
Default Value:
By default, IAM identities (users, groups, roles) do not have the AWSCloudShellFullAccess policy attached unless explicitly assigned by an administrator.
Pre-requisite:
AWS IAM Permissions:
iam:ListPolicies
iam:ListEntitiesForPolicy
iam:GetPolicy
iam:GetPolicyVersion
AWS CLI installed and configured.
AWS IAM Roles and User Policies need to be configured in the AWS environment.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM under Security, Identity, & Compliance.
In the IAM Console, go to Policies and search for the AWSCloudShellFullAccess policy.
Select AWSCloudShellFullAccess and review which IAM users, groups, or roles it is attached to.
For each IAM identity, check if the AWSCloudShellFullAccess policy is attached.
Using AWS CLI:
To list all roles with the AWSCloudShellFullAccess policy attached, run the following command:
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess --query 'PolicyRoles[*].RoleName'
To check if a group has the AWSCloudShellFullAccess policy attached, use:
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess --query 'PolicyGroups[*].GroupName'
To check if a user has the AWSCloudShellFullAccess policy attached, run:
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess --query 'PolicyUsers[*].UserName'
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to IAM.
In the IAM Console, click on Policies, and search for AWSCloudShellFullAccess.
Identify all IAM users, groups, or roles that have the AWSCloudShellFullAccess policy attached.
Detach the AWSCloudShellFullAccess policy from any unnecessary IAM identities:
For users: Navigate to the Users section, select the user, and remove the policy.
For groups: Navigate to the Groups section, select the group, and remove the policy.
For roles: Navigate to the Roles section, select the role, and remove the policy.
Using AWS CLI:
To detach AWSCloudShellFullAccess from an IAM user, run:
aws iam detach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
To detach the policy from a group, use:
aws iam detach-group-policy --group-name <group-name> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
To detach the policy from a role, run:
aws iam detach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
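The audit in the Test Plan and the detach commands above can be combined into one pass: parse the output of `aws iam list-entities-for-policy`, compare every attached user, group and role against an approved list, and emit the matching detach command for each unapproved attachment. This is an added example, not part of the SOP; the identity names and the approved set are constructed and hypothetical, and the live lookup requires the iam:ListEntitiesForPolicy permission listed under Pre-requisite.

```python
import json
import subprocess

POLICY_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"

# Keys returned by list-entities-for-policy, mapped to the name field in each
# entry and the detach subcommand/flag that applies to that identity type.
IDENTITY_TYPES = {
    "PolicyUsers": ("UserName", "detach-user-policy", "--user-name"),
    "PolicyGroups": ("GroupName", "detach-group-policy", "--group-name"),
    "PolicyRoles": ("RoleName", "detach-role-policy", "--role-name"),
}

# Constructed sample in the shape `aws iam list-entities-for-policy` returns;
# all names and ids are hypothetical.
SAMPLE_OUTPUT = json.dumps({
    "PolicyGroups": [{"GroupName": "CloudOps", "GroupId": "AGPAEXAMPLE1"}],
    "PolicyUsers": [
        {"UserName": "alice", "UserId": "AIDAEXAMPLE1"},
        {"UserName": "ci-deployer", "UserId": "AIDAEXAMPLE2"},
    ],
    "PolicyRoles": [{"RoleName": "BreakGlassAdmin", "RoleId": "AROAEXAMPLE1"}],
})


def fetch_entities():
    """Live lookup through the AWS CLI (not called in the offline demo)."""
    out = subprocess.check_output(
        ["aws", "iam", "list-entities-for-policy", "--policy-arn", POLICY_ARN])
    return out.decode()


def audit(entities_json, approved):
    """Return (identity_type, name, detach_command) for every attachment of
    AWSCloudShellFullAccess that is not in `approved` ("role:Name" style)."""
    data = json.loads(entities_json)
    findings = []
    for key, (name_field, command, flag) in IDENTITY_TYPES.items():
        kind = key[len("Policy"):-1].lower()  # PolicyUsers -> "user"
        for entity in data.get(key, []):
            name = entity[name_field]
            if f"{kind}:{name}" in approved:
                continue  # explicitly needed, leave attached
            detach = f"aws iam {command} {flag} {name} --policy-arn {POLICY_ARN}"
            findings.append((kind, name, detach))
    return findings


if __name__ == "__main__":
    for kind, name, cmd in audit(SAMPLE_OUTPUT, {"role:BreakGlassAdmin"}):
        print(f"{kind} {name} has AWSCloudShellFullAccess attached -> {cmd}")
```

Replace `SAMPLE_OUTPUT` with `fetch_entities()` to run against a real account; the printed commands are the ones listed above and should be reviewed before execution.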
Backout Plan:
Using Console:
Open the IAM Console.
Check Users, Groups, and Roles under their respective sections.
Look for the AWSCloudShellFullAccess policy in their attached policies.
Using CLI:
For a user:
aws iam list-attached-user-policies --user-name <user-name>
For a group:
aws iam list-attached-group-policies --group-name <group-name>
For a role:
aws iam list-attached-role-policies --role-name <role-name>
Check if the output includes:
arn:aws:iam::aws:policy/AWSCloudShellFullAccess
Note:
User Education: Ensure that users who require access to AWS CloudShell for legitimate reasons are informed about the policy and how it can be re-enabled.
Audit Logs: Consider enabling AWS CloudTrail to track changes in IAM policy attachments and detachments, providing visibility into any changes made to user, group, or role permissions.