Profile Applicability

  • Level 1

Description:

AWS CloudShell provides a browser-based shell that is pre-authenticated with the credentials of the console user who opens it. It is convenient for administrators and developers, but the environment also gives the user sudo, outbound internet access, and a file upload/download feature between the shell and the local workstation. The AWSCloudShellFullAccess managed policy allows every cloudshell: action, including the file-transfer actions, so a principal holding it gets a Linux host with internet egress plus a sanctioned path for moving files to their workstation: anything their other IAM permissions let them read can be pulled into the shell and carried out of the account, bypassing endpoint controls on the workstation itself.

To reduce this risk, restrict who holds AWSCloudShellFullAccess so that only approved users or roles can open AWS CloudShell. Detach the policy from IAM users, groups and roles that do not need it; where interactive CloudShell access is genuinely required, prefer a customer managed policy that grants the session actions but denies cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls over the full-access managed policy.

Rationale:

Restricting access to AWSCloudShellFullAccess provides the following benefits:

  • Security control: removes an interactive shell with internet egress and file transfer from principals who do not need it, shrinking what a compromised credential can reach.

  • Compliance: supports least-privilege requirements for administrative tooling in sensitive AWS accounts.

  • Auditability: CloudShell session and file-transfer API calls are made with the caller's own credentials and recorded in AWS CloudTrail. With the policy limited to a known set of principals, any cloudshell: activity from anyone else is an anomaly worth investigating rather than noise.

Without this restriction, any principal holding the policy, including one whose credentials have been phished or leaked, can open CloudShell and use it to stage tools or move data out of your AWS environment.

Impact:

Failure to restrict access to AWSCloudShellFullAccess can result in:

  • Unintentional or deliberate changes to AWS resources made from an interactive shell by users who were never meant to have one. CloudShell runs with the caller's own IAM permissions, so everything those permissions allow is reachable from the shell.

  • An exfiltration and tool-staging channel: the shell has outbound internet access and supports file upload and download, which sidesteps controls that only restrict the user's workstation.

  • Non-compliance with security policies that require administrative tooling to be limited to approved principals.

Restricting the policy removes browser-based shell access for the affected principals; they will need the AWS CLI on a managed workstation or a narrower CloudShell policy instead, so agree the change with the teams that rely on CloudShell before detaching it.

Default Value:

By default, the AWSCloudShellFullAccess policy is not attached to any IAM user, group, or role. Once attached, it grants every cloudshell: action (an Allow on cloudshell:* for all resources), so it should be assigned only where the principle of least privilege justifies it.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions for the principal performing the audit and remediation:

    • iam:ListPolicies and iam:ListEntitiesForPolicy (to locate the policy and list every user, group and role it is attached to)

    • iam:ListUsers, iam:ListGroups, iam:ListRoles, iam:ListAttachedUserPolicies, iam:ListAttachedGroupPolicies and iam:ListAttachedRolePolicies (when checking principals one at a time)

    • iam:DetachUserPolicy, iam:DetachGroupPolicy and iam:DetachRolePolicy (implementation)

    • iam:AttachUserPolicy, iam:AttachGroupPolicy and iam:AttachRolePolicy (backout)

  • Access to the AWS Management Console or AWS CLI with IAM administrator permissions

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the IAM Console.

  2. Navigate to Policies and search for AWSCloudShellFullAccess.

  3. Open the policy and review the Entities attached tab; it lists every user, group and role the policy is attached to. Users inherit the policy through any group shown there.

  4. For each attachment, confirm a documented need for CloudShell including file transfer. Where there is none, the attachment must be removed.

Using AWS CLI:

Check whether a specific IAM user has the policy attached directly (an empty table means no direct attachment; membership of a group that holds the policy must be checked separately):

aws iam list-attached-user-policies --user-name <username> --query "AttachedPolicies[?PolicyName=='AWSCloudShellFullAccess']" --output table

Check whether a specific IAM role has the policy attached:

aws iam list-attached-role-policies --role-name <role-name> --query "AttachedPolicies[?PolicyName=='AWSCloudShellFullAccess']" --output table

These per-principal queries must be repeated for every user, group and role in the account, and they only detect the AWS managed policy by name: a customer managed or inline policy that grants cloudshell:* would not appear and needs a separate review.

Implementation Plan:

Using AWS Console:

  1. Remove AWSCloudShellFullAccess policy from IAM users, groups, or roles:

    • Go to the IAM Console.

    • Open Policies, select AWSCloudShellFullAccess and review the Entities attached tab to see every user, group and role the policy is attached to.

    • Detach the policy from every user, group and role without an approved need for CloudShell access. Detaching from a group removes it for all of that group's members at once.

  2. Verify the changes:

    • Return to the Entities attached tab and confirm that only approved principals remain.

Using AWS CLI:

  1. Remove AWSCloudShellFullAccess from an IAM user:

aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

  2. Remove AWSCloudShellFullAccess from an IAM role:

aws iam detach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

  3. Verify the policy removal (an empty table confirms the policy is no longer attached directly to the user; run the matching role query for roles):

aws iam list-attached-user-policies --user-name <username> --query "AttachedPolicies[?PolicyName=='AWSCloudShellFullAccess']" --output table

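Checking and detaching principal by principal, as in the Test Plan and the CLI steps above, does not scale across an account with many users, groups and roles, and the commands shown do not cover groups at all. The following script is an example added to this page, not an AWS or CIS tool: it uses boto3 to ask IAM for every entity the managed policy is attached to (the ListEntitiesForPolicy API, the same data as aws iam list-entities-for-policy), follows pagination, and with --detach removes the policy from every principal that is not on an explicit approval list. The IAM client is passed in as a parameter so the logic can be exercised against a fake client without AWS access; the script file name and the principal names in the usage note are hypothetical.

```python
"""Find, and optionally detach, every IAM principal that has the
AWSCloudShellFullAccess managed policy attached.

The IAM client is injected so the logic can run offline against a fake;
in production pass boto3.client("iam"). Example code added to this page,
not an AWS or CIS tool.
"""
from __future__ import annotations

import argparse
from dataclasses import dataclass, field

# ARN of the AWS managed policy this control restricts.
CLOUDSHELL_FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"


@dataclass
class Attachments:
    """Principals the policy is attached to, by IAM entity type."""
    users: list[str] = field(default_factory=list)
    groups: list[str] = field(default_factory=list)
    roles: list[str] = field(default_factory=list)

    def as_keys(self) -> list[str]:
        """Flatten to 'type:name' keys, the format used for the approval list."""
        return ([f"user:{n}" for n in self.users]
                + [f"group:{n}" for n in self.groups]
                + [f"role:{n}" for n in self.roles])


def find_attachments(iam, policy_arn: str = CLOUDSHELL_FULL_ACCESS_ARN) -> Attachments:
    """Return every user, group and role the managed policy is attached to.

    ListEntitiesForPolicy is paginated (IsTruncated/Marker); a single call
    that ignores the marker silently misses principals beyond the first page.
    """
    found = Attachments()
    kwargs = {"PolicyArn": policy_arn}
    while True:
        page = iam.list_entities_for_policy(**kwargs)
        found.users.extend(u["UserName"] for u in page.get("PolicyUsers", []))
        found.groups.extend(g["GroupName"] for g in page.get("PolicyGroups", []))
        found.roles.extend(r["RoleName"] for r in page.get("PolicyRoles", []))
        if not page.get("IsTruncated"):
            return found
        kwargs["Marker"] = page["Marker"]


def detach_unapproved(iam, found: Attachments, approved: frozenset[str] = frozenset(),
                      policy_arn: str = CLOUDSHELL_FULL_ACCESS_ARN) -> Attachments:
    """Detach the policy from every principal in `found` whose 'type:name'
    key is not in `approved`; return what was detached. Detaching from a
    group removes the access for all of that group's members at once."""
    detached = Attachments()
    for name in found.users:
        if f"user:{name}" not in approved:
            iam.detach_user_policy(UserName=name, PolicyArn=policy_arn)
            detached.users.append(name)
    for name in found.groups:
        if f"group:{name}" not in approved:
            iam.detach_group_policy(GroupName=name, PolicyArn=policy_arn)
            detached.groups.append(name)
    for name in found.roles:
        if f"role:{name}" not in approved:
            iam.detach_role_policy(RoleName=name, PolicyArn=policy_arn)
            detached.roles.append(name)
    return detached


def main() -> int:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--detach", action="store_true",
                        help="detach from every unapproved principal (default: report only)")
    parser.add_argument("--approve", action="append", default=[], metavar="TYPE:NAME",
                        help="principal allowed to keep the policy, e.g. role:BreakGlassAdmin")
    args = parser.parse_args()
    import boto3  # imported here so the audit logic above has no AWS dependency
    iam = boto3.client("iam")

    found = find_attachments(iam)
    approved = frozenset(args.approve)
    unapproved = [k for k in found.as_keys() if k not in approved]
    for key in found.as_keys():
        print("attached:", key, "(approved)" if key in approved else "")
    if args.detach:
        for key in detach_unapproved(iam, found, approved).as_keys():
            print("detached:", key)
        return 0
    # Report-only mode exits non-zero while unapproved attachments remain,
    # so the script can gate a compliance pipeline.
    return 1 if unapproved else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run the script without arguments for a report (exit code 1 while unapproved attachments exist), or with `--detach --approve role:BreakGlassAdmin` to remediate while keeping one approved role (hypothetical name). Like the CLI checks, it only finds the AWS managed policy: a customer managed policy that grants cloudshell:* lives under a different ARN and must be reviewed separately.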

Backout Plan:

Using AWS Console:

  1. If restricting access to CloudShell affects legitimate usage:

    • Go to the IAM Console.

    • Reattach the AWSCloudShellFullAccess policy to the appropriate user, group, or role.

  2. Review and modify access policies to ensure that only authorized roles are granted the necessary permissions for CloudShell access.

Using AWS CLI:

  1. Temporarily reattach the AWSCloudShellFullAccess policy to a user:

aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

  2. Reattach the policy to a role if needed:

aws iam attach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

  3. Once the legitimate use case has been moved to a narrower policy or another access path, detach the managed policy again:

aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

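Reattaching the full-access policy restores exactly the file-transfer capability this control removes. Where a principal needs an interactive CloudShell but not file transfer, a customer managed policy such as the following can be created and attached in its place. This is an example added to this page, not a policy from the page or from AWS's managed set; it relies on the cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls action names documented in the AWS CloudShell user guide, and the Sid values are arbitrary. Create it with aws iam create-policy and use the resulting ARN with the attach-*-policy commands above instead of the managed policy ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudShellSessions",
      "Effect": "Allow",
      "Action": "cloudshell:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyFileTransfer",
      "Effect": "Deny",
      "Action": [
        "cloudshell:GetFileUploadUrls",
        "cloudshell:GetFileDownloadUrls"
      ],
      "Resource": "*"
    }
  ]
}
```

This narrows the exposure but does not eliminate it: the shell still has sudo and outbound internet access, so data can leave through ordinary network tools. Treat it as a compromise for principals whose need is established, not as a substitute for detaching the policy from everyone else.
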
References:

CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                4.9          Perform Continuous Security Monitoring and Incident Detection
CIS v7                6.3          Monitor Security Configurations for Compliance
CIS v7                5.2          Securely Manage and Monitor Cloud Accounts and Services