Description

AWS CloudShell is a convenient way to run CLI commands against AWS services. The AWSCloudShellFullAccess managed IAM policy provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment, a user has sudo permissions and can access the internet. This makes it feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.

Rationale

Access to this policy should be restricted, as it presents a potential channel for data exfiltration by malicious cloud admins who are given full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy that denies file transfer permissions.

Audit

From Console

Open the IAM console at https://console.aws.amazon.com/iam/.
In the left pane, select Policies.
Search for and select AWSCloudShellFullAccess.
On the Entities attached tab, ensure that there are no entities using this policy.

From Command Line

List IAM policies, filter for the AWSCloudShellFullAccess managed policy, and note the Arn element value:
```
aws iam list-policies --query "Policies[?PolicyName == 'AWSCloudShellFullAccess']"
```

Check if the AWSCloudShellFullAccess policy is attached to any role:

aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

In the output, ensure PolicyRoles returns empty.

Example:
```
PolicyRoles: [ ]
```

Note: Keep in mind that other policies may grant access.

References

https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html

Rationale​

Audit​

From Console​

From Command Line​

References​

Rationale

Audit

From Console

From Command Line

References