Managing AWS CloudShell access and usage with IAM policies
With the access management resources that can be provided by AWS Identity and Access Management (IAM), administrators can grant permissions to IAM users. That way, these users can access AWS CloudShell and use the environment's features. Administrators can also create policies that specify at a granular level what actions those users can perform with the shell environment.
The quickest way for an administrator to grant access to users is through an AWS managed policy. An AWS managed policy is a standalone policy that's created and administered by AWS. The following AWS managed policy for AWS CloudShell can be attached to IAM identities:
-
AWSCloudShellFullAccess: Grants permission to use AWS CloudShell with full access to all features.
The AWSCloudShellFullAccess policy uses the wildcard (*) character to give the IAM identity (user, role, or group) full access to CloudShell and features. You can also use the AWSCloudShellFullAccess policy as a template for custom policies that are more restrictive in terms of permitted user actions.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudShellUser", "Effect": "Allow", "Action": [ "cloudshell:*" ], "Resource": "*" }] }
Note
IAM identities with the following AWS managed policies can also launch CloudShell. However, these policies provide extensive permissions. So, we recommend that you only grant these policies if they're essential for an IAM user's job role.
-
Administrator: Provides IAM users with full access and allows them to delegate permissions to every service and resource in AWS.
-
Developer power user: Enables IAM users to perform application development tasks and create and configure resources and services that support AWS aware application development.
For more information about attaching managed policies, see Adding IAM identity permissions (console) in the IAM User Guide.
Managing allowable actions in AWS CloudShell using custom policies
To manage the actions that an IAM user can perform with CloudShell, create a custom policy that uses the AWSCloudShellFullAccess managed policy as a template. Alternatively, edit an inline policy that's embedded in the relevant IAM identity (user, group, or role).
For example, you can allow users to access CloudShell but prevent them from uploading or downloading files within the shell environment. You can also explicitly deny users access to CloudShell.
Important
To launch AWS CloudShell from the AWS Management Console, an IAM user needs permissions for the following actions:
-
CreateEnvironment
-
CreateSession
-
GetEnvironmentStatus
-
StartEnvironment
If one of these actions isn't explicitly allowed by an attached policy, an IAM permissions error is returned when you try to launch CloudShell.
AWS CloudShell permissions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name | Description of permission granted | Required to launch CloudShell? | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Create a CloudShell environment, retrieve the layout at the start of the CloudShell session, and save the current layout from the webapp in the backend |
Yes |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Connect to a CloudShell environment from the AWS Management Console |
Yes |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Read the status of a CloudShell environment |
Yes |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Delete a CloudShell environment |
No |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Generate pre-signed Amazon S3 URLs which are used to download files through CloudShell using the CloudShell web interface |
No |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Generate pre-signed Amazon S3 URLs which are used to upload files through CloudShell using the CloudShell web interface |
No |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Forward the credentials used to log in to the AWS Management Console to CloudShell |
No |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Start a CloudShell environment that's stopped |
Yes |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Stop a CloudShell environment that's running |
No |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Examples of IAM policies for CloudShell
The following examples show how policies can be created to restrict who can access CloudShell. The examples also show the actions that can be performed in the shell environment.
This following policy enforces a complete denial of access to CloudShell and its features.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "DenyCloudShell", "Effect": "Deny", "Action": [ "cloudshell:*" ], "Resource": "*" }] }
This following policy allows IAM users to access CloudShell but blocks them from
generating pre-signed URLs for file upload and download. Users can still transfer files to
and from the environment, using clients like wget for example.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudShellUser", "Effect": "Allow", "Action": [ "cloudshell:*" ], "Resource": "*" }, { "Sid": "DenyUploadDownload", "Effect": "Deny", "Action": [ "cloudshell:GetFileDownloadUrls", "cloudshell:GetFileUploadUrls" ], "Resource": "*" }] }
The following policy allows IAM users to access CloudShell. However, the policy prevents the credentials that you used to log in to AWS Management Console from being forwarded to the CloudShell environment. IAM users with this policy need to manually configure their credentials within CloudShell.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudShellUser", "Effect": "Allow", "Action": [ "cloudshell:*" ], "Resource": "*" }, { "Sid": "DenyCredentialForwarding", "Effect": "Deny", "Action": [ "cloudshell:PutCredentials" ], "Resource": "*" }] }
Permissions for accessing AWS services
CloudShell uses the IAM credentials that you used to sign in to the AWS Management Console.
Note
To use the IAM credentials that you used to sign in to the AWS Management Console, you must have
cloudshell:PutCredentials permission.
This pre-authentication feature of CloudShell makes it convenient to use AWS CLI. However, an IAM user still requires explicit permissions for the AWS services that are called from the command line.
For example, suppose that IAM users are required to create Amazon S3 buckets and upload files as objects to them. You can create a policy that explicitly allows those actions. The IAM console provides an interactive visual editor that guides through the process of building up a JSON-formatted policy document. After the policy is created, you can attach it to relevant IAM identity (user, group, or role).
For more information about attaching managed policies, see Adding IAM identity permissions (console) in the IAM User Guide.
