Managing AWS CloudShell access and usage with IAM policies - AWS CloudShell

Managing AWS CloudShell access and usage with IAM policies

With the access management resources provided by AWS Identity and Access Management (IAM), administrators can grant permissions to IAM users so they can access AWS CloudShell and use the environment's features. Administrators can also create policies that specify at a granular level what actions those users can perform with the shell environment.

The quickest way for an administrator to grant access to users is through an AWS managed policy. An AWS managed policy is a standalone policy that's created and administered by AWS. The following AWS managed policy for AWS CloudShell can be attached to IAM identities:

  • AWSCloudShellFullAccess: Grants permission to use AWS CloudShell with full access to all features.

The AWSCloudShellFullAccess policy uses the wildcard (*) character to give the IAM identity (user, role, or group) full access to AWS CloudShell and features. You can also use the AWSCloudShellFullAccess policy as a template for custom policies that are more restrictive in terms of permitted user actions.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudShellUser", "Effect": "Allow", "Action": [ "cloudshell:*" ], "Resource": "*" }] }
Note

IAM identities with the AWS managed policies listed below can also launch AWS CloudShell. But as these policies provide very extensive permissions, the principle of least privilege means they should only be granted if they're essential for an IAM user's job role.

  • Administrator: Provides users with full access and allows them to delegate permissions to every service and resource in AWS.

  • Developer power user: Enables users to perform application development tasks and create and configure resources and services that support AWS-aware application development.

For more information on attaching managed policies, see Adding IAM identity permissions (console) in the IAM User Guide.

Managing allowable actions in AWS CloudShell using custom policies

To manage the scope of actions that an IAM user can perform with AWS CloudShell, you can create a custom policy that uses the AWSCloudShellFullAccess managed policy as a template. Alternatively, you can edit an inline policy that's embedded in the relevant IAM identity (user, group, or role).

For example, you can allow users to access AWS CloudShell but prevent them from uploading or downloading files within the shell environment. You can also explicitly deny users access to AWS CloudShell.

Important

To launch AWS CloudShell from the AWS Management Console, an IAM user needs permissions for the following actions:

  • CreateEnvironment

  • CreateSession

  • GetEnvironmentStatus

  • StartEnvironment

If any of these actions aren't explicitly allowed by an attached policy, an IAM permissions error is returned when you try to launch CloudShell.

AWS CloudShell permissions
Name Description of permission granted Required to launch CloudShell?

cloudshell:CreateEnvironment

Create a CloudShell environment

Yes

cloudshell:CreateSession

Connect to a CloudShell environment from the AWS Management Console

Yes

cloudshell:GetEnvironmentStatus

Read the status of a CloudShell environment

Yes

cloudshell:DeleteEnvironment

Delete a CloudShell environment

No

cloudshell:GetFileDownloadUrls

Download files from CloudShell to a local machine

No

cloudshell:GetFileUploadUrls

Upload files from a local machine to CloudShell

No

cloudshell:PutCredentials

Forward the credentials used to log in to the AWS Management Console to CloudShell

No

cloudshell:StartEnvironment

Start a CloudShell environment that's stopped

Yes

cloudshell:StopEnvironment

Stop a CloudShell environment that's running

No

Examples of IAM policies for CloudShell

The following examples show how policies can be created to restrict who can access AWS CloudShell and the actions that can be performed in the shell environment.

This policy enforces a complete denial of access to AWS CloudShell and its features:

{ "Version": "2012-10-17", "Statement": [{ "Sid": "DenyCloudShell", "Effect": "Deny", "Action": [ "cloudshell:*" ], "Resource": "*" }] }

This policy allows users to access AWS CloudShell but blocks them from uploading and downloading files in the shell environment:

{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudShellUser", "Effect": "Allow", "Action": [ "cloudshell:*" ], "Resource": "*" }, { "Sid": "DenyUploadDownload", "Effect": "Deny", "Action": [ "cloudshell:GetFileDownloadUrls", "cloudshell:GetFileUploadUrls" ], "Resource": "*" }] }

The following policy allows users to access AWS CloudShell but prevents the credentials you used to log in to AWS Management Console from being forwarded to the CloudShell environment. Users with this policy need to manually configure their credentials within AWS CloudShell.

{ "Version": "2012-10-17", "Statement": [{ "Sid": "CloudShellUser", "Effect": "Allow", "Action": [ "cloudshell:*" ], "Resource": "*" }, { "Sid": "DenyCredentialForwarding", "Effect": "Deny", "Action": [ "cloudshell:PutCredentials" ], "Resource": "*" }] }

Permissions for accessing AWS services

AWS CloudShell uses the IAM credentials you used to sign in to the AWS Management Console. This pre-authentication feature of AWS CloudShell makes it very convenient to use AWS CLI. But an IAM user still requires explicit permissions for the AWS services that are called from the command line.

For example, if IAM users are required to create Amazon S3 buckets and upload files as objects to them, you can create a policy that explicitly allows those actions. The IAM console provides an intuitive visual editor that guides you through the process of building up a JSON-formatted policy document. After the policy is created, you can attach it to relevant IAM identity (user, group, or role).

For more information on attaching managed policies, see Adding IAM identity permissions (console) in the IAM User Guide.