1.22 Ensure access to AWSCloudShellFullAccess is restricted

Information

AWS CloudShell is a convenient way of running CLI commands against AWS services. The managed IAM policy 'AWSCloudShellFullAccess' grants full access to CloudShell, which includes the ability to upload and download files between a user's local system and the CloudShell environment. Within the CloudShell environment the user also has sudo permissions and outbound internet access, so it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.

Rationale:

Access to this policy should be restricted because it presents a potential channel for data exfiltration by malicious cloud administrators who have been granted full permissions to the service. AWS documentation describes how to create a more restrictive IAM policy that still allows CloudShell use but explicitly denies the file transfer permissions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Console

Open the IAM console at https://console.aws.amazon.com/iam/

In the left pane, select Policies

Search for and select AWSCloudShellFullAccess

On the Entities attached tab, for each item, check the box and select Detach
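The console steps above detach the managed policy from every entity it is attached to, and the Rationale refers to a more restrictive policy that keeps CloudShell usable but denies file transfer. The following is an added example, not part of the CIS benchmark or the Tenable audit: it evaluates a policy document for the two CloudShell file-transfer actions named in the AWS CloudShell documentation (cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls), and turns the shape of 'aws iam list-entities-for-policy' output into the CLI detach commands equivalent to the console steps. The policy documents and the attached-entity listing are constructed samples; the AWSCloudShellFullAccess document in particular is an assumed approximation and should be compared with the live 'aws iam get-policy-version' output before relying on it.

```python
"""Added example for CIS AWS 1.22 (not code from the benchmark or from Tenable).

Evaluates IAM policy documents for CloudShell file-transfer actions and plans
the remediation (detach commands) from a list-entities-for-policy result.
"""
import fnmatch

# Real ARN of the managed policy the control is about.
POLICY_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"

# Assumed approximation of the managed policy document (constructed, verify
# against `aws iam get-policy-version` in your own account).
AWS_CLOUDSHELL_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "cloudshell:*", "Resource": "*"}],
}

# Restrictive variant in the shape AWS documents: allow CloudShell, but
# explicitly deny the actions that create upload/download URLs.
CLOUDSHELL_NO_FILE_TRANSFER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudshell:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["cloudshell:GetFileUploadUrls", "cloudshell:GetFileDownloadUrls"],
            "Resource": "*",
        },
    ],
}

FILE_TRANSFER_ACTIONS = ("cloudshell:GetFileUploadUrls", "cloudshell:GetFileDownloadUrls")


def _as_list(value):
    """IAM allows Action to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_action_allowed(policy, action):
    """Action-level IAM evaluation: explicit Deny wins, then any Allow,
    otherwise implicit deny. Resource and Condition elements are ignored,
    and NotAction is not handled; this is a single-policy, action-only check."""
    decision = "deny"
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        # IAM action names match case-insensitively and support '*' and '?'.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = "allow"
    return decision == "allow"


def permits_file_transfer(policy):
    """Return the CloudShell file-transfer actions this policy still allows."""
    return [a for a in FILE_TRANSFER_ACTIONS if is_action_allowed(policy, a)]


def plan_detach(entities, policy_arn):
    """Build the CLI equivalents of the console 'Detach' step from output shaped
    like `aws iam list-entities-for-policy --policy-arn <arn>`."""
    cmds = []
    for user in entities.get("PolicyUsers", []):
        cmds.append(f"aws iam detach-user-policy --user-name {user['UserName']} "
                    f"--policy-arn {policy_arn}")
    for group in entities.get("PolicyGroups", []):
        cmds.append(f"aws iam detach-group-policy --group-name {group['GroupName']} "
                    f"--policy-arn {policy_arn}")
    for role in entities.get("PolicyRoles", []):
        cmds.append(f"aws iam detach-role-policy --role-name {role['RoleName']} "
                    f"--policy-arn {policy_arn}")
    return cmds


# Constructed sample in the shape of list-entities-for-policy output.
SAMPLE_ENTITIES = {
    "PolicyGroups": [{"GroupName": "CloudAdmins", "GroupId": "AGPAEXAMPLEGROUP"}],
    "PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLEUSER"}],
    "PolicyRoles": [],
}


if __name__ == "__main__":
    print("Full access still permits:", permits_file_transfer(AWS_CLOUDSHELL_FULL_ACCESS))
    print("Restricted policy permits:", permits_file_transfer(CLOUDSHELL_NO_FILE_TRANSFER))
    for cmd in plan_detach(SAMPLE_ENTITIES, POLICY_ARN):
        print(cmd)
```

Against a live account the attached entities come from 'aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess'; an empty PolicyUsers, PolicyGroups and PolicyRoles in that output is the compliant state. The evaluator deliberately ignores Resource, Condition and NotAction, so a pass here is a necessary, not sufficient, check for customer-managed policies that use those elements.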

See Also

https://workbench.cisecurity.org/benchmarks/14207

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv7|14

Plugin: amazon_aws

Control ID: d70807c045d535f8da3157e5f9d652e5e0b899a7f563072558ae73ae9f094cf6