MEDIUM IAM · CIS 1.22

CloudShell full access restricted

Check ID: aws-iam-014

AWS-IAM-014 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether the AWSCloudShellFullAccess managed policy is attached to any IAM entity (user, group or role). CloudShell full access allows file upload and download from the shell session, which can be used for data exfiltration.

Why it matters

AWS CloudShell provides a browser-based Linux shell that runs with the caller's IAM credentials. The AWSCloudShellFullAccess policy grants file upload and download capabilities, which an attacker can use for data exfiltration without needing to configure external tools or open network paths. Unlike EC2 instances or Lambda functions, CloudShell traffic exits through AWS-managed networking that bypasses VPC-level controls, making it invisible to VPC Flow Logs and network monitoring tools. An attacker with console access and CloudShell full access can download sensitive data directly to their browser without triggering any network-based alerts. The CIS Benchmark v3.0 added this check specifically because CloudShell was being used as an exfiltration channel in real-world attacks.

Common causes

AWSCloudShellFullAccess is often attached as a convenience policy for developers who use CloudShell for quick debugging tasks. Teams may attach it to broad groups like 'Developers' or 'PowerUsers' without realizing the data transfer implications. The policy name sounds harmless ('just shell access') and does not obviously convey the security risk of unrestricted file upload/download capabilities.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
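The same detection can be reproduced outside the scanner with the IAM API: `list_entities_for_policy` on the AWSCloudShellFullAccess ARN returns every user, group and role it is attached to. The following is an added example, not cloud-audit's own code; it assumes boto3 for live use, and the `FakeIam` client below is a constructed stand-in so the logic runs offline. The detach commands it prints cover users and groups as well as roles.

```python
"""Added example (not cloud-audit's own code): list every IAM entity that has
AWSCloudShellFullAccess attached and emit the matching aws-cli detach command.
The IAM client is injected so the logic can run offline against the
constructed FakeIam below; pass --live to use a real boto3 client instead."""

import sys

CLOUDSHELL_FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"


def find_cloudshell_full_access(iam):
    """Return [(entity_type, name), ...] for every user, group and role with the
    managed policy attached. `iam` only needs a list_entities_for_policy(
    PolicyArn=..., Marker=...) method, i.e. the boto3 IAM client or a stand-in.
    Responses are paginated; IsTruncated/Marker are followed until exhausted."""
    findings = []
    kwargs = {"PolicyArn": CLOUDSHELL_FULL_ACCESS_ARN}
    while True:
        page = iam.list_entities_for_policy(**kwargs)
        findings += [("user", u["UserName"]) for u in page.get("PolicyUsers", [])]
        findings += [("group", g["GroupName"]) for g in page.get("PolicyGroups", [])]
        findings += [("role", r["RoleName"]) for r in page.get("PolicyRoles", [])]
        if not page.get("IsTruncated"):
            return findings
        kwargs["Marker"] = page["Marker"]


def detach_command(entity_type, name):
    """Build the aws-cli command that removes the policy from one entity."""
    flag = {"user": "--user-name", "group": "--group-name", "role": "--role-name"}[entity_type]
    return (f"aws iam detach-{entity_type}-policy {flag} {name} "
            f"--policy-arn {CLOUDSHELL_FULL_ACCESS_ARN}")


class FakeIam:
    """Constructed stand-in for the boto3 IAM client; returns two result pages
    so the pagination path is exercised. Names are made up for the example."""

    def __init__(self):
        self.pages = [
            {"PolicyUsers": [{"UserName": "alice"}],
             "PolicyGroups": [{"GroupName": "Developers"}],
             "PolicyRoles": [], "IsTruncated": True, "Marker": "page2"},
            {"PolicyUsers": [], "PolicyGroups": [],
             "PolicyRoles": [{"RoleName": "DebugRole"}], "IsTruncated": False},
        ]

    def list_entities_for_policy(self, PolicyArn, Marker=None):
        if PolicyArn != CLOUDSHELL_FULL_ACCESS_ARN:
            raise ValueError("fake only knows the CloudShell policy ARN")
        return self.pages[1] if Marker == "page2" else self.pages[0]


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # only needed for a real account
        client = boto3.client("iam")
    else:
        client = FakeIam()
    for entity_type, name in find_cloudshell_full_access(client):
        print(f"FAIL aws-iam-014: {entity_type} {name} has AWSCloudShellFullAccess attached")
        print("  remediation: " + detach_command(entity_type, name))
```

Run without arguments to see the output for the constructed data; with `--live` it queries the account of the current AWS credentials (read-only, since it only lists entities and prints the detach commands rather than executing them).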

Remediation: AWS CLI

# Detach AWSCloudShellFullAccess and attach a restricted policy instead. Shown for a role;
# for users and groups use detach-user-policy --user-name / detach-group-policy --group-name
# with the same --policy-arn:
aws iam detach-role-policy --role-name ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess

Remediation: Terraform

# Use a restricted CloudShell policy instead. This follows the pattern AWS documents for
# limiting CloudShell features: keep interactive shell access, but deny the two actions
# that issue file transfer URLs, which are what enable upload and download from a session.
resource "aws_iam_policy" "cloudshell_restricted" {
  name = "CloudShellRestricted"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # Interactive use still works (environment, session and credential forwarding).
      { Effect = "Allow", Action = ["cloudshell:*"], Resource = "*" },
      # An explicit Deny wins over any Allow, so file upload/download stays blocked even
      # if another attached policy grants cloudshell:*.
      { Effect = "Deny", Action = ["cloudshell:GetFileDownloadUrls", "cloudshell:GetFileUploadUrls"], Resource = "*" }
    ]
  })
}

Compliance mapping

This check maps to CIS 1.22 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit