Severity: Medium | Service: IAM

IAM identities should not have AWSCloudShellFullAccess policy

CIS v5.0.0, ISO 27001

Description

This control checks whether an IAM identity (user, group or role) has the AWS managed policy AWSCloudShellFullAccess attached, and fails for every identity that does. AWS CloudShell is a browser-based shell for running AWS CLI commands against AWS services. AWSCloudShellFullAccess allows cloudshell:* on all resources, which includes the cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls actions behind CloudShell's file upload and download feature. Inside the CloudShell environment a user has sudo and outbound internet access, so with this policy attached they can install file transfer tooling and move any data their other permissions let them read out to external servers. Note that the control only looks for the managed policy by name: an inline or customer managed policy that grants cloudshell:* or the two file-transfer actions gives the same capability and is not flagged, so review those separately.


Remediation

To remediate, detach AWSCloudShellFullAccess from every user, group and role it is attached to. Where interactive CloudShell access is still required, grant it with a customer managed policy that allows cloudshell:* but explicitly denies cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls; that keeps the shell usable while removing the file-transfer path this control is concerned with.

Steps

  1. Navigate to the AWS IAM console
  2. Go to 'Policies', search for AWSCloudShellFullAccess and open it
  3. On the 'Entities attached' tab, note every user, group and role the policy is attached to (faster than opening each identity in 'Users', 'Roles' and 'Groups' in turn)
  4. Detach the policy from each of those identities, either from that tab or from the identity's 'Permissions' tab
  5. If CloudShell access is still needed, attach a customer managed policy that allows cloudshell:* and denies cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls
  6. Check inline and customer managed policies for statements that grant cloudshell:* or those two actions, since the control only detects the managed policy by name
  7. Record the change for audit purposes
  8. Add this check to scheduled or continuous IAM policy monitoring so new attachments are caught rather than found at the next audit
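Steps 3 to 5 above, as an added example that is not part of this page or the control's own implementation: a Python script that lists every identity the managed policy is attached to, optionally detaches it, and builds the restricted replacement policy. The live path assumes boto3 and credentials holding iam:ListEntitiesForPolicy and the iam:Detach*Policy actions; the sample response pages and the identity names in them (alice, devops, DataEngineer) are constructed so the parsing and policy-building parts run offline. The CLI equivalent of the listing step is `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess`.

```python
"""Audit, and optionally remediate, IAM identities with AWSCloudShellFullAccess.

Added example, not the control's own implementation. The live audit needs
boto3 and IAM credentials; the helpers below run offline on constructed data.
"""
import json

POLICY_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"

# CloudShell actions behind the file upload/download feature.
FILE_TRANSFER_ACTIONS = (
    "cloudshell:GetFileDownloadUrls",
    "cloudshell:GetFileUploadUrls",
)


def findings_from_pages(pages):
    """Flatten ListEntitiesForPolicy response pages into (type, name) findings."""
    findings = []
    for page in pages:
        findings += [("user", u["UserName"]) for u in page.get("PolicyUsers", [])]
        findings += [("group", g["GroupName"]) for g in page.get("PolicyGroups", [])]
        findings += [("role", r["RoleName"]) for r in page.get("PolicyRoles", [])]
    return findings


def restricted_cloudshell_policy():
    """Replacement policy: keep interactive CloudShell, deny file transfer.

    An explicit Deny always wins over an Allow in IAM evaluation, so this is
    also safe to attach next to any other CloudShell grant the identity has.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCloudShell", "Effect": "Allow",
             "Action": "cloudshell:*", "Resource": "*"},
            {"Sid": "DenyFileTransfer", "Effect": "Deny",
             "Action": list(FILE_TRANSFER_ACTIONS), "Resource": "*"},
        ],
    }


def policy_blocks_file_transfer(doc):
    """True if the policy document explicitly denies both file-transfer actions
    by name (a simple structural check, not a full IAM evaluation)."""
    denied = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        denied.update([actions] if isinstance(actions, str) else actions)
    return all(a in denied for a in FILE_TRANSFER_ACTIONS)


def audit(iam, detach=False):
    """Live check. `iam` is a boto3 IAM client (assumed; not constructed here)."""
    paginator = iam.get_paginator("list_entities_for_policy")
    findings = findings_from_pages(paginator.paginate(PolicyArn=POLICY_ARN))
    detachers = {
        "user": lambda n: iam.detach_user_policy(UserName=n, PolicyArn=POLICY_ARN),
        "group": lambda n: iam.detach_group_policy(GroupName=n, PolicyArn=POLICY_ARN),
        "role": lambda n: iam.detach_role_policy(RoleName=n, PolicyArn=POLICY_ARN),
    }
    for kind, name in findings:
        print(f"FAIL {kind} {name}: AWSCloudShellFullAccess attached")
        if detach:
            detachers[kind](name)
            print(f"  detached from {kind} {name}")
    return findings


# Constructed sample pages shaped like ListEntitiesForPolicy output (not real data).
SAMPLE_PAGES = [
    {"PolicyUsers": [{"UserName": "alice", "UserId": "AIDAEXAMPLE1"}],
     "PolicyGroups": [{"GroupName": "devops", "GroupId": "AGPAEXAMPLE1"}],
     "PolicyRoles": [], "IsTruncated": True},
    {"PolicyUsers": [], "PolicyGroups": [],
     "PolicyRoles": [{"RoleName": "DataEngineer", "RoleId": "AROAEXAMPLE1"}],
     "IsTruncated": False},
]

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # only required for the live audit
        audit(boto3.client("iam"), detach="--detach" in sys.argv)
    else:
        for kind, name in findings_from_pages(SAMPLE_PAGES):
            print(f"FAIL {kind} {name}: AWSCloudShellFullAccess attached")
        print(json.dumps(restricted_cloudshell_policy(), indent=2))
```

Run without arguments to see the findings the sample pages produce and the replacement policy document; run with `--live` against a real account, and `--live --detach` to remediate. The Deny statement follows the pattern AWS documents for restricting CloudShell file transfer; attach the resulting customer managed policy in place of AWSCloudShellFullAccess for identities that still need the shell.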

Compliance

CIS v5.0.0, ISO 27001