Control: Ensure access to AWSCloudShellFullAccess is restricted
Description
This control checks whether the AWSCloudShellFullAccess policy is attached to any IAM user, group, or role. The control fails if the policy is attached to any IAM user, group, or role.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.iam_user_group_role_cloudshell_fullaccess_restrictedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.iam_user_group_role_cloudshell_fullaccess_restricted --shareSQL
This control uses a named query:
select arn as resource, case when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' else 'ok' end status, case when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'User ' || title || ' has access to AWSCloudShellFullAccess.' else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.' end as reason , account_idfrom aws_iam_userunionselect arn as resource, case when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' else 'ok' end status, case when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Role ' || title || ' has access to AWSCloudShellFullAccess.' else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.' end as reason , account_idfrom aws_iam_roleunionselect arn as resource, case when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' else 'ok' end status, case when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Group ' || title || ' has access to AWSCloudShellFullAccess.' else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.' end as reason , account_idfrom aws_iam_group;