turbot/steampipe-mod-aws-compliance

Control: 2.21 Ensure access to AWSCloudShellFullAccess is restricted

Description

AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment, a user has sudo permissions and can access the internet. Therefore, it is feasible to install file transfer software, for example, and move data from CloudShell to external internet servers.

Remediation

From Console:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the left pane, select Policies.
  3. Search for and select AWSCloudShellFullAccess.
  4. On the Entities attached tab, for each item, check the box and select Detach.

Default Value:

By default, the AWS managed policy AWSCloudShellFullAccess exists but is not attached to any users, groups, or roles. It must be explicitly assigned to grant permissions.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_2_21

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_21 --share

SQL

This control uses a named query:

select
arn as resource,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
else 'ok'
end status,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'User ' || title || ' has access to AWSCloudShellFullAccess.'
else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.'
end as reason
, account_id
from
aws_iam_user
union
select
arn as resource,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
else 'ok'
end status,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Role ' || title || ' has access to AWSCloudShellFullAccess.'
else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.'
end as reason
, account_id
from
aws_iam_role
union
select
arn as resource,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
else 'ok'
end status,
case
when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Group ' || title || ' has access to AWSCloudShellFullAccess.'
else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.'
end as reason
, account_id
from
aws_iam_group;

Tags