Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 2.21 Ensure access to AWSCloudShellFullAccess is restricted

Description

AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment, a user has sudo permissions and can access the internet. Therefore, it is feasible to install file transfer software, for example, and move data from CloudShell to external internet servers.

Remediation

From Console:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the left pane, select Policies.
  3. Search for and select AWSCloudShellFullAccess.
  4. On the Entities attached tab, for each item, check the box and select Detach.

Default Value:

By default, the AWS managed policy AWSCloudShellFullAccess exists but is not attached to any users, groups, or roles. It must be explicitly assigned to grant permissions.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_2_21

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_21 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
    else 'ok'
  end status,
  case
    when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then  'User ' || title || ' has access to AWSCloudShellFullAccess.'
    else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.'
  end as reason
  , account_id
from
  aws_iam_user
union
select
  arn as resource,
  case
    when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
    else 'ok'
  end status,
  case
    when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then  'Role ' || title || ' has access to AWSCloudShellFullAccess.'
    else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.'
  end as reason
  , account_id
from
  aws_iam_role
union
select
  arn as resource,
  case
    when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm'
    else 'ok'
  end status,
  case
    when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then  'Group ' || title || ' has access to AWSCloudShellFullAccess.'
    else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.'
  end as reason
  , account_id
from
  aws_iam_group;

Tags

category = Compliance
cis = true
cis_item_id = 2.21
cis_level = 1
cis_section_id = 2
cis_type = manual
cis_version = v6.0.0
plugin = aws
service = AWS/IAM