This check identifies IAM users, groups, and roles that have the AWS managed policy AWSCloudShellFullAccess attached.
A finding indicates that the principal is granted cloudshell:* on *, which enables every CloudShell feature, including environment startup and file upload/download.
Risk
Granting cloudshell:* enables an interactive shell with Internet egress and file upload/download, degrading confidentiality and integrity.
Compromised principals can exfiltrate data, stage tooling with sudo, persist artifacts in CloudShell, and operate from AWS IP space to bypass endpoint controls.
prowler aws --checks iam_policy_cloudshell_admin_not_attached
Recommendation
Detach AWSCloudShellFullAccess from identities.
Apply least privilege: permit CloudShell only when necessary via narrowly scoped permissions, restricted roles, short-lived sessions, and approvals. Prefer controlled alternatives (local CLI, bastion, or Session Manager). Enforce separation of duties and monitor usage.
Remediation
- In the AWS console, go to IAM > Policies
- Search for AWSCloudShellFullAccess and open it
- Select the Entities attached tab
- Select all Users, Groups, and Roles listed
- Click Detach and confirm
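The same audit and detach steps, scripted, as an added example that is not Prowler's own check code: it flattens paginated iam:ListEntitiesForPolicy responses into the finding and renders the matching AWS CLI detach commands. The sample pages and principal names are constructed; the policy ARN is the real managed-policy ARN.

```python
"""Audit and remediate AWSCloudShellFullAccess attachments (added example, not Prowler code)."""
from typing import Iterable

CLOUDSHELL_POLICY_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"

# Keys of an iam:ListEntitiesForPolicy page -> (entity kind, name key, CLI subcommand, CLI flag).
_ENTITY_KINDS = {
    "PolicyUsers": ("user", "UserName", "detach-user-policy", "--user-name"),
    "PolicyGroups": ("group", "GroupName", "detach-group-policy", "--group-name"),
    "PolicyRoles": ("role", "RoleName", "detach-role-policy", "--role-name"),
}


def attached_entities(pages: Iterable[dict]) -> list[tuple[str, str]]:
    """Flatten paginated ListEntitiesForPolicy responses into (kind, name) pairs.
    A non-empty result is exactly the condition this check reports as FAIL."""
    found = []
    for page in pages:
        for key, (kind, name_key, _, _) in _ENTITY_KINDS.items():
            for entity in page.get(key, []):
                found.append((kind, entity[name_key]))
    return found


def detach_commands(entities, policy_arn=CLOUDSHELL_POLICY_ARN) -> list[str]:
    """Render the AWS CLI command that detaches the policy from each entity."""
    by_kind = {kind: (sub, flag) for kind, _, sub, flag in _ENTITY_KINDS.values()}
    cmds = []
    for kind, name in entities:
        sub, flag = by_kind[kind]
        cmds.append(f"aws iam {sub} {flag} {name} --policy-arn {policy_arn}")
    return cmds


def fetch_pages(policy_arn=CLOUDSHELL_POLICY_ARN):
    """Live mode: page through the real API with boto3 (needs credentials; not used below)."""
    import boto3
    paginator = boto3.client("iam").get_paginator("list_entities_for_policy")
    return paginator.paginate(PolicyArn=policy_arn)


# Constructed sample: two pages shaped like the paginator's output (names are made up).
SAMPLE_PAGES = [
    {"PolicyUsers": [{"UserName": "alice"}], "PolicyGroups": [], "PolicyRoles": [{"RoleName": "OpsRole"}]},
    {"PolicyUsers": [], "PolicyGroups": [{"GroupName": "Developers"}], "PolicyRoles": []},
]

if __name__ == "__main__":
    hits = attached_entities(SAMPLE_PAGES)
    print(f"{'FAIL' if hits else 'PASS'}: {len(hits)} principal(s) with AWSCloudShellFullAccess")
    for cmd in detach_commands(hits):
        print(cmd)
```

Replace `SAMPLE_PAGES` with `fetch_pages()` to run against a real account; the printed commands are then the remediation for every attached user, group, and role.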
Source Code
Resource Type
AwsIamPolicy
References
- https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-27
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/IAM/unapproved-iam-policy-in-use.html
- https://docs.aws.amazon.com/config/latest/developerguide/iam-policy-blacklisted-check.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html
- https://icompaas.freshdesk.com/support/solutions/articles/62000233099-1-22-restrict-access-to-awscloudshellfullaccess-manual-