IAM policy only allowed from Cloudshell?

0

Is there a way to create an IAM policy which will only grant permissions when used FROM Cloudshell?

I have found that the string "exec-env/CloudShell" is in the userAgent, but could this be spoofed?

Example: a user could run 'aws rds' commands on Cloudshell, but not 'on prem' even with API keys.

2 Answers
1

Recommended not to use 'UserAgent'.

This key should be used carefully. Since the aws:UserAgent value is provided by the caller in an HTTP header, 
unauthorized parties can use modified or custom browsers to provide any aws:UserAgent value that they 
choose. As a result, aws:UserAgent should not be used to prevent unauthorized parties from making 
direct AWS requests. You can use it to allow only specific client applications, and only after 
testing your policy.

I don't know of a way to restrict API calls to CloudShell environments.

AWS
Expert
kentrad
answered 9 months ago
  • Ok thanks so userAgent can be spoofed easily.
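
An added example, not part of the original answer or of AWS documentation: a small Python check that scans an IAM policy document for statements whose condition depends on aws:UserAgent, the caller-supplied value the guidance quoted above warns about. The sample policy, its Sids and the function name find_user_agent_gates are constructed for illustration.

```python
import json

# Constructed sample policy (not from the thread): the first statement tries to
# limit RDS calls to CloudShell by matching the caller-supplied User-Agent header.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RdsFromCloudShellOnly", "Effect": "Allow",
     "Action": "rds:*", "Resource": "*",
     "Condition": {"StringLike": {"aws:UserAgent": "*exec-env/CloudShell*"}}},
    {"Sid": "DenyOtherClients", "Effect": "Deny",
     "Action": "rds:*", "Resource": "*",
     "Condition": {"StringNotLikeIfExists": {"AWS:useragent": ["*exec-env/CloudShell*"]},
                   "NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "CloudShellUser", "Effect": "Allow",
     "Action": ["cloudshell:*"], "Resource": "*"}
  ]
}
""")

def find_user_agent_gates(policy):
    """Return one finding per statement condition that keys on aws:UserAgent."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        condition = stmt.get("Condition", {})
        # All condition keys in this statement, lower-cased (key names are case-insensitive).
        all_keys = {k.lower() for block in condition.values() for k in block}
        for operator, block in condition.items():
            for key, values in block.items():
                if key.lower() != "aws:useragent":
                    continue
                findings.append({
                    "sid": stmt.get("Sid", f"statement[{index}]"),
                    "effect": stmt.get("Effect"),
                    "operator": operator,
                    "patterns": [values] if isinstance(values, str) else list(values),
                    # True when only the caller-supplied header gates this statement.
                    "only_condition": all_keys == {"aws:useragent"},
                })
    return findings

if __name__ == "__main__":
    for finding in find_user_agent_gates(SAMPLE_POLICY):
        print(finding)
```

Findings with only_condition set to True are the ones to review first, since nothing but the header value stands between the caller and the allowed actions.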

0

You can find examples of IAM policies for CloudShell in this article. Here is a basic example:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudShellUser",
        "Effect": "Allow",
        "Action": [
            "cloudshell:*"
        ],
        "Resource": "*"
    }]
}
answered 9 months ago
  • Sorry that's not my question. I know how to allow Cloudshell, the question is how to make IAM policies that only allow API usage FROM Cloudshell. For example, allow RDS API only from Cloudshell, not "on prem" shell and scripts.
