2 Answers
- Newest
- Most votes
- Most comments
1
Recommended not to use 'UserAgent'.
This key should be used carefully. Since the aws:UserAgent value is provided by the caller in an HTTP header,
unauthorized parties can use modified or custom browsers to provide any aws:UserAgent value that they
choose. As a result, aws:UserAgent should not be used to prevent unauthorized parties from making
direct AWS requests. You can use it to allow only specific client applications, and only after
testing your policy.
I don't know of a way to restrict API calls to CloudShell environments.
0
You can find examples of IAM policies for CloudShell in this article Here is some basic example:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "CloudShellUser",
"Effect": "Allow",
"Action": [
"cloudshell:*"
],
"Resource": "*"
}]
}
answered 8 months ago
Sorry that's not my question. I know how to allow Cloudshell, the question is how to make IAM policies that only allow API usage FROM Cloudshell. For example, allow RDS API only from Cloudshell, not "on prem" shell and scripts.
Relevant content
- asked 2 years ago
- asked a year ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Ok thanks so userAgent can be spoofed easily.