IAM policy only allowed from Cloudshell?

Question

Is there a way to create an IAM policy which will only grant permissions when used FROM Cloudshell?

I have found that the string "exec-env/CloudShell" is in the userAgent, but could this be spoofed?

Example: a user could run 'aws rds' commands on Cloudshell, but not 'on prem' even with API keys.

Answer

[Recommended not to use](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-useragent) 'UserAgent'.

```
This key should be used carefully. Since the aws:UserAgent value is provided by the caller in an HTTP header, 
unauthorized parties can use modified or custom browsers to provide any aws:UserAgent value that they 
choose. As a result, aws:UserAgent should not be used to prevent unauthorized parties from making 
direct AWS requests. You can use it to allow only specific client applications, and only after 
testing your policy.
```
I don't know of a way to restrict API calls to CloudShell environments.

Answer

You can find examples of IAM policies for CloudShell in [this article](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html)
Here is some basic example:

```
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudShellUser",
        "Effect": "Allow",
        "Action": [
            "cloudshell:*"
        ],
        "Resource": "*"
    }]
}
```

IAM policy only allowed from Cloudshell?

Relevant content