Compliance · Medium severity

AWS Security Hub · IAM

IAM.27: Identities should not have AWSCloudShellFullAccess attached

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub IAM.27 check?

IAM.27 fails when any IAM user, group, or role has the AWS-managed AWSCloudShellFullAccess policy attached. The control flags the blanket grant, not CloudShell usage itself.

Why does IAM.27 matter?

AWSCloudShellFullAccess hands an identity a privileged Linux shell inside your account: sudo, persistent home storage, outbound internet, and the cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls actions that move files between the shell and the operator's browser. Whatever the identity can already read (an S3 object, a Secrets Manager value, the output of any CLI call) can therefore leave the account in one step, with no instance to launch and no credentials to export. Detaching the blanket policy removes that route; a scoped replacement that allows cloudshell:* but denies the two file-transfer actions keeps the shell for those who genuinely need it.

How do I fix IAM.27?

  1. Find every user, group, and role carrying AWSCloudShellFullAccess (aws iam list-entities-for-policy against the policy ARN; follow pagination, the list can be truncated).
  2. For identities that genuinely need the shell, create and attach a scoped customer-managed policy first: allow cloudshell:* and explicitly deny cloudshell:GetFileUploadUrls and cloudshell:GetFileDownloadUrls. Attach before detaching so there is no gap in access.
  3. Detach AWSCloudShellFullAccess from each identity with the matching call (detach-user-policy, detach-group-policy, or detach-role-policy).
  4. Add an SCP that denies iam:AttachUserPolicy, iam:AttachGroupPolicy and iam:AttachRolePolicy when iam:PolicyARN matches the blanket policy, so it can't be reattached.

Remediation script · bash

# Generate a least-privilege policy from real usage, then promote it to default.
# Policy generation is asynchronous: keep the job ID, wait until get-generated-policy
# reports jobDetails.status SUCCEEDED, then save the generated document before using it.
JOB_ID=$(aws accessanalyzer start-policy-generation \
  --policy-generation-details principalArn=arn:aws:iam::123456789012:role/DataPipelineWorker \
  --query jobId --output text)
aws accessanalyzer get-generated-policy --job-id "$JOB_ID" \
  --query 'generatedPolicyResult.generatedPolicies[0].policy' --output text > generated-policy.json
aws iam create-policy-version \
  --policy-arn arn:aws:iam::123456789012:policy/DataPipelineWorkerPolicy \
  --policy-document file://generated-policy.json --set-as-default

# Move a user's direct policy to a group: attach + add BEFORE detach, so there is no gap.
aws iam attach-group-policy --group-name developers \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
aws iam add-user-to-group --group-name developers --user-name nina
aws iam detach-user-policy --user-name nina \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Detach the broad CloudShell grant from every identity type that carries it: same policy
# ARN, different detach call. Attach a scoped replacement first where a shell is still needed.
aws iam detach-group-policy --group-name developers \
  --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
aws iam detach-user-policy --user-name nina \
  --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
aws iam detach-role-policy --role-name DataPipelineWorker \
  --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
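The script above detaches the grant from the identities it names. The block below is an added example written for this page, not Emnode's or AWS's code, and carries the whole procedure through in Python against a boto3-style IAM client: list-entities-for-policy with pagination, the scoped replacement policy, attach-before-detach for identities that keep a shell, and the guard SCP document. FakeIAM, SAMPLE_ENTITIES and the policy name ScopedCloudShellAccess are constructed assumptions; to run it for real, pass boto3.client("iam") with dry_run=False.

```python
"""Security Hub IAM.27 remediation (find, replace, detach, guard) against a boto3-style IAM client.
Added example for this page, not Emnode's or AWS's code. FakeIAM and
SAMPLE_ENTITIES are constructed stand-ins so the dry run works offline."""
import json

BLANKET_POLICY_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"
SCOPED_POLICY_NAME = "ScopedCloudShellAccess"  # assumed name for the replacement policy

# Constructed sample shaped like `aws iam list-entities-for-policy` output; not real data.
SAMPLE_ENTITIES = {
    "PolicyGroups": [{"GroupName": "developers"}],
    "PolicyUsers": [{"UserName": "nina"}],
    "PolicyRoles": [{"RoleName": "DataPipelineWorker"}],
}

def scoped_cloudshell_policy():
    """Replacement: keep the shell, explicitly deny the two actions that move files in and out."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowCloudShell", "Effect": "Allow",
         "Action": "cloudshell:*", "Resource": "*"},
        {"Sid": "DenyFileTransfer", "Effect": "Deny",
         "Action": ["cloudshell:GetFileUploadUrls", "cloudshell:GetFileDownloadUrls"],
         "Resource": "*"}]}

def attach_guard_scp():
    """Guard: SCP that denies attaching the blanket policy to any identity type."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyAttachCloudShellFullAccess", "Effect": "Deny",
         "Action": ["iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy"],
         "Resource": "*",
         "Condition": {"ArnEquals": {"iam:PolicyARN": BLANKET_POLICY_ARN}}}]}

def list_attached_entities(iam):
    """Find: every user, group and role carrying the policy, following pagination."""
    entities = {"PolicyGroups": [], "PolicyUsers": [], "PolicyRoles": []}
    kwargs = {"PolicyArn": BLANKET_POLICY_ARN}
    while True:
        page = iam.list_entities_for_policy(**kwargs)
        for key in entities:
            entities[key].extend(page.get(key, []))
        if not page.get("IsTruncated"):
            return entities
        kwargs["Marker"] = page["Marker"]

def plan_detachments(entities):
    """Detach: one (detach method, identity kwargs) pair per attachment found."""
    kinds = [("PolicyGroups", "detach_group_policy", "GroupName"),
             ("PolicyUsers", "detach_user_policy", "UserName"),
             ("PolicyRoles", "detach_role_policy", "RoleName")]
    return [(method, {field: e[field]})
            for key, method, field in kinds for e in entities.get(key, [])]

def remediate(iam, account_id, keep_shell=(), dry_run=True):
    """Run find/replace/detach and return every write call in order, so a dry run can be reviewed.
    keep_shell: names that still need a shell; they get the scoped policy
    attached BEFORE the blanket one is detached, so there is no gap."""
    calls = []

    def call(method, **kwargs):
        calls.append((method, kwargs))
        if not dry_run:
            getattr(iam, method)(**kwargs)

    scoped_arn = f"arn:aws:iam::{account_id}:policy/{SCOPED_POLICY_NAME}"
    if keep_shell:
        call("create_policy", PolicyName=SCOPED_POLICY_NAME,
             PolicyDocument=json.dumps(scoped_cloudshell_policy()))
    for method, ident in plan_detachments(list_attached_entities(iam)):
        if next(iter(ident.values())) in keep_shell:
            call(method.replace("detach_", "attach_"), **ident, PolicyArn=scoped_arn)
        call(method, **ident, PolicyArn=BLANKET_POLICY_ARN)
    return calls

class FakeIAM:
    """Offline stand-in for boto3.client("iam"): serves SAMPLE_ENTITIES in two pages, records writes."""
    def __init__(self):
        self.executed = []

    def list_entities_for_policy(self, **kwargs):
        if "Marker" not in kwargs:  # first page is truncated, as the real API's can be
            return {"PolicyGroups": SAMPLE_ENTITIES["PolicyGroups"],
                    "IsTruncated": True, "Marker": "page2"}
        return {"PolicyUsers": SAMPLE_ENTITIES["PolicyUsers"],
                "PolicyRoles": SAMPLE_ENTITIES["PolicyRoles"]}

    def __getattr__(self, method):  # any write method just records the call
        return lambda **kwargs: self.executed.append((method, kwargs))

if __name__ == "__main__":
    # Dry run against the fake client; use boto3.client("iam") and dry_run=False for real.
    for method, kwargs in remediate(FakeIAM(), "123456789012", keep_shell={"DataPipelineWorker"}):
        print(method, json.dumps(kwargs))
```

The returned call list is the review artifact: run once with dry_run=True, confirm that every identity losing the policy is expected to and that the ones in keep_shell get the scoped attach before the detach, then rerun with dry_run=False. The SCP document is applied separately with aws organizations create-policy --type SERVICE_CONTROL_POLICY and attach-policy on the target OU; SCPs never apply to the management account, so that account needs the detach done by hand.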

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce IAM least privilege.

Part of the learning path Lock down access
  • IAM.1 A policy grants full "*" administrative privileges
  • IAM.2 Policies attached directly to users do not scale or audit cleanly
  • IAM.3 Long-lived access keys have not been rotated
  • IAM.4 The root user still has long-lived access keys
  • IAM.5 Console users without MFA are one phish from compromise
  • IAM.6 The root user is not protected by hardware MFA
  • IAM.7 The IAM password policy is too weak
  • IAM.8 Unused IAM keys and passwords are waiting to be leaked
  • IAM.9 The root user can sign in without MFA
  • IAM.10 IAM user password policies should be strong (PCI DSS)
  • IAM.19 MFA should be enabled for all IAM users
  • IAM.21 Wildcard permissions grant far more access than intended