AWS Security ChangesHomeSearch

AWS cloudshell documentation change

Service: cloudshell · 2025-10-19 · Documentation low

File: cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md

Summary

Restructured policy examples and added JSON formatting placeholders for VPC/subnet/SG access control documentation

Security assessment

Changes focus on improving presentation of security-related IAM policies for VPC access control, but don't address specific vulnerabilities. The modifications enhance documentation about existing security features (network resource restrictions) without evidence of patching vulnerabilities.

Diff

diff --git a/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md b/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md
index 3fd9d78ff..c9bf87c88 100644
--- a//cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md
+++ b//cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md
@@ -49,0 +50,6 @@ The following example displays how to enable full permissions, including access
+JSON
+    
+
+****
+    
+    
@@ -217,0 +225 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
+To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example denies users access to `subnet-1` and `subnet-2`:
@@ -219,21 +227 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "EnforceOutOfVpc",
-          "Action": [
-            "cloudshell:CreateEnvironment"
-          ],
-          "Effect": "Deny",
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "cloudshell:VpcIds": [
-                "vpc-1",
-                "vpc-2"
-              ]
-            }
-          }
-        }
-      ]
-    }
+To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SecurityGroupIds` condition. The following example denies users access to `sg-1` and `sg-2`:
@@ -241 +229 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example denies users access to `subnet-1` and `subnet-2`:
+JSON
@@ -244,21 +232 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "EnforceOutOfSubnet",
-          "Action": [
-            "cloudshell:CreateEnvironment"
-          ],
-          "Effect": "Deny",
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "cloudshell:SubnetIds": [
-                "subnet-1",
-                "subnet-2"
-              ]
-            }
-          }
-        }
-      ]
-    }
+****
@@ -266 +233,0 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SecurityGroupIds` condition. The following example denies users access to `sg-1` and `sg-2`:
@@ -294,0 +263 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
+To allow users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example allows users access to `subnet-1` and `subnet-2`:
@@ -296,21 +265,4 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "EnforceStayInSpecificVpc",
-          "Action": [
-            "cloudshell:CreateEnvironment"
-          ],
-          "Effect": "Allow",
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "cloudshell:VpcIds": [
-                "vpc-1",
-                "vpc-2"
-              ]
-            }
-          }
-        }
-      ]
-    }
+JSON
+    
+
+****
@@ -318 +269,0 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
-To allow users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example allows users access to `subnet-1` and `subnet-2`:
@@ -344,0 +297,6 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
+JSON
+    
+
+****
+    
+