AWS Security ChangesHomeSearch

AWS cloudshell documentation change

Service: cloudshell · 2025-10-19 · Documentation medium

File: cloudshell/latest/userguide/sec-auth-with-identities.md

Summary

Added JSON section markers and updated IAM policy examples for VPC/Subnet/Security Group access controls. Corrected condition key references (e.g., cloudshell:VpcIds to cloudshell:SubnetIds).

Security assessment

Changes improve documentation of IAM policy syntax for network resource restrictions in CloudShell. While security-related documentation is enhanced, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/cloudshell/latest/userguide/sec-auth-with-identities.md b/cloudshell/latest/userguide/sec-auth-with-identities.md
index c8b7c5cc7..bc16c51dd 100644
--- a//cloudshell/latest/userguide/sec-auth-with-identities.md
+++ b//cloudshell/latest/userguide/sec-auth-with-identities.md
@@ -84,0 +85,6 @@ This following policy enforces a complete denial of access to CloudShell and its
+JSON
+    
+
+****
+    
+    
@@ -99,0 +107,6 @@ This following policy allows IAM users to access CloudShell but blocks them from
+JSON
+    
+
+****
+    
+    
@@ -124,0 +139,6 @@ The following policy allows IAM users to access CloudShell. However, the policy
+JSON
+    
+
+****
+    
+    
@@ -148,0 +170,6 @@ The following policy allows IAM users to create AWS CloudShell environments.
+JSON
+    
+
+****
+    
+    
@@ -207,0 +236,6 @@ The following example displays how to enable full permissions, including access
+JSON
+    
+
+****
+    
+    
@@ -350,0 +386 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
+To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example denies users access to `subnet-1` and `subnet-2`:
@@ -352,21 +388 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "EnforceOutOfVpc",
-          "Action": [
-            "cloudshell:CreateEnvironment"
-          ],
-          "Effect": "Deny",
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "cloudshell:VpcIds": [
-                "vpc-1",
-                "vpc-2"
-              ]
-            }
-          }
-        }
-      ]
-    }
+To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SecurityGroupIds` condition. The following example denies users access to `sg-1` and `sg-2`:
@@ -374 +390 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example denies users access to `subnet-1` and `subnet-2`:
+JSON
@@ -377,21 +393 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "EnforceOutOfSubnet",
-          "Action": [
-            "cloudshell:CreateEnvironment"
-          ],
-          "Effect": "Deny",
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "cloudshell:SubnetIds": [
-                "subnet-1",
-                "subnet-2"
-              ]
-            }
-          }
-        }
-      ]
-    }
+****
@@ -399 +394,0 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of
-To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SecurityGroupIds` condition. The following example denies users access to `sg-1` and `sg-2`:
@@ -427,0 +424 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
+To allow users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example allows users access to `subnet-1` and `subnet-2`:
@@ -429,21 +426,4 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "EnforceStayInSpecificVpc",
-          "Action": [
-            "cloudshell:CreateEnvironment"
-          ],
-          "Effect": "Allow",
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "cloudshell:VpcIds": [
-                "vpc-1",
-                "vpc-2"
-              ]
-            }
-          }
-        }
-      ]
-    }
+JSON
+    
+
+****
@@ -451 +430,0 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
-To allow users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example allows users access to `subnet-1` and `subnet-2`:
@@ -477,0 +458,6 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of
+JSON
+    
+
+****
+    
+