AWS CloudShell

AWS CloudShell was just announced this month (December 2020). Let’s go over what is AWS CloudShell, what are its use cases, when you shouldn’t use it, and much more.

What is AWS CloudShell?

We know this feature is not new to the cloud. We know Azure and Google Cloud engineers are familiar with this. As a AWS fanatic, this is great new feature!

  • AWS CloudShell’s permissions are managed by IAM
  • Inactive and long-running sessions are automatically stopped and recycled
  • Create start-up scripts
  • Available on the latest versions of Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari
  • Sudo privileges to install and modify your session
  • Since it’s Amazon Linux 2, you can use yum to manage its packages

AWS CloudShell IAM permissions

By default you may not have the appropriate IAM permissions to use the CloudShell. You may see various unauthorized error messages if you attempt to launch it. Example error message:”Unable to start the environment…is not authorized to perform: cloudshell:{action} on resource…” Going with the principle of least privilege, here’s what the minimum IAM permissions required to get started!

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUsersCloudShell",
        "Effect": "Allow",
        "Action": [
            "cloudshell:CreateSession",
            "cloudshell:CreateEnvironment",
            "cloudshell:GetEnvironmentStatus",
            "cloudshell:PutCredentials"
        ],
        "Resource": "*"
    }]
}

Additionally you can allow your engineers to upload and download files from/to the user’s local machine to the AWS CloudShell! Just add these IAM actions.

cloudshell:GetFileDownloadUrls
cloudshell:GetFileUploadUrls

AWS CloudShell Cost

Zero! Nada! The shell itself and its storage does not incur any charges but of course any resources you create from it may.

Launch AWS CloudShell

Currently, at the time of this writing (December 2020) it’s available in these regions.

  • US East (Ohio)
  • US East (N. Virginia)
  • US West (Oregon)
  • Asia Pacific (Tokyo)
  • Europe (Ireland)

Once logged into the AWS console, there’s a new icon on the left of the Notifications icon (bell). Click the icon with the greater than and underscore icon .

AWS CloudShell
AWS CloudShell

It’s loads your IAM permissions for you automatically! Next let’s run some AWS CLI commands… and notice we don’t have to provide the region or profile! My user account is allowed to list IAM users so this works right away.

$ aws iam list-users

# result
{
    "Users": [
        {
            "Path": "/",
            "UserName": "waleed",
            "UserId": "ABCAEFEFAEAFEAFE1",
            "Arn": "arn:aws:iam::1234567890:user/waleed",
            "CreateDate": "2020-12-16T02:05:25+00:00",
            "PasswordLastUsed": "2020-12-16T02:08:50+00:00"
        }
    ]
}

Switch shell

By default it’s the bash shell represented by the dollar ($) sign. Switch to PowerShell by typing pwsh. PowerShell is represented by the letters PS. Finally if you want to use Z shell enter zsh at any time. Z shell is represented by the percentage (%) symbol. If you want to switch back to Bash, enter bash.

Actions and options

Pretty simple and self-explanatory.

What’s it good for?

  • Ad-hoc actions to query information
  • Check permissions and such incase if your AWS CLI profile is broken on your workstation or elsewhere
  • Learning environment

What’s it not good for?

  • Long term development
  • CI/CD
  • Production workloads
  • It’s your responsibility to manage all user installed software/packages!
  • You will not be able to access your private EC2s, it’s a not VPN solution.
  • Users can access the internet, this may not be allowed in your organization

That’s all for now, read more about AWS CloudShell. Subscribe for more tutorial like this!

TOP 13 CLOUD ENGINEER POSITION INTERVIEW QUESTIONS AND ANSWERSBe prepared for you interview!