At re:Invent 2020, AWS announced many new services and service enhancements. One service that caught our eye was CloudShell. It adds one of the few capabilities that had been missing in AWS: direct access to a CLI-based shell (this has been available in Azure and GCP for over a year). AWS CloudShell is a browser-based, pre-authenticated shell that you can launch from the AWS Management Console.
What is AWS CloudShell?
Those who use Azure or GCP will already be familiar with a “Cloud Shell” type service. CloudShell is a browser-based shell running on an Amazon Linux 2 environment. CloudShell comes pre-installed with AWS CLI version 2. It uses your AWS console login credentials. This means that you no longer need to manage an Access Key and Secret Key to run the AWS CLI!
To start CloudShell, log in to the AWS Console, go to a supported region and click the CloudShell icon on the banner (the location and the shape of the icon look familiar somehow?).
CloudShell is currently supported in the N. Virginia, Ohio, Oregon, Tokyo and Ireland regions. The service is free up to 10 concurrent shells in each region.
CloudShell has the following key features.
- You can have a maximum of 1GB of persistent storage space in each region in your home directory ($HOME). Anything outside of the home directory is refreshed every time CloudShell is restarted. Note that the home directory persistent storage is deleted if you don’t use CloudShell in the region for 120 days;
- Admin level access to install additional software;
- Inactive session timeout after 20 minutes for security (along with safe paste functionality);
- You can customise font size and background colour to suit;
- Outbound internet access is provided;
- It comes pre-installed with AWS CLI and other tools;
- You can open multiple tabs and upload/download files through the console.
To access the service, your IAM user or role will need the following permissions.
The AWS managed policy AWSCloudShellFullAccess can be used to provide this access.
What’s in AWS CloudShell
Out of the box, CloudShell comes with AWS command line interfaces such as AWS CLI, ECS, EB and SAM. A variety of shells and development tools are provided, including Bash, Python, Node.js, PowerShell, Pip, NPM, Git and more utilities. Don’t forget that you can even use sudo to install any additional packages.
AWS CloudShell is a super handy new service. We really like the quick access to a shell without having to worry about managing credentials!
However, there are always limitations with new services and CloudShell is no exception. We would like to see the following capabilities added to CloudShell.
- CloudTrail records CreateSession but no user activity is visible. From a security perspective, we would like visibility into user activities with outputs to CloudWatch (similar to existing SSM Session Manager capability);
- Route traffic via a VPC so the traffic can go out via proxy/firewall;
- Support for EFS for larger persistent storage;
- Support for a custom image (with additional pre-installed software).
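Commands typed in the shell are not logged, but AWS API calls made from it still reach CloudTrail. The added example below (not part of the original post) groups such calls under the CreateSession event that preceded them for the same principal. It assumes the event source is cloudshell.amazonaws.com and that the AWS CLI inside CloudShell adds exec-env/CloudShell to its user agent; the helper names and all sample records are constructed.

```python
CLOUDSHELL_SOURCE = "cloudshell.amazonaws.com"  # assumed CloudTrail event source
UA_MARKER = "exec-env/CloudShell"  # assumed user-agent token added inside CloudShell

def cloudshell_timeline(records):
    """Group CloudShell-originated API calls under the session that preceded them."""
    report = {}
    # CloudTrail eventTime is ISO 8601 UTC, so string order is time order.
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        arn = rec["userIdentity"]["arn"]
        entry = report.setdefault(arn, {"sessions": [], "unmatched": []})
        if rec["eventSource"] == CLOUDSHELL_SOURCE and rec["eventName"] == "CreateSession":
            entry["sessions"].append(
                {"start": rec["eventTime"], "region": rec["awsRegion"], "calls": []})
        elif UA_MARKER in rec.get("userAgent", ""):
            call = rec["eventSource"].split(".")[0] + ":" + rec["eventName"]
            if entry["sessions"]:
                entry["sessions"][-1]["calls"].append(call)  # latest earlier session
            else:
                # Marker without a session in this data: a log gap, or a client
                # that set the (client-controlled) user agent itself.
                entry["unmatched"].append(call)
    return {arn: e for arn, e in report.items() if e["sessions"] or e["unmatched"]}

def _rec(time, source, name, user, agent="console.amazonaws.com"):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "userAgent": agent,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user}}

CLI_UA = "aws-cli/2.1.13 Python/3.7.3 exec-env/CloudShell"  # constructed value
SAMPLE = [  # deliberately out of order to exercise the sort
    _rec("2020-12-20T03:07:00Z", "iam.amazonaws.com", "ListUsers", "alice", CLI_UA),
    _rec("2020-12-20T03:00:00Z", CLOUDSHELL_SOURCE, "CreateSession", "alice"),
    _rec("2020-12-20T03:05:00Z", "s3.amazonaws.com", "ListBuckets", "alice", CLI_UA),
    _rec("2020-12-20T03:06:00Z", "ec2.amazonaws.com", "DescribeInstances", "alice"),
    _rec("2020-12-20T04:00:00Z", "iam.amazonaws.com", "CreateAccessKey", "bob", CLI_UA),
    _rec("2020-12-20T04:10:00Z", "s3.amazonaws.com", "ListBuckets", "carol"),
]

if __name__ == "__main__":
    for arn, entry in cloudshell_timeline(SAMPLE).items():
        print(arn, entry)
```

This only recovers AWS API activity; anything done inside the shell that does not call an AWS API remains invisible, which is the gap described in the first bullet above.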
If you want to know more about AWS re:Invent and the new announcements, please get in contact with us at RedBear.