Introduction to AWS CloudShell

AWS CloudShell is a new service aimed at facilitating interactions with AWS from the command line without having to install & configure a full set of tools

During the re:Invent 2020 Developer Keynote, presented by Dr. Werner Vogels, a handy new service named AWS CloudShell was introduced.

AWS CloudShell is aimed at providing an AWS-enabled shell prompt in the browser that is simple and secure with as little friction as possible.

AWS CloudShell is generally available in us-east-1 (N. Virginia), us-east-2 (Ohio), us-west-2 (Oregon), ap-northeast-1 (Tokyo), and eu-west-1 (Ireland) at launch.

AWS CloudShell in a nutshell

With this new service, AWS fills a gap that has been present for years and that competitors have been addressing for a long time, starting with GCP Cloud Shell.

You can watch on YouTube the introduction of the service during Werner Vogels' Keynote:

AWS CloudShell introduction by Werner Vogels

Accessing AWS CloudShell

To access AWS CloudShell, you just have to connect to the AWS Console and click the icon available in the top-right navigation menu.

AWS CloudShell button

Clicking the icon opens a new page on the AWS CloudShell home page, and a new AWS CloudShell instance starts:

AWS CloudShell

The command line provided has the AWS Command Line Interface (CLI) v2 installed and configured, so that you can run AWS commands without any additional setup or configuration.

The environment provides pre-installed Python & Node runtimes and tools such as jq.

AWS CloudShell is based on Amazon Linux 2.

Shells

3 shells are pre-installed: Bash, which is the default shell; Z Shell, also known as zsh, which provides customization with themes and plugins; and PowerShell.

If you are a Microsoft user, the availability of PowerShell, built on top of Microsoft's .NET Common Language Runtime, will make you happy and let you take advantage of its deep integration with .NET.

The shell in use can be identified by the command prompt: $ corresponds to Bash, PS> corresponds to PowerShell and % corresponds to zsh.

The default user is cloudshell-user, which is not the default user you will find on Amazon Linux EC2 instances (ec2-user). Using scripts designed for EC2 may cause issues if they are not adapted to run on AWS CloudShell.

Additional AWS command line interfaces (CLI)

In addition to the default AWS CLI, additional CLIs come pre-installed, which is handy: using one of them otherwise takes time, as you have to find the related instructions to install it. The provided CLIs are:

  • AWS Elastic Beanstalk CLI (eb)
  • Amazon Elastic Container Service (Amazon ECS) CLI (ecs-cli)
  • AWS SAM CLI (sam)

Setting up a shell to interact with your account resources is always time consuming. Moreover, as you don't do this kind of installation every other day, you have to remember how to set up your tooling each time.

With AWS CloudShell, you always have a working environment at hand that does not require spending time installing tooling on a system you don't own, whether you are on a Linux, Windows or Mac machine.

Also, you don't have to worry much about cleaning up the machine after use, as AWS CloudShell is accessed from the browser.

A simple cleanup of the browser history, or accessing the service via private browsing, should be enough (given that the computer is not compromised).

Development tools and shell utilities

Many tools and shell utilities are also pre-installed: git, iputils, jq, tmux, vim, wget, and the CodeCommit utility for Git (git-remote-codecommit), which provides a simple method for pushing and pulling code from CodeCommit repositories by extending Git.

By default, AWS CloudShell users have sudo privileges, so it is possible to use the sudo command to install additional software. As AWS CloudShell is based on Amazon Linux 2, you will have to use yum to install software.

However, additional software has to be installed in each session, as the setup is recycled between sessions.

It is possible to customize the initialization of AWS CloudShell sessions by customizing the .bashrc file. If access to the session is lost due to an error, it is still possible to delete the home directory (the action is available from the Action menu).

For advanced customization needs, it can be preferable to rely on version control, for example with Git.

Here is a full list of programs available in the /usr/bin directory:

/usr/bin programs

The amazon-linux-extras command is available as part of the standard installation, which means that much additional software can be installed with ease.

For example, to install java-openjdk11, you just have to execute the following commands:

sudo amazon-linux-extras enable java-openjdk11
sudo yum install java-11-openjdk

Install java-openjdk11

After installation, executing java -version will return the following result:

openjdk version "11.0.7" 2020-04-14 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.7+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.7+10-LTS, mixed mode, sharing)

Figure: `java -version` information

Deleting home directory

Deleting data stored in the home directory is permanent. It cannot be reversed, but it can be useful either in case of an issue, or simply to remove all data.

Limits of persistent storage

AWS CloudShell lets you store 1 GB of data in each region at no cost. Only data stored in the home directory ($HOME) is persisted between sessions. Data stored in other locations is automatically wiped at the end of a session.

Data is retained for a maximum of 120 days after the end of the last session for a given region.

AWS CloudShell is implemented using cryptographic keys provided by AWS KMS; the service generates and manages the cryptographic keys used to encrypt data.

Other shell limits

It is possible to run a maximum of 10 shells at the same time in each region at no charge.

After 20 to 30 minutes of inactivity, the session will end.

Background processes are not considered activity. Only keyboard & mouse interactions count as activity and extend the session. However, there is a hard limit of 12 hours of activity; after this period of time, the session will automatically end.

When the session times out, it is possible to reconnect simply by clicking on the reconnect button.

Reconnect popup

Instance metadata

It is worth noting that instance metadata is not available from AWS CloudShell, as opposed to EC2 instances. Trying to call the magic URL results in the following error message: "curl: (7) Couldn't connect to server".

Instance metadata

Network Access & Data Transfer

AWS CloudShell session users can access the public internet; however, it is not possible to reach the shell's ports from outside, and no public IP address is available.

As download & upload can be slow, the preferred way to handle large files is to use S3 storage from the command line interface.

Download & Upload features are accessible from the Action menu:

Action Menu

Shell Layouts

It is possible to split the main window horizontally & vertically, as well as to create tabs, to organize the workspace efficiently.

Shell layout

In addition, a preferences pane gives access to additional customization parameters such as font size or theme:

AWS CloudShell Preferences

The Enable Safe Paste option, available in the preferences pane, is a security feature that lets you require yourself to verify that multi-line text you are about to paste does not contain malicious scripts.

Compute environment resources

Each AWS CloudShell is assigned CPU & memory resources. More specifically, 1 vCPU & 2 GiB of RAM are provided for free.

It is worth noting that the AWS CloudShell service does not provide support for Docker.

Trying to install docker with amazon-linux-extras will fail. Executing the docker ps command returns the following error:

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Figure: `docker ps` command error

It should still be possible to configure the client to connect to a remote docker daemon.

Security & compliance

By default, AWS CloudShell automatically installs security patches for the system packages, so you don't have to worry about it.

Regarding compliance, AWS CloudShell is not in scope of any specific compliance programs.

If you are interested in monitoring activity of the service, it is possible to do so through the CloudTrail integration, which reports a number of events related either to the user's activity in the console or to API interactions.

It is also possible to leverage EventBridge rules to react to AWS CloudShell events.
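The two paragraphs above describe monitoring CloudShell through CloudTrail and reacting to its events with EventBridge. The following Python script is an added example, not part of the original article and not AWS code: it filters a constructed CloudTrail log excerpt for CloudShell file-transfer calls and applies a simplified EventBridge-style rule pattern to the same records. The CloudTrail eventSource value "cloudshell.amazonaws.com" and the EventBridge source "aws.cloudshell" follow AWS's usual naming convention and are assumptions here, as are the account id and principal names in the sample records.

```python
"""Detect AWS CloudShell file-transfer activity in CloudTrail records and show
how an EventBridge-style rule pattern selects the same events.

Added example (not from the original article, not AWS code). Assumptions:
the eventSource "cloudshell.amazonaws.com" / source "aws.cloudshell" naming,
and the sample records below, which are constructed rather than captured.
"""
import json
from collections import Counter

# Constructed CloudTrail log excerpt (not real account data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-01-05T10:00:00Z", "eventSource": "cloudshell.amazonaws.com",
     "eventName": "CreateSession",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2021-01-05T10:05:00Z", "eventSource": "cloudshell.amazonaws.com",
     "eventName": "GetFileDownloadUrls",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2021-01-05T10:06:00Z", "eventSource": "cloudshell.amazonaws.com",
     "eventName": "GetFileUploadUrls",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"}},
    {"eventTime": "2021-01-05T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# The two CloudShell API calls that move files between the shell and a workstation.
FILE_TRANSFER_EVENTS = {"GetFileDownloadUrls", "GetFileUploadUrls"}

# EventBridge rule pattern for "AWS API Call via CloudTrail" events coming from
# CloudShell that involve a file transfer (source/eventSource names assumed).
FILE_TRANSFER_PATTERN = {
    "source": ["aws.cloudshell"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudshell.amazonaws.com"],
        "eventName": sorted(FILE_TRANSFER_EVENTS),
    },
}


def to_eventbridge_event(record):
    """Wrap a CloudTrail record the way EventBridge delivers it (simplified envelope)."""
    service = record["eventSource"].split(".")[0]
    return {
        "source": "aws." + service,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": record,
    }


def matches(event, pattern):
    """Simplified EventBridge matching: every pattern key must exist in the event,
    a list leaf means 'the value is one of these', nested dicts recurse.
    Prefix, anything-but and numeric matchers are deliberately not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def file_transfers_by_principal(trail_json):
    """Return {principal ARN: number of CloudShell upload/download calls}."""
    records = json.loads(trail_json)["Records"]
    counts = Counter()
    for rec in records:
        if matches(to_eventbridge_event(rec), FILE_TRANSFER_PATTERN):
            counts[rec["userIdentity"]["arn"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for arn, n in file_transfers_by_principal(SAMPLE_TRAIL).items():
        print(f"{n} CloudShell file transfer call(s) by {arn}")
```

Running the script reports one file-transfer call for each of the two constructed principals; the CreateSession and S3 records are ignored because they do not satisfy the pattern. The same pattern dict, serialized as JSON, is the shape an EventBridge rule's event pattern takes, so the matcher lets you check a rule against sample records before deploying it.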

Permissions

When it comes to refining the permissions given to a specific user, IAM policies allow customizing them to the level you expect.

By default, the AWSCloudShellFullAccess policy grants permission to use AWS CloudShell with full access to all features.

However, it is also possible to restrict permissions as usual through custom-defined policies.

The permission prefix for the AWS CloudShell service is: cloudshell.

3 permissions specific to the service are available:

  • cloudshell:CreateSession, which allows starting a shell session
  • cloudshell:GetFileDownloadUrls, which allows downloading files from the shell environment to a local machine
  • cloudshell:GetFileUploadUrls, which allows uploading files from a local machine to the shell environment

It is possible, for example, to restrict access to AWS CloudShell by blocking file uploads & downloads in the shell environment with a policy such as the following:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudShellUser",
        "Effect": "Allow",
        "Action": [
            "cloudshell:*"
        ],
        "Resource": "*"
    }, {
        "Sid": "DenyUploadDownload",
        "Effect": "Deny",
        "Action": [
            "cloudshell:GetFileDownloadUrls",
            "cloudshell:GetFileUploadUrls"
        ],
        "Resource": "*"
    }]
}

Figure: Custom AWS CloudShell policy
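To make the effect of the policy above concrete, here is an added Python example (not part of the original article and not AWS's evaluation engine) that models the part of IAM policy evaluation this policy relies on: action wildcards, case-insensitive action matching, an explicit Deny overriding any Allow, and an implicit deny for everything not granted. Resource and Condition elements are ignored, which is an assumption of the model, not a property of IAM.

```python
"""Simplified IAM evaluation of the custom CloudShell policy shown above.

Added example, not AWS's evaluation engine: only the Action, Effect and
Statement structure is modelled (no Resource, Condition, NotAction or
cross-policy merging). Assumption: the policy dict below reproduces the
article's policy verbatim.
"""
import fnmatch

# The policy from the article, as a Python dict.
CLOUDSHELL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudShellUser", "Effect": "Allow",
         "Action": ["cloudshell:*"], "Resource": "*"},
        {"Sid": "DenyUploadDownload", "Effect": "Deny",
         "Action": ["cloudshell:GetFileDownloadUrls",
                    "cloudshell:GetFileUploadUrls"],
         "Resource": "*"},
    ],
}


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one action name."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # "Action" may be a single string
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"        # an explicit deny always wins
        allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(policy, action):
    """True only when some statement allows the action and none denies it."""
    return evaluate(policy, action) == "allow"


if __name__ == "__main__":
    for name in ("cloudshell:CreateSession", "cloudshell:GetFileDownloadUrls",
                 "cloudshell:GetFileUploadUrls", "s3:GetObject"):
        print(f"{name:36s} -> {evaluate(CLOUDSHELL_POLICY, name)}")
```

With this policy, cloudshell:CreateSession is allowed by the wildcard statement, both file-transfer actions are explicitly denied even though the wildcard also matches them, and an action from another service such as s3:GetObject is implicitly denied because no statement grants it. Statement order does not matter: a Deny that matches wins wherever it appears.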

A great feature of AWS CloudShell is that it inherits the permissions of the user connected to the AWS Console: AWS CloudShell assumes the identity of the connected user.

Pricing

Users are not charged for using AWS CloudShell, so you don't have to worry about pricing. Also, there are no minimum fees or required upfront commitments. Only data transfer is billed at standard rates.

AWS CloudShell plugin for VSCode

An unofficial plugin for VSCode has been built to integrate VSCode with AWS CloudShell. It allows opening multiple AWS CloudShell terminals within VSCode on demand.

AWS CloudShell plugin for VSCode

More information available on the GitHub page of the plugin: https://github.com/iann0036/vscode-aws-cloudshell.

To get it working, the AWS CLI must be installed, as well as the Session Manager plugin for VSCode.

You also need to configure an AWS profile properly and configure the VSCode plugin to use it.

Conclusion

Sure, AWS CloudShell is not a technological revolution, but it fills a gap that remained open for a long time. The service still lacks some features compared to equivalent solutions available for example in GCP, but it is a first step in the right direction.

Useful link