

# Using AWS CloudShell in Amazon VPC
<a name="using-cshell-in-vpc"></a>

AWS CloudShell VPC environments let you run a CloudShell environment inside your own Amazon VPC. For each VPC environment you choose a VPC and a subnet and associate up to five security groups. The environment inherits the network configuration of that subnet, so you can use CloudShell alongside other resources in the subnet and connect to them over private networking. 

With Amazon VPC, you can launch AWS resources in a logically isolated virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS. For more information about VPC, see [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).

## Operating constraints
<a name="limitations"></a>

AWS CloudShell VPC environments have the following constraints: 
+ You can create a maximum of two VPC environments per IAM principal.
+ You can assign a maximum of five security groups to a VPC environment.
+ The upload and download options in the **Actions** menu are not available for VPC environments. 
**Note**  
If a VPC environment has internet egress, you can still transfer files with other command-line tools from inside the environment.
+ VPC environments have no persistent storage. Storage is ephemeral: the home directory and all data in it are deleted when the active environment session ends. 
+ A VPC environment can reach the internet only from a private subnet that routes through Network Address Translation (NAT). 
**Note**  
CloudShell does not allocate public IP addresses to VPC environments. A VPC environment in a public subnet whose route table sends all traffic to an internet gateway therefore has no internet access, because an internet gateway forwards traffic only for resources that have a public IP. A VPC environment in a private subnet whose route table sends internet-bound traffic to a NAT device (for example, a NAT gateway) does have internet access. 
+ To provide a managed CloudShell environment for your account, AWS might provision network access to the following services for the underlying compute host:
  + Amazon S3
  + VPC endpoints
    + com.amazonaws.<region>.ssmmessages
    + com.amazonaws.<region>.logs
    + com.amazonaws.<region>.kms
    + com.amazonaws.<region>.execute-api
    + com.amazonaws.<region>.ecs-telemetry
    + com.amazonaws.<region>.ecs-agent
    + com.amazonaws.<region>.ecs
    + com.amazonaws.<region>.ecr.dkr
    + com.amazonaws.<region>.ecr.api
    + com.amazonaws.<region>.codecatalyst.packages
    + com.amazonaws.<region>.codecatalyst.git
    + aws.api.global.codecatalyst

  You cannot restrict access to these endpoints by modifying your VPC configuration.

  CloudShell VPC is available in the AWS Regions and AWS GovCloud (US) Regions listed in [Supported AWS Regions for AWS CloudShell](supported-aws-regions.md).
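The "no public IP" rule above is easy to get wrong when a subnet looks public but CloudShell still has no internet. The following check, added here as an example and not part of the AWS documentation, classifies a subnet's effective default route the way the constraint describes: only a NAT route gives a CloudShell VPC environment internet egress, an internet-gateway route does not. It reads the `RouteTables` list in the shape returned by `aws ec2 describe-route-tables`, so real output can be passed in; the VPC, subnet, gateway and route table IDs below are constructed sample data.

```python
"""Classify a subnet's path to the internet for a CloudShell VPC environment.

Added example (not from the AWS documentation). Works on the "RouteTables" list as
returned by `aws ec2 describe-route-tables`; the data below is constructed.
"""

# Constructed sample: one VPC with a public subnet (IGW route), a private subnet
# (NAT gateway route) and a subnet that falls back to the main route table.
SAMPLE_ROUTE_TABLES = [
    {   # main route table: local route only
        "RouteTableId": "rtb-main", "VpcId": "vpc-0example",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public subnet: default route to an internet gateway
        "RouteTableId": "rtb-public", "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
    {   # private subnet: default route to a NAT gateway
        "RouteTableId": "rtb-private", "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
]


def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def internet_path(route_tables, vpc_id, subnet_id):
    """Return "nat", "igw" or "none" for the subnet's active default (0.0.0.0/0) route.

    "nat"  : NAT gateway default route -> a CloudShell VPC environment has internet egress
    "igw"  : internet-gateway default route -> still NO internet for CloudShell, because
             the environment gets no public IP and an IGW only forwards for public IPs
    "none" : no default route -> private connectivity only
    """
    rt = route_table_for_subnet(route_tables, vpc_id, subnet_id)
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if "NatGatewayId" in route:
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return "none"


def cloudshell_has_internet(route_tables, vpc_id, subnet_id):
    """True only when the subnet's default route goes through NAT."""
    return internet_path(route_tables, vpc_id, subnet_id) == "nat"


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-private", "subnet-isolated"):
        path = internet_path(SAMPLE_ROUTE_TABLES, "vpc-0example", subnet)
        print(f"{subnet}: default route via {path}, CloudShell internet: "
              f"{cloudshell_has_internet(SAMPLE_ROUTE_TABLES, 'vpc-0example', subnet)}")
```

Routes whose target is a NAT instance (an `InstanceId` or `NetworkInterfaceId` target) are not recognised by this check; extend `internet_path` if you use them.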

# Creating a CloudShell VPC environment
<a name="creating-vpc-environment"></a>

 This topic walks you through the steps to create a VPC environment in CloudShell.

**Prerequisites**

Your administrator must provide the necessary IAM permissions for you to be able to create VPC environments. For more information about enabling permissions to create CloudShell VPC environments, see [Required IAM permissions for creating and using CloudShell VPC environments](aws-cloudshell-vpc-permissions-1.md). 

**To create a CloudShell VPC environment**

1. On the CloudShell console page, choose the **+** icon and then choose **Create VPC environment** from the dropdown menu. 

1. On the **Create a VPC environment** page, enter a name for your VPC environment in the **Name** box.

1. From the **Virtual private cloud (VPC)** dropdown list, choose a VPC. 

1. From the **Subnet** dropdown list, choose a subnet. 

1. From the **Security group** dropdown list, choose one or more security groups that you want to assign to your VPC environment. 
**Note**  
You can choose a maximum of five security groups.

1. Choose **Create** to create your VPC environment. 

1. (Optional) Choose **Actions**, and then choose **View details** to review the details of the newly created VPC environment. The IP address of your VPC environment is displayed in the command line prompt.

For information about using VPC environments, see [Getting started with AWS CloudShell](getting-started.md).

# Required IAM permissions for creating and using CloudShell VPC environments
<a name="aws-cloudshell-vpc-permissions-1"></a>

To create and use CloudShell VPC environments, an IAM administrator must grant the VPC-specific Amazon EC2 permissions listed in this section.

 To create VPC environments, the IAM policy assigned to your role must include the following Amazon EC2 permissions: 
+ `ec2:DescribeVpcs`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeDhcpOptions`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:CreateTags`
+ `ec2:CreateNetworkInterface`
+ `ec2:CreateNetworkInterfacePermission`

We recommend that you also include the following permission: 
+ `ec2:DeleteNetworkInterface`

**Note**  
This permission is not mandatory, but CloudShell needs it to delete the elastic network interface (ENI) that it creates for a VPC environment (these ENIs are tagged with the `ManagedByCloudShell` key). If the permission is not granted, the ENI remains in your account after each CloudShell VPC environment session and you must clean it up manually.
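If `ec2:DeleteNetworkInterface` is withheld, the manual cleanup described above needs a safe way to tell a leftover CloudShell ENI from one that belongs to a running session. The following script, added here as an example and not part of the AWS documentation, filters on the `ManagedByCloudShell` tag and only reports interfaces in the `available` state; an `in-use` CloudShell ENI is backing a live session and must not be deleted. `orphaned_cloudshell_enis` works on the `NetworkInterfaces` list as returned by `describe-network-interfaces`, and `cleanup` shows the corresponding boto3 calls (it needs credentials and is not run here). The interface records and IDs below are constructed sample data.

```python
"""Find CloudShell-created ENIs left behind because ec2:DeleteNetworkInterface was not
granted. Added example (not AWS code); sample data below is constructed."""

CLOUDSHELL_TAG = "ManagedByCloudShell"

# Constructed sample: one orphan (available, tagged), one still attached to a live
# session, and one unrelated ENI without the tag.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0orphan", "Status": "available",
     "TagSet": [{"Key": CLOUDSHELL_TAG, "Value": ""}]},
    {"NetworkInterfaceId": "eni-0inuse", "Status": "in-use",
     "Attachment": {"Status": "attached"},
     "TagSet": [{"Key": CLOUDSHELL_TAG, "Value": ""}]},
    {"NetworkInterfaceId": "eni-0other", "Status": "available",
     "TagSet": [{"Key": "Name", "Value": "app-lb"}]},
]


def is_cloudshell_eni(eni):
    """CloudShell tags its ENIs with the ManagedByCloudShell key (the value is empty)."""
    return any(tag.get("Key") == CLOUDSHELL_TAG for tag in eni.get("TagSet", []))


def orphaned_cloudshell_enis(network_interfaces):
    """IDs of CloudShell ENIs that are not attached to anything and are safe to delete.

    Only "available" interfaces are returned: an "in-use" CloudShell ENI belongs to a
    session that is still running, and deleting it would break that session.
    """
    return sorted(
        eni["NetworkInterfaceId"]
        for eni in network_interfaces
        if is_cloudshell_eni(eni) and eni.get("Status") == "available"
    )


def cleanup(region, dry_run=True):
    """Delete orphaned CloudShell ENIs in one region with boto3 (requires credentials).

    The API filters narrow the listing to tagged, detached interfaces; the local check
    is applied again to the result before anything is deleted.
    """
    import boto3  # imported here so the rest of the module runs without boto3 installed

    ec2 = boto3.client("ec2", region_name=region)
    found = []
    for page in ec2.get_paginator("describe_network_interfaces").paginate(Filters=[
        {"Name": "tag-key", "Values": [CLOUDSHELL_TAG]},
        {"Name": "status", "Values": ["available"]},
    ]):
        found.extend(page["NetworkInterfaces"])
    orphans = orphaned_cloudshell_enis(found)
    for eni_id in orphans:
        if dry_run:
            print(f"would delete {eni_id}")
        else:
            ec2.delete_network_interface(NetworkInterfaceId=eni_id)
    return orphans


if __name__ == "__main__":
    print("orphaned CloudShell ENIs in sample:", orphaned_cloudshell_enis(SAMPLE_ENIS))
```

Run `cleanup("us-east-1")` first with the default `dry_run=True` and review the list; the principal running it needs `ec2:DescribeNetworkInterfaces` and, for the real deletion, `ec2:DeleteNetworkInterface` on the tagged interfaces.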

## IAM policy granting full CloudShell access including access to VPC
<a name="cshell-vpc-full-access-example-1"></a>

The following example policy grants full CloudShell permissions together with the Amazon EC2 permissions needed for VPC environments. The EC2 statements are scoped with `aws:CalledVia` so they can be exercised only through CloudShell, and the tag conditions limit the network-interface actions to ENIs that CloudShell tags with `ManagedByCloudShell`:

------
#### [ JSON ]


```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCloudShellOperations",
			"Effect": "Allow",
			"Action": [
				"cloudshell:*"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowDescribeVPC",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeSubnets",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeVpcs"
			],
			"Resource": "*"
		},
		{
			"Sid": "AllowInspectVPCConfigurationViaCloudShell",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeNetworkInterfaces"
			],
			"Resource": "*",
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": "cloudshell.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowCreateTagWithCloudShellKeyViaCloudShell",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateTags"
			],
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": "CreateNetworkInterface"
				},
				"ForAnyValue:StringEquals": {
					"aws:TagKeys": "ManagedByCloudShell",
					"aws:CalledVia": "cloudshell.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowCreateNetworkInterfaceWithSubnetsAndSGViaCloudShell",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateNetworkInterface"
			],
			"Resource": [
				"arn:aws:ec2:*:*:subnet/*",
				"arn:aws:ec2:*:*:security-group/*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": "cloudshell.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowCreateNetworkInterfaceWithCloudShellTagViaCloudShell",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateNetworkInterface"
			],
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:TagKeys": "ManagedByCloudShell",
					"aws:CalledVia": "cloudshell.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowCreateNetworkInterfacePermissionWithCloudShellTagViaCloudShell",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateNetworkInterfacePermission"
			],
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/ManagedByCloudShell": ""
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": "cloudshell.amazonaws.com"
				}
			}
		},
		{
			"Sid": "AllowDeleteNetworkInterfaceWithCloudShellTagViaCloudShell",
			"Effect": "Allow",
			"Action": [
				"ec2:DeleteNetworkInterface"
			],
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/ManagedByCloudShell": ""
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": "cloudshell.amazonaws.com"
				}
			}
		}
	]
}
```

------

## Using IAM condition keys for VPC environments
<a name="cloudshell-vpc-condition-keys-1"></a>

You can use CloudShell-specific condition keys in IAM policies to add permission controls for VPC environments: they let you specify which VPCs, subnets, and security groups a VPC environment can and cannot use. 

CloudShell supports the following condition keys. Because a request can reference several subnets and security groups, match them with the set operators `ForAnyValue:StringEquals` (true if any requested ID is in the list) and `ForAllValues:StringEquals` (true only if every requested ID is in the list) rather than plain `StringEquals`:
+ `cloudshell:VpcIds` – Allow or deny one or more VPCs
+ `cloudshell:SubnetIds` – Allow or deny one or more subnets
+ `cloudshell:SecurityGroupIds` – Allow or deny one or more security groups

**Note**  
These condition keys are evaluated only when `cloudshell:CreateEnvironment` is called. If you add a restriction on that action to the policy of users who already have a public CloudShell environment, they keep access to the existing environment. To cut off that access as well, first update the IAM policy with the restriction, and then have every CloudShell user in your account delete their existing public environment from the CloudShell web user interface (**Actions** → **Delete CloudShell environment**); the restricted policy then prevents a replacement from being created.

## Example policies with condition keys for VPC settings
<a name="vpc-condition-keys-examples-1"></a>

The following examples demonstrate how to use condition keys for VPC settings. After you create a policy statement with the desired restrictions, attach it to the policy of the target user or role.

### Ensure that users create only VPC environments and deny creation of public environments
<a name="permission-to-create-VPC-env-only-example-1"></a>

To ensure that users can create only VPC environments, deny `cloudshell:CreateEnvironment` when the `cloudshell:VpcIds` key is absent from the request. Public (non-VPC) environments are created without a VPC, so the `Null` condition operator with the value `true` matches exactly those requests: 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudShellNonVpcEnvironments",
      "Action": [
        "cloudshell:CreateEnvironment"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Null": {
          "cloudshell:VpcIds": "true"
        }
      }
    }
  ]
}
```

### Deny users access to specific VPCs, subnets, or security groups
<a name="permission-deny-access-example-1"></a>

To deny users access to specific VPCs, subnets, or security groups, use an explicit Deny with `ForAnyValue:StringEquals` on `cloudshell:VpcIds`, `cloudshell:SubnetIds`, or `cloudshell:SecurityGroupIds`. `ForAnyValue` matches when any of the requested IDs is in the list, so a request that combines a permitted security group with a denied one is still denied.

The following example denies creating an environment that uses `sg-1` or `sg-2`. The same statement with `cloudshell:VpcIds` (for example `vpc-1` and `vpc-2`) or `cloudshell:SubnetIds` (for example `subnet-1` and `subnet-2`) denies specific VPCs or subnets:

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOutOfSecurityGroups",
      "Action": [
        "cloudshell:CreateEnvironment"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "cloudshell:SecurityGroupIds": [
            "sg-1",
            "sg-2"
          ]
        }
      }
    }
  ]
}
```

------

### Allow users to create environments with specific VPC configurations
<a name="create-env-with-specific-VPC-conf-1"></a>

To allow users to create environments only with specific VPCs, subnets, or security groups, use an Allow with `ForAllValues:StringEquals`, which matches only when every ID in the request is in the list. The following example allows environments only in `subnet-1` and `subnet-2`; the same statement with `cloudshell:VpcIds` (for example `vpc-1` and `vpc-2`) restricts the VPC.

`ForAllValues` also evaluates to true when the key is absent from the request, which is the case when a public environment is created. On its own, this Allow therefore also permits creating public environments. To prevent that, combine it with the `DenyCloudShellNonVpcEnvironments` statement above, or add `"Null": {"cloudshell:SubnetIds": "false"}` to the condition so the statement matches only when a subnet is actually present in the request:

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceStayInSpecificSubnets",
      "Action": [
        "cloudshell:CreateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "cloudshell:SubnetIds": [
            "subnet-1",
            "subnet-2"
          ]
        }
      }
    }
  ]
}
```

------

To allow users to create environments only with specific security groups, use `ForAllValues:StringEquals` on `cloudshell:SecurityGroupIds` in the same way. The following example allows environments whose security groups are all among `sg-1` and `sg-2`; as with the subnet example, the statement also matches a request that carries no security groups, so pair it with the Deny for non-VPC environments or a `"Null": {"cloudshell:SecurityGroupIds": "false"}` condition:

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceStayInSpecificSecurityGroup",
      "Action": [
        "cloudshell:CreateEnvironment"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "cloudshell:SecurityGroupIds": [
            "sg-1",
            "sg-2"
          ]
        }
      }
    }
  ]
}
```

------
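The difference between the Deny examples (`ForAnyValue`) and the Allow examples (`ForAllValues`) is the whole security argument of this section, and the `ForAllValues` behaviour on a missing key is where it breaks. The following script, added here as an example and not part of the AWS documentation, is a small evaluator that implements just the operators the policies on this page use (`ForAnyValue:StringEquals`, `ForAllValues:StringEquals`, `Null`) plus the explicit-deny-wins rule, and runs the page's `DenyCloudShellNonVpcEnvironments`, `EnforceOutOfSecurityGroups` and `EnforceStayInSpecificSubnets` statements against constructed `cloudshell:CreateEnvironment` request contexts. It also shows a hardened variant of the subnet Allow (`EnforceStayInSpecificSubnetsStrict`, a name chosen here) with the `Null` check added. The VPC, subnet and security group IDs are the page's placeholders; the request contexts are constructed, and real IAM evaluation involves more (resources, other operators, SCPs) than this model covers.

```python
"""Evaluate the cloudshell:CreateEnvironment condition-key policies from this page
against sample request contexts. Added example, not AWS code; it models only the
operators those policies use and the explicit-deny-wins rule."""

ACTION = "cloudshell:CreateEnvironment"

# Policies from the page, as Python dicts.
DENY_NON_VPC = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyCloudShellNonVpcEnvironments", "Effect": "Deny", "Action": [ACTION],
    "Resource": "*", "Condition": {"Null": {"cloudshell:VpcIds": "true"}}}]}

DENY_SGS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnforceOutOfSecurityGroups", "Effect": "Deny", "Action": [ACTION],
    "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {"cloudshell:SecurityGroupIds": ["sg-1", "sg-2"]}}}]}

ALLOW_SUBNETS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnforceStayInSpecificSubnets", "Effect": "Allow", "Action": [ACTION],
    "Resource": "*",
    "Condition": {"ForAllValues:StringEquals": {"cloudshell:SubnetIds": ["subnet-1", "subnet-2"]}}}]}

# Hardened variant (added in this example): Null=false requires the key to be present,
# which closes the ForAllValues gap for requests with no subnet at all (public environments).
ALLOW_SUBNETS_STRICT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnforceStayInSpecificSubnetsStrict", "Effect": "Allow", "Action": [ACTION],
    "Resource": "*",
    "Condition": {"ForAllValues:StringEquals": {"cloudshell:SubnetIds": ["subnet-1", "subnet-2"]},
                  "Null": {"cloudshell:SubnetIds": "false"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_matches(operator, key, expected, ctx):
    expected = _as_list(expected)
    present = key in ctx
    if operator == "Null":
        # Null "true" matches an absent key, Null "false" matches a present key
        return present == (expected[0] == "false")
    actual = _as_list(ctx[key]) if present else []
    if operator == "ForAnyValue:StringEquals":
        return any(a in expected for a in actual)      # absent key -> False
    if operator == "ForAllValues:StringEquals":
        return all(a in expected for a in actual)      # absent key -> True (vacuous)
    raise ValueError(f"operator {operator} not modelled in this example")


def statement_matches(stmt, action, ctx):
    if action.lower() not in (a.lower() for a in _as_list(stmt["Action"])):
        return False
    return all(condition_matches(op, key, exp, ctx)
               for op, clauses in stmt.get("Condition", {}).items()
               for key, exp in clauses.items())


def evaluate(policies, action, ctx):
    """Return "Deny", "Allow" or "ImplicitDeny" (no statement matched)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"           # an explicit Deny always wins
            decision = "Allow"
    return decision


# Constructed request contexts. A public environment carries none of the VPC keys.
PUBLIC_ENV = {}
VPC_OK = {"cloudshell:VpcIds": ["vpc-1"], "cloudshell:SubnetIds": ["subnet-1"],
          "cloudshell:SecurityGroupIds": ["sg-9"]}
VPC_BAD_SG = {"cloudshell:VpcIds": ["vpc-1"], "cloudshell:SubnetIds": ["subnet-1"],
              "cloudshell:SecurityGroupIds": ["sg-9", "sg-1"]}   # one denied SG among several
VPC_BAD_SUBNET = {"cloudshell:VpcIds": ["vpc-1"], "cloudshell:SubnetIds": ["subnet-3"],
                  "cloudshell:SecurityGroupIds": ["sg-9"]}


def demo():
    full = [DENY_NON_VPC, DENY_SGS, ALLOW_SUBNETS]
    return {
        "vpc_ok": evaluate(full, ACTION, VPC_OK),
        "bad_sg": evaluate(full, ACTION, VPC_BAD_SG),
        "bad_subnet": evaluate(full, ACTION, VPC_BAD_SUBNET),
        "public_with_deny": evaluate(full, ACTION, PUBLIC_ENV),
        "public_allow_only": evaluate([ALLOW_SUBNETS], ACTION, PUBLIC_ENV),         # the gap
        "public_allow_strict": evaluate([ALLOW_SUBNETS_STRICT], ACTION, PUBLIC_ENV),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>20}: {decision}")
```

`public_allow_only` comes back `Allow`: the page's subnet Allow, deployed without the non-VPC Deny, lets a user create a public environment. `public_allow_strict` and `public_with_deny` show the two ways to close that, and `bad_sg` shows why the Deny side uses `ForAnyValue`: a single denied security group in a list of five is enough to refuse the request.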