Policy: AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation

By setting this policy, you attest that you have manually verified that it complies with the relevant section of the CIS Benchmark.

From Console: 1. Open the IAM console at https://console.aws.amazon.com/iam/ 2. In the left pane, select Policies 3. Search for and select AWSCloudShellFullAccess 4. On the Entities attached tab, ensure that there are no entities using this policy

From Command Line: 1. List IAM policies, filter for the 'AWSCloudShellFullAccess' managed policy, and note the "Arn" element value: aws iam list-policies --query "Policies[?PolicyName == 'AWSCloudShellFullAccess']" 2. Check if the 'AWSCloudShellFullAccess' policy is attached to any role: aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess 3. In Output, Ensure PolicyRoles returns empty. 'Example: Example: PolicyRoles: []'

If it does not return empty refer to the remediation below.

Note: Keep in mind that other policies may grant access.

Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in report level Maximum Attestation Duration policy. Set to a blank value to clear the attestation.