I'm in a bit of a bind here—my team can only access our secure VPC when our laptops are completely isolated from the internet due to compliance rules. Right now, we're managing this with a VPN that blocks all internet traffic while we connect to our jump host within the bastion subnet. I'm curious if there's a way to do something similar with AWS CloudShell. Specifically, can we set it up so that CloudShell can only be accessed if our laptops are not connected to the internet? CloudShell seems like an awesome tool, but if my infosec team says we can't use it without this isolation, our workflow is going to be majorly impacted. Any thoughts?
2 Answers
It really depends on your reasons for needing isolation. Are you trying to protect against data egress? You might be missing that even if you block internet access, there's still a risk of local copying and leaks afterwards. CloudShell does have VPC controls, but those may not fully ensure the level of isolation you're looking for. You might want to consider AWS Workspaces instead; it’s a more controlled environment.
You should check out AWS Console Private Access. It's outlined in their docs and could provide some of the security controls you need. Just a heads up, though—it looks like it mainly restricts access to accounts over a corporate network, rather than enforcing that all access comes from there.
That’s a good point! But isn't the real concern about ensuring access only from within the corporate network? It might not work for your isolation requirements.
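To make the second answer's point concrete, here is an added illustration that is not part of either answer or of AWS's documentation: the control underneath AWS Console Private Access is an IAM condition on the VPC endpoint a request arrives through (`aws:SourceVpce`). The policy builder below emits a deny-unless-from-this-endpoint statement (the endpoint ID `vpce-0123456789abcdef0` is a placeholder, and the `aws:ViaAWSService` exemption is the usual way to avoid breaking calls AWS services make on the principal's behalf). The small evaluator that follows is a toy for the two condition operators used here, not a reimplementation of IAM, so that the effect on a few request contexts can be checked offline.

```python
"""Added illustration (not from the original thread): the IAM condition behind
AWS Console Private Access, plus a toy evaluator for that single statement."""

# Placeholder endpoint ID (assumed value). A real deployment would use the ID
# of the console interface endpoint created in the corporate VPC.
CORP_CONSOLE_VPCE = "vpce-0123456789abcdef0"


def console_private_access_policy(vpce_id: str = CORP_CONSOLE_VPCE) -> dict:
    """Identity-based policy: deny every action unless the request came in
    through the given VPC endpoint. Requests made by an AWS service on the
    principal's behalf (aws:ViaAWSService == true) are exempted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromCorporateVpce",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id},
                    "BoolIfExists": {"aws:ViaAWSService": "false"},
                },
            }
        ],
    }


def _string_not_equals(ctx: dict, key: str, expected: str) -> bool:
    # Negated string operator: a request context that lacks the key
    # counts as "not equal", i.e. the condition matches.
    return ctx.get(key) != expected


def _bool_if_exists(ctx: dict, key: str, expected: str) -> bool:
    # ...IfExists variant: a missing key matches; a present key must equal
    # the expected value (compared case-insensitively as "true"/"false").
    if key not in ctx:
        return True
    return str(ctx[key]).lower() == expected.lower()


_OPERATORS = {
    "StringNotEquals": _string_not_equals,
    "BoolIfExists": _bool_if_exists,
}


def is_denied(policy: dict, ctx: dict) -> bool:
    """Toy evaluation: True when some Deny statement has every condition
    key/value pair matching the request context. Only the two operators
    used by console_private_access_policy() are implemented."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conditions = stmt.get("Condition", {})
        matched = all(
            _OPERATORS[op](ctx, key, value)
            for op, pairs in conditions.items()
            for key, value in pairs.items()
        )
        if matched:
            return True
    return False


if __name__ == "__main__":
    policy = console_private_access_policy()
    # Constructed request contexts: via the corporate endpoint, from the
    # public internet (no endpoint at all), via some other endpoint, and a
    # service-initiated call.
    samples = {
        "corporate vpce": {"aws:SourceVpce": CORP_CONSOLE_VPCE},
        "public internet": {},
        "foreign vpce": {"aws:SourceVpce": "vpce-ffffffffffffffff"},
        "service call": {"aws:ViaAWSService": "true"},
    }
    for label, ctx in samples.items():
        print(f"{label:16s} denied={is_denied(policy, ctx)}")
```

Read against the question: the only thing this policy can see is which VPC endpoint the request arrived through, so it confines console access to the corporate network path. It has no view of whether the laptop also has a live internet connection, which is what the original poster's compliance rule is about, so on its own it does not enforce that isolation.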