LoFP / Legitimate use of CloudShell by administrators for routine AWS management tasks. Verify whether the user has a legitimate need for CloudShell access and correlate with recent console login activity. Environment creation also occurs when users access CloudShell in a new AWS region.

Techniques

Sample rules

AWS CloudShell Environment Created

Description

Identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. Monitoring environment creation helps detect unauthorized CloudShell usage from compromised console sessions.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "cloudshell.amazonaws.com"
    and event.action: "CreateEnvironment"
    and event.outcome: "success"
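The following is an added example, not part of the rule set or the page: it evaluates the detection logic above over constructed ECS-shaped CloudTrail events and applies the LoFP guidance by checking for a recent successful console login by the same user. The field values used for the sign-in event (event.provider "signin.amazonaws.com", event.action "ConsoleLogin") and the user.name field are assumed ECS mappings, not taken from the page.

```python
from datetime import datetime, timedelta

# The page's detection logic as field/value terms; the rule is the AND of all of them.
RULE = {"event.dataset": "aws.cloudtrail", "event.provider": "cloudshell.amazonaws.com",
        "event.action": "CreateEnvironment", "event.outcome": "success"}

def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def matches_rule(evt: dict) -> bool:
    """True when every term of the detection logic matches."""
    return all(evt.get(field) == value for field, value in RULE.items())

def recent_console_login(hit: dict, events: list, window=timedelta(hours=1)) -> bool:
    """LoFP check: a successful ConsoleLogin by the same user within `window` before the hit.
    The sign-in field values are assumed ECS mappings of CloudTrail (not from the page)."""
    t = parse_ts(hit["@timestamp"])
    for e in events:
        if (e.get("event.provider") == "signin.amazonaws.com"
                and e.get("event.action") == "ConsoleLogin"
                and e.get("event.outcome") == "success"
                and e.get("user.name") == hit.get("user.name")
                and timedelta(0) <= t - parse_ts(e["@timestamp"]) <= window):
            return True
    return False

def triage(events: list) -> list:
    """Return (user, region, verdict) for each event the rule would fire on."""
    results = []
    for evt in events:
        if not matches_rule(evt):
            continue
        verdict = ("review: recent console login" if recent_console_login(evt, events)
                   else "alert: no recent console login")
        results.append((evt.get("user.name"), evt.get("cloud.region"), verdict))
    return results

def ev(ts, provider, action, outcome, user, region=None):
    """Build a constructed ECS-shaped CloudTrail event (sample data, not real records)."""
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail", "event.provider": provider,
            "event.action": action, "event.outcome": outcome, "user.name": user,
            "cloud.region": region}

SAMPLE_EVENTS = [
    ev("2024-05-01T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "success", "alice"),
    ev("2024-05-01T09:15:00Z", "cloudshell.amazonaws.com", "CreateEnvironment", "success", "alice", "us-east-1"),
    ev("2024-05-01T10:00:00Z", "cloudshell.amazonaws.com", "CreateEnvironment", "success", "bob", "eu-west-1"),
    ev("2024-05-01T10:05:00Z", "cloudshell.amazonaws.com", "CreateEnvironment", "failure", "carol", "us-east-1"),
]
```

Running triage(SAMPLE_EVENTS) flags alice's environment creation for review (a console login 15 minutes earlier) and bob's as an alert with no recent login; carol's failed call never matches the rule because event.outcome is not "success".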