What Is AWS CloudShell? Browser-Based AWS CLI Explained
AWS CloudShell is a browser-based terminal built into the AWS Management Console. It gives you a ready-to-use shell with the AWS CLI already installed and already authenticated as whichever IAM identity you are signed in with. No local install, no credential files, no setup.
The main benefit is speed: you can run AWS commands within seconds of opening the console. The main limitation is that CloudShell is designed for short, interactive tasks. It is not a replacement for a full local terminal when you need persistent tooling, long-running processes, or heavy file operations.
Use CloudShell when you need to check something quickly, run a one-off command, or troubleshoot from inside the console. Use a local CLI installation when you need a customized environment, sustained development sessions, or CI/CD automation.
Simple explanation
Think of CloudShell as a terminal window that lives inside the AWS website. When you open it, AWS spins up a small Linux machine in the background and gives you a command prompt. That machine already has the AWS CLI installed, and it already knows who you are because you are signed in to the console.
You type commands, AWS runs them, and you see the results. When you close the tab or walk away for too long, the machine is recycled. Your home directory files stick around (up to 1 GB per region), but everything else resets.
CloudShell is like a hotel business center computer. You walk in, log in with your existing credentials, and start working. The computer has basic software pre-installed, there is a small locker to keep a few personal files, and you can use it whenever you are a guest. But you would not move your entire home office there. For sustained work you use your own machine at home.
CloudShell is not a replacement for all local CLI work. It is a convenience tool for quick interactions with AWS when you are already in the browser.
Why AWS CloudShell matters
Setting up the AWS CLI locally involves installing the tool, configuring credentials, choosing a default region, and keeping everything updated. That is worth doing for daily development work, but it is overhead when you just need to check something quickly.
CloudShell removes all of that friction. You click an icon in the console, and within a few seconds you have a working terminal. Your identity, permissions, and region are already set. This matters most for:
- Quick admin tasks. Checking running instances, listing S3 buckets, or verifying IAM policies.
- Investigation and troubleshooting. Confirming your identity with
aws sts get-caller-identitywhen something is not working, or checking resource state from a known-good environment. - One-off CLI work. Running a command you do not need to script or repeat.
- Learning. Experimenting with CLI commands without worrying about access key management or local configuration.
Because CloudShell uses temporary session credentials from your console login, you never need to create, store, or rotate access keys for quick CLI tasks. This eliminates an entire category of credential security risk.
How AWS CloudShell works
The workflow is straightforward:
- You sign in to the AWS Management Console with your IAM user, IAM role, or SSO session
- You open CloudShell (from the top navigation bar or the service search)
- AWS creates a temporary compute environment in the region you currently have selected in the console
- The shell session uses your current console credentials. That means the same IAM identity and permissions you already have. CloudShell does not use separate access keys. Instead, it works with temporary session credentials from your console login
- The AWS CLI v2 is pre-installed and pre-configured with your region, so commands like
aws s3 lswork immediately - Your home directory (
/home/cloudshell-user) has up to 1 GB of persistent storage in standard environments, but the rest of the compute environment (installed packages, system-level changes) is ephemeral
Opening CloudShell is like walking into a workshop that already has tools on the wall and your name badge clipped on. You did not bring anything and you did not set anything up. The shop recognizes you because you came through the front door (the console), and whatever projects you are allowed to work on in the building, you are allowed to work on in the shop too.
How to open AWS CloudShell
There are three ways to launch CloudShell:
- Console icon. Click the terminal prompt icon (
>_) in the top navigation bar of the Management Console. This is the fastest method. - Search bar. Type “CloudShell” in the console search bar and select the result.
- Direct navigation. Go to the CloudShell service page from the Services menu.
CloudShell opens in whichever region you have selected in the console. If you need to work in a different region, switch the region selector before opening CloudShell, or pass the —region flag on individual commands:
# Run a command in a different region without switching the console
aws ec2 describe-instances --region us-west-2CloudShell opens in whatever region you had selected in the console. If you are looking at resources and they seem to be missing, check aws configure get region before assuming something is wrong. You might just be looking in the wrong region.
What is included in the CloudShell environment
CloudShell runs Amazon Linux 2023. The environment comes with a useful set of tools pre-installed:
Shells
- Bash (the default shell)
- Z shell (Zsh)
- PowerShell
AWS tooling
- AWS CLI v2, pre-installed and pre-authenticated
- Python 3 and pip for running scripts and installing packages like boto3
- Node.js and npm
Utilities
- git for version control
- jq, a JSON processor useful for parsing AWS CLI output
- curl and wget for HTTP requests
- unzip and tar for archives
- vim and nano for text editing
Verify the environment with a few quick commands:
# Check CLI version and your authenticated identity
aws --version
aws sts get-caller-identity
# Confirm the active region
aws configure get region
# Check Python availability
python3 --versionPersistent storage and session behavior
Understanding what persists and what does not in CloudShell prevents surprises.
What persists (standard environments)
In standard CloudShell environments, your home directory (/home/cloudshell-user) has 1 GB of persistent storage per region. Files you save here survive session restarts. This is a good place for scripts, small config files, and reference data.
What does not persist
The compute environment itself is ephemeral. Packages you install with pip, npm, or yum are lost when the session ends. Shell history outside the home directory, environment variables, and any system-level changes are also reset.
CloudShell storage works like a gym locker. You get a small personal locker (your home directory) that keeps your stuff between visits. But the treadmill settings, the TV channel, and the towels you used all reset for the next person. If you switch to a different gym location (a different region), you have a separate locker there.
If you configure CloudShell to run inside a VPC, the environment does not include persistent home directory storage. Everything is ephemeral, including files in the home directory. Plan accordingly if you use VPC environments regularly.
Storage cleanup and session timeouts
- Inactive sessions. CloudShell disconnects after roughly 20 to 30 minutes of inactivity. You can reconnect, and your home directory files are still there.
- Unused storage deletion. If you do not use CloudShell in a given region for 120 days, AWS automatically deletes the persistent storage for that region.
Save a setup script in your home directory to quickly restore your preferred packages at the start of each session. Since the script itself is in persistent storage, you only write it once.
# Create a setup script in persistent storage
cat > ~/setup.sh << 'EOF'
pip3 install boto3 --quiet
pip3 install awscurl --quiet
echo "Environment ready"
EOF
chmod +x ~/setup.sh
# Run it at the start of each session
~/setup.shWhen to use AWS CloudShell
CloudShell is the right tool when:
- Quick one-off commands. Listing resources, checking configurations, or running a single CLI command you do not need to save.
- Verifying identity and permissions. Running
aws sts get-caller-identityto confirm which account, user, or role you are operating as, especially when debugging access denied errors. - Confirming region and account state. Checking which region you are in and what resources exist before making changes.
- Troubleshooting from the console. When something looks wrong in the console UI and you want to verify it with the CLI.
- Running short scripts. Small Bash or Python scripts that you do not need a full local setup for.
- Learning the CLI. Experimenting with commands without worrying about local credential setup.
When not to use AWS CloudShell
CloudShell is not the right fit for:
- Long-running work. Sessions time out after inactivity, and you cannot keep a process running in the background for hours.
- Heavy local tooling. If your workflow depends on custom editors, language runtimes, Docker, or a specific OS, a local environment is better.
- Large file workflows. The 1 GB storage limit and lack of fast local disk make CloudShell a poor choice for processing large datasets.
- Scheduled automation or CI/CD. CloudShell is interactive and cannot be triggered on a schedule. Use Lambda, CodeBuild, or GitHub Actions instead.
- Private network access (without VPC configuration). Standard CloudShell cannot reach resources in private subnets. You need to configure a VPC environment, which trades away persistent storage.
- Sustained development. For daily coding against AWS, install the CLI locally where you have full control over your environment.
Most AWS users end up using both. CloudShell for quick checks and troubleshooting, a local CLI for real development work. They complement each other rather than compete.
Common use cases
Confirm your identity
When you are troubleshooting permission issues, the first step is confirming who the CLI thinks you are. This is especially useful when you are debugging IAM access denied errors.
aws sts get-caller-identityQuick account audit
Check the state of key resources without leaving the browser:
# List running EC2 instances as a table
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running" \
--query 'Reservations[*].Instances[*].{ID:InstanceId,Type:InstanceType,AZ:Placement.AvailabilityZone}' \
--output table
# List S3 buckets in this account
aws s3 ls
# List IAM roles
aws iam list-roles --query 'Roles[*].RoleName' --output textDownload and inspect a file from S3
Pull a config file or log from S3 to inspect it without downloading to your local machine:
aws s3 cp s3://my-bucket/config.json .
cat config.json | jq .Run a short Python script
Python 3 and boto3 are available, so you can run quick automation scripts directly:
# save as ~/check_buckets.py and run with: python3 ~/check_buckets.py
import boto3
s3 = boto3.client('s3')
response = s3.list_buckets()
for bucket in response['Buckets']:
print(bucket['Name'], '-', bucket['CreationDate'])Test IAM permissions
Quickly verify whether your current identity has a specific permission without leaving the console:
# Try listing secrets to check if you have Secrets Manager read access
aws secretsmanager list-secrets --max-items 1AWS CloudShell vs local AWS CLI
Both give you access to the same AWS CLI commands. The difference is in setup, flexibility, and where they run.
| CloudShell | Local CLI | |
|---|---|---|
| Setup | None. Open and go. | Requires installation and credential configuration |
| Credentials | Automatic from console session (temporary credentials) | Configured via profiles, environment variables, or SSO |
| Persistence | 1 GB home dir per region (standard environments only) | Full local filesystem |
| Custom tooling | Limited. Packages reset each session. | Full control over installed tools, editors, and runtimes |
| Private network access | Requires VPC environment configuration | Works with VPN, Direct Connect, or from within the VPC |
| Automation | Interactive only. No scheduling. | Scriptable and usable in CI/CD pipelines |
| Best for | Quick checks, troubleshooting, learning | Daily development, automation, complex workflows |
AWS CloudShell vs Session Manager
These two tools sound similar but serve different purposes.
- CloudShell is a browser-based terminal for running AWS CLI commands against AWS services. It runs on AWS-managed infrastructure, not on your instances.
- Session Manager gives you shell access into a specific EC2 instance or managed server. It replaces SSH by letting you connect through the console or CLI without opening inbound ports or managing key pairs.
CloudShell is like calling AWS on the phone to ask about your account. Session Manager is like walking into one of your own server rooms. Both involve a terminal, but you are talking to completely different things.
Use CloudShell when you want to run AWS API commands (like listing resources or checking IAM policies). Use Session Manager when you need to log into a specific server to check logs, debug an application, or manage the operating system.
Common beginner mistakes
Assuming CloudShell has separate permissions from the console. CloudShell uses the exact same IAM identity and permissions as your current Management Console session. If you cannot do something in CloudShell, check your IAM policies. The issue is with your identity’s permissions, not with CloudShell itself.
Forgetting which region CloudShell is using. CloudShell opens in whichever region was selected in the console when you launched it. Always confirm with
aws configure get regionbefore running commands, especially if you work across multiple regions.Installing packages and expecting them to persist. The compute environment resets between sessions. Only files in your home directory survive. Save an installation script to
~/setup.shand run it when you start a new session.Storing secrets in the persistent home directory. CloudShell sessions run on shared infrastructure. Do not store long-lived access keys, passwords, or sensitive files in your home directory. Use AWS Secrets Manager or Parameter Store for secrets.
Expecting to reach private VPC resources without configuration. Standard CloudShell runs outside your VPC. Commands targeting resources in private subnets (like an RDS instance with no public endpoint) will fail unless you configure a CloudShell VPC environment.
Key takeaways
- CloudShell is a free, browser-based terminal with the AWS CLI pre-installed and pre-authenticated from your console session
- It opens in the currently selected region using your existing IAM permissions. No separate credentials.
- Standard environments provide 1 GB of persistent home directory storage per region. VPC environments do not.
- The compute environment is ephemeral. Installed packages reset each session.
- Inactive sessions time out after roughly 20 to 30 minutes. Unused regional storage is deleted after 120 days.
- Best for quick tasks, troubleshooting, and learning. Use a local CLI for sustained development and automation.
- CloudShell is for AWS API commands. Session Manager is for shell access into specific EC2 instances.
Frequently asked questions
What is AWS CloudShell in simple terms?
AWS CloudShell is a free terminal that runs inside your browser. It comes with the AWS CLI already installed and already signed in using whatever AWS account and region you are currently using in the Management Console. You do not need to install software or set up credentials to start running commands.
Is AWS CloudShell free?
Yes. There is no charge for CloudShell itself. You only pay for the AWS resources you create or modify through the commands you run. CloudShell also provides 1 GB of persistent storage per region at no extra cost in standard environments.
Does CloudShell use my current AWS permissions?
Yes. CloudShell inherits the exact IAM identity and permissions from your active Management Console session. If your IAM user or role can list S3 buckets in the console, it can do the same in CloudShell. CloudShell does not grant any additional permissions beyond what you already have.
Do files persist between CloudShell sessions?
In standard CloudShell environments, files stored in your home directory (/home/cloudshell-user) persist across sessions. You get 1 GB of persistent storage per region. However, installed packages and anything outside the home directory are ephemeral and reset when the session ends. VPC environments do not have persistent storage at all. AWS also deletes unused regional storage after 120 days of inactivity.
Can CloudShell access private VPC resources?
Not by default. Standard CloudShell runs on AWS-managed infrastructure outside your VPC. To reach resources in private subnets, such as an RDS instance without a public endpoint, you need to configure a CloudShell VPC environment that connects to your VPC. Note that VPC environments do not include persistent home directory storage.