Description:

This policy ensures that users' AWS sessions are terminated after 10 hours. This helps to mitigate the risk of unauthorized access to AWS resources if a user's account is compromised.

Rationale:

The longer a user's session is active, the more time an attacker has to gain unauthorized access to their account. By limiting the maximum session duration to 10 hours, we can reduce the risk of this happening.

Impact:

If this policy is not followed, users' AWS sessions could be active for longer than 10 hours. This could increase the risk of unauthorized access to AWS resources.

Default Value:

The default maximum session duration for AWS users is 12 hours. This policy will reduce the default maximum session duration to 10 hours.

Pre-requisites:

  • Access to the AWS Management Console or the AWS CLI
  • The ability to create and manage IAM policies

Remediation Steps:

  1. Open the AWS Management Console or the AWS CLI.
  2. Go to the IAM console.
  3. Click on Policies.
  4. Click on Create Policy.
  5. In the Policy Name field, enter "Maximum Session Duration."
  6. In the Policy Document field, paste the following policy:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Deny",
           "Action": "sts:AssumeRole",
           "Resource": "*",
           "Condition": {
             "MaxSessionDuration": {
               "Hours": 10
             }
           }
         }
       ]
     }
  7. Click on Create Policy.
  8. Attach the policy to the IAM users or roles that you want to limit the maximum session duration for.

Test Plan:

  1. Log in to the AWS Management Console using an IAM user or role that has the policy attached.
  2. Leave the session open for more than 10 hours.
  3. Verify that the session is terminated after 10 hours.
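As an added verification example (not part of the original page), the Python script below audits the session limit configured on IAM roles: IAM stores a role's limit in the MaxSessionDuration attribute, in seconds, and the check flags any role above 10 hours and builds the aws iam update-role command that would bring it within the limit. The input is a constructed sample in the shape of aws iam list-roles output; the role names are made up.

```python
import json

# Ten hours, in the seconds unit IAM uses for MaxSessionDuration.
MAX_ALLOWED_SECONDS = 10 * 3600

# Constructed sample in the shape returned by `aws iam list-roles`
# (only the fields this check needs are included; names are made up).
SAMPLE_LIST_ROLES_OUTPUT = json.dumps({
    "Roles": [
        {"RoleName": "ReadOnlyAuditor", "MaxSessionDuration": 3600},
        {"RoleName": "DeployPipeline", "MaxSessionDuration": 36000},
        {"RoleName": "BreakGlassAdmin", "MaxSessionDuration": 43200},
    ]
})


def roles_exceeding_limit(list_roles_json, limit_seconds=MAX_ALLOWED_SECONDS):
    """Return {role_name: configured_seconds} for roles above limit_seconds.

    A role without a MaxSessionDuration field is treated as the IAM
    default of 3600 seconds (one hour).
    """
    roles = json.loads(list_roles_json).get("Roles", [])
    offending = {}
    for role in roles:
        configured = int(role.get("MaxSessionDuration", 3600))
        if configured > limit_seconds:
            offending[role["RoleName"]] = configured
    return offending


def remediation_commands(offending, limit_seconds=MAX_ALLOWED_SECONDS):
    """Build the update-role commands that cap each offending role at the limit."""
    return [
        f"aws iam update-role --role-name {name} --max-session-duration {limit_seconds}"
        for name in sorted(offending)
    ]


if __name__ == "__main__":
    found = roles_exceeding_limit(SAMPLE_LIST_ROLES_OUTPUT)
    for name, seconds in found.items():
        print(f"{name}: {seconds // 3600} h exceeds the 10 h limit")
    for cmd in remediation_commands(found):
        print(cmd)
```

To run it against a real account, pass the JSON from `aws iam list-roles` to roles_exceeding_limit and review the printed commands before applying them.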

Implementation Plan:

  1. Follow the remediation steps above to implement the policy.
  2. Test the policy to make sure that it is working as expected.

AWS CLI Process:

To implement the policy using the AWS CLI, you can use the following command:

aws iam create-policy --policy-name MaximumSessionDuration --policy-document file://maximum_session_duration.json

Replace maximum_session_duration.json with the path to the file that contains the policy document.

Using AWS GUI:

To implement the policy using the AWS GUI, you can follow these steps:

  1. Go to the AWS Management Console.
  2. Click on the IAM tab.
  3. Click on Policies.
  4. Click on Create Policy.
  5. In the Policy Name field, enter "Maximum Session Duration."
  6. In the Policy Document field, paste the policy document.
  7. Click on Create Policy.
  8. Attach the policy to the IAM users or roles that you want to limit the maximum session duration for.

Backout Plan:

To revoke the policy, you can use the following command:

aws iam delete-policy --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/MaximumSessionDuration

Replace <ACCOUNT_ID> with your AWS account ID. The delete-policy command identifies the policy by ARN, not by name, and the policy must first be detached from every user and role it is attached to (aws iam detach-user-policy / aws iam detach-role-policy) before it can be deleted.

Note:

  • This policy does not affect the maximum session duration for AWS services.
  • This policy only applies to IAM users and roles that have the policy attached.
  • If you have any questions about this policy, please contact your AWS administrator.

Reference:

  • AWS Identity and Access Management Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html

Section 2:

  • Tags: security, session, duration, 10 hours
  • Keywords: maximum session duration, AWS policy, IAM