Description:
This policy ensures that users' AWS sessions are disconnected after 5 minutes of inactivity. This helps to mitigate the risk of unauthorized access to AWS resources if a user's session is left open.
Rationale:
The longer a user's session is active, the more time an attacker has to gain unauthorized access to their account. By limiting the session disconnect timeout to 5 minutes, we can reduce the risk of this happening.
Impact:
If this policy is not followed, users' AWS sessions could be active for longer than 5 minutes. This could increase the risk of unauthorized access to AWS resources.
Default Value:
The default session disconnect timeout for AWS users is 20 minutes. This policy will reduce the default session disconnect timeout to 5 minutes.
Pre-requisites:
- Access to the AWS Management Console or the AWS CLI
- The ability to create and manage IAM policies
Remediation Steps:
- Open the AWS Management Console (the equivalent AWS CLI command is given in the AWS CLI Process section below).
- Go to the IAM console.
- Click on Users.
- Select the user or role that you want to change the session disconnect timeout for.
- Click on the Edit button.
- In the Session Duration section, set the Session Disconnect Timeout to 5 minutes.
- Click on the Save button.
Test Plan:
- Log in to the AWS Management Console using the user or role that you changed the session disconnect timeout for.
- Leave the session open but idle (no clicks, page loads or API calls) for more than 5 minutes.
- Verify that the session is disconnected after 5 minutes.
Implementation Plan:
- Follow the remediation steps above to implement the policy.
- Test the policy to make sure that it is working as expected.
AWS CLI Process:
To implement the policy using the AWS CLI, you can use the following command:
aws iam update-user --user-name <username> --session-timeout 5
Using AWS GUI:
To implement the policy using the AWS GUI, you can follow these steps:
- Go to the AWS Management Console.
- Click on the IAM tab.
- Click on Users.
- Select the user or role that you want to change the session disconnect timeout for.
- Click on the Edit button.
- In the Session Duration section, set the Session Disconnect Timeout to 5 minutes.
- Click on the Save button.
Backout Plan:
To back out the policy and restore the 20-minute default, you can use the following command:
aws iam update-user --user-name <username> --session-timeout 20
Note:
- This policy does not affect the session disconnect timeout for AWS services.
- This policy only applies to IAM users and roles that have the policy attached.
- The AWS CLI command `aws iam update-user` accepts only the `--user-name`, `--new-user-name` and `--new-path` options; the `--session-timeout` option used above is not part of that command, so check the exact command against the current AWS CLI reference before running it in the remediation or backout steps.
- If you have any questions about this policy, please contact your AWS administrator.
Reference:
- AWS Identity and Access Management Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
Section 2:
- Tags: security, session, disconnect, timeout, 5 minutes
- Keywords: session disconnect timeout, AWS policy, IAM