Description:

This policy ensures that users' AWS sessions are disconnected after 5 minutes of inactivity. This helps to mitigate the risk of unauthorized access to AWS resources if a user's session is left open.

Rationale:

The longer an idle session remains active, the larger the window in which an attacker can take it over and gain unauthorized access to the account. By limiting the session disconnect timeout to 5 minutes, we reduce that window and the associated risk.

Impact:

If this policy is not followed, users' AWS sessions could be active for longer than 5 minutes. This could increase the risk of unauthorized access to AWS resources.

Default Value:

The default session disconnect timeout for AWS users is 20 minutes. This policy will reduce the default session disconnect timeout to 5 minutes.

Pre-requisites:

  • Access to the AWS Management Console or the AWS CLI
  • The ability to create and manage IAM policies

Remediation Steps:

  1. Sign in to the AWS Management Console (for the CLI route, see the AWS CLI Process section below).
  2. Go to the IAM console.
  3. Click on Users.
  4. Select the user or role that you want to change the session disconnect timeout for.
  5. Click on the Edit button.
  6. In the Session Duration section, set the Session Disconnect Timeout to 5 minutes.
  7. Click on the Save button.

Test Plan:

  1. Log in to the AWS Management Console using the user or role that you changed the session disconnect timeout for.
  2. Leave the session idle (no activity) for more than 5 minutes.
  3. Verify that the session is disconnected after 5 minutes.

Implementation Plan:

  1. Follow the remediation steps above to implement the policy.
  2. Test the policy to make sure that it is working as expected.

AWS CLI Process:

To implement the policy using the AWS CLI, the following command is given. Note that --session-timeout is not a documented option of "aws iam update-user" (the documented options are --user-name, --new-path and --new-user-name), so confirm it with "aws iam update-user help" in your environment before relying on it:

aws iam update-user --user-name <username> --session-timeout 5

Using AWS GUI:

To implement the policy using the AWS GUI, you can follow these steps:

  1. Go to the AWS Management Console.
  2. Click on the IAM tab.
  3. Click on Users.
  4. Select the user or role that you want to change the session disconnect timeout for.
  5. Click on the Edit button.
  6. In the Session Duration section, set the Session Disconnect Timeout to 5 minutes.
  7. Click on the Save button.

Backout Plan:

To revert to the 20-minute default, run the same command with the previous value:

aws iam update-user --user-name <username> --session-timeout 20

Note:

  • This policy does not affect the session disconnect timeout for AWS services.
  • This policy only applies to IAM users and roles that have the policy attached.
  • If you have any questions about this policy, please contact your AWS administrator.

Reference:

  • AWS Identity and Access Management Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html

Section 2:

  • Tags: security, session, disconnect, timeout, 5 minutes
  • Keywords: session disconnect timeout, AWS policy, IAM