Description:

This policy ensures that users' AWS sessions are disconnected after 10 minutes of inactivity. This helps to mitigate the risk of unauthorized access to AWS resources if a user's session is left open.

Rationale:

The longer an idle but still-authenticated session remains open, the more time an attacker who reaches the user's browser or device has to use it to gain unauthorized access to the account. By limiting the session idle disconnect timeout to 10 minutes, we reduce the window in which this can happen.

Impact:

If this policy is not followed, users' AWS sessions could be active for longer than 10 minutes. This could increase the risk of unauthorized access to AWS resources.

Default Value:

The default session idle disconnect timeout for AWS users is 20 minutes. This policy will reduce the default session idle disconnect timeout to 10 minutes.

Pre-requisites:

  • Access to the AWS Management Console or the AWS CLI
  • The ability to create and manage IAM policies

Remediation Steps:

  1. Open the AWS Management Console or the AWS CLI.
  2. Go to the IAM console.
  3. Click on Users.
  4. Select the user or role that you want to change the session idle disconnect timeout for.
  5. Click on the Edit button.
  6. In the Session Duration section, set the Session Idle Disconnect Timeout to 10 minutes.
  7. Click on the Save button.

Test Plan:

  1. Log in to the AWS Management Console using the user or role that you changed the session idle disconnect timeout for.
  2. Leave the session idle (no activity) for more than 10 minutes.
  3. Verify that the session has been disconnected after 10 minutes of inactivity.
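The verification step above can be automated over session activity records. The following Python is an added example, not part of this policy document: it assumes a constructed record format of (session id, principal, UTC timestamp), roughly what one would extract from an audit log, and flags any session that shows activity after an idle gap longer than the configured timeout, since such activity means the disconnect was not enforced. It checks both the policy value (10 minutes) and the stated default (20 minutes).

```python
"""Check whether an idle-disconnect timeout was actually enforced.

Automates the Test Plan: if a session shows activity after a gap longer than
the configured idle timeout, that session survived idle time in which the
policy says it should have been disconnected.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real AWS data): (session_id, principal, UTC timestamp).
SAMPLE_ACTIVITY = [
    ("sess-A", "alice", "2024-01-01T09:00:00Z"),
    ("sess-A", "alice", "2024-01-01T09:04:00Z"),
    ("sess-A", "alice", "2024-01-01T09:19:00Z"),  # 15 min idle, then activity: violates a 10-min policy
    ("sess-B", "bob",   "2024-01-01T10:00:00Z"),
    ("sess-B", "bob",   "2024-01-01T10:08:00Z"),
    ("sess-B", "bob",   "2024-01-01T10:15:00Z"),  # gaps of 8 and 7 min: compliant under both policies
    ("sess-C", "carol", "2024-01-01T11:00:00Z"),
    ("sess-C", "carol", "2024-01-01T11:25:00Z"),  # 25 min idle: violates both 10- and 20-min policies
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_idle_violations(records, idle_timeout_minutes):
    """Return {session_id: [(principal, gap_minutes), ...]} for every idle gap
    strictly longer than the timeout that was followed by further activity."""
    limit = timedelta(minutes=idle_timeout_minutes)
    by_session = {}
    for session_id, principal, ts in records:
        by_session.setdefault(session_id, []).append((principal, parse_ts(ts)))
    violations = {}
    for session_id, events in by_session.items():
        events.sort(key=lambda e: e[1])  # records may arrive out of order
        for (principal, prev), (_, cur) in zip(events, events[1:]):
            gap = cur - prev
            if gap > limit:
                violations.setdefault(session_id, []).append(
                    (principal, gap.total_seconds() / 60))
    return violations


if __name__ == "__main__":
    for minutes in (10, 20):  # the policy's value and the stated default
        print(f"idle timeout {minutes} min:", find_idle_violations(SAMPLE_ACTIVITY, minutes))
```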

Implementation Plan:

  1. Follow the remediation steps above to implement the policy.
  2. Test the policy to make sure that it is working as expected.

AWS CLI Process:

To implement the policy using the AWS CLI, you can use the following command (replace <username> with the IAM user name, and confirm the options supported by your CLI version with `aws iam update-user help` before running it):

aws iam update-user --user-name <username> --session-idle-timeout 10

Using AWS GUI:

To implement the policy using the AWS GUI, you can follow these steps:

  1. Go to the AWS Management Console.
  2. Click on the IAM tab.
  3. Click on Users.
  4. Select the user or role that you want to change the session idle disconnect timeout for.
  5. Click on the Edit button.
  6. In the Session Duration section, set the Session Idle Disconnect Timeout to 10 minutes.
  7. Click on the Save button.

Backout Plan:

To back out the change and restore the 20-minute default, you can use the following command:

aws iam update-user --user-name <username> --session-idle-timeout 20

Note:

  • This policy does not affect the session idle disconnect timeout for AWS services.
  • This policy only applies to IAM users and roles that have the policy attached.
  • If you have any questions about this policy, please contact your AWS administrator.

Reference:

  • AWS Identity and Access Management Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html

Section 2:

  • Tags: security, session, disconnect, timeout, 10 minutes
  • Keywords: session idle disconnect timeout, AWS policy, IAM