Profile Applicability:
- Level 1
Description:
In AWS environments, session idle disconnect timeout is the period of inactivity after which a user session will be automatically disconnected. For security reasons, it is recommended to configure the session idle timeout to 10 minutes or less. This helps mitigate the risks associated with unattended sessions and ensures that sessions that remain idle for too long are automatically terminated.
This SOP ensures that AWS services (such as AppStream 2.0, EC2, RDS, and other services) enforce an idle session timeout of 10 minutes or less to reduce the exposure to idle session hijacking or unauthorized access.
Rationale:
Security: Limiting session idle time reduces the risk of unauthorized access from unattended sessions. It ensures that any session that remains inactive for a period is safely disconnected, preventing potential exploitation.
Compliance: Regulatory frameworks (e.g., SOC 2, PCI-DSS, HIPAA) require timeouts for idle sessions to secure access to sensitive data and systems.
Operational Control: This setting helps prevent long-lived sessions, thereby providing better control over system access and reducing the attack surface for unauthorized users.
Impact:
Pros:
Enhanced Security: Idle session timeout ensures that inactive sessions do not remain open, reducing the risk of unauthorized access.
Compliance: Helps meet compliance requirements for session management.
Improved Control: Limits the time for which user credentials are active, reducing the chances of misuse or exploitation.
Cons:
User Inconvenience: Short session idle time may lead to more frequent logins, which could disrupt user productivity, especially in long-running tasks.
Operational Complexity: Managing and monitoring idle timeout configurations can be an additional task for administrators, especially in environments with many users or services.
Default Value:
By default, session idle timeout may vary based on the service, but often it is not configured for automatic disconnection. The typical default is set to never disconnect, and manual configuration is required to set an appropriate session idle timeout.
Pre-requisite:
AWS IAM Permissions:
iam:GetAccountPasswordPolicy
ec2:DescribeInstances
appstream:UpdateFleet
appstream:DescribeFleets
AWS CLI installed and configured.
An AWS service (e.g., AppStream 2.0, EC2, RDS) already in place and configured.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon EC2, AppStream 2.0, or the service for which you want to verify the session idle timeout.
In the Service Dashboard, look for session timeout or idle timeout settings. Typically, these settings are available under Fleet settings for AppStream 2.0 or Security settings for EC2.
If the idle timeout is greater than 10 minutes, it needs to be modified.
For AppStream 2.0:
Go to Fleets.
Select the fleet, and click Modify.
Under Idle disconnect timeout, set the value to 10 minutes or less.
Save the changes and verify that the session idle disconnect timeout is now configured to 10 minutes or less.
Using AWS CLI:
To check the idle timeout for AppStream 2.0, run:
aws appstream describe-fleets --query 'Fleets[*].{FleetName:Name,IdleTimeoutSeconds:IdleDisconnectTimeoutInSeconds}'
Review the output to ensure that IdleTimeoutSeconds is 600 (10 minutes) or less for every fleet. A value of 0 means the idle disconnect is disabled, so it does not satisfy this control.
To modify the idle timeout, run:
aws appstream update-fleet --name <fleet-name> --idle-disconnect-timeout-in-seconds 600
Verify the changes by running the describe-fleets command again.
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon EC2, AppStream 2.0, or the relevant service.
In the Service Dashboard, select Fleets (for AppStream 2.0) or go to the Security settings for EC2 or RDS.
Find the Idle Timeout or Session Timeout configuration.
Set the timeout to 10 minutes or less.
Save the changes and confirm the configuration.
Using AWS CLI:
To update the session idle timeout, run the following CLI command for AppStream 2.0 (the value is in seconds, so 600 corresponds to 10 minutes):
aws appstream update-fleet --name <fleet-name> --idle-disconnect-timeout-in-seconds 600
Verify that the timeout is set correctly by running:
aws appstream describe-fleets --query 'Fleets[*].{FleetName:Name,IdleTimeoutSeconds:IdleDisconnectTimeoutInSeconds}'
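As an added example (not part of this SOP), the following Python evaluates a describe-fleets response against the 10-minute threshold and builds the remediation command for each failing fleet. The fleet names and values are constructed; the field name IdleDisconnectTimeoutInSeconds is the one the AppStream API returns, where 0 means idle disconnect is disabled.

```python
import json

# Threshold from this SOP: 10 minutes, in seconds, because the AppStream API
# reports the setting as IdleDisconnectTimeoutInSeconds.
MAX_IDLE_SECONDS = 600

# Constructed sample shaped like `aws appstream describe-fleets` output.
SAMPLE_DESCRIBE_FLEETS = json.dumps({"Fleets": [
    {"Name": "finance-fleet", "IdleDisconnectTimeoutInSeconds": 600},
    {"Name": "dev-fleet", "IdleDisconnectTimeoutInSeconds": 1800},
    {"Name": "kiosk-fleet", "IdleDisconnectTimeoutInSeconds": 0},
    {"Name": "legacy-fleet"},  # field absent: never configured
]})


def is_compliant(timeout_seconds, max_seconds=MAX_IDLE_SECONDS):
    """True only if idle disconnect is enabled (AppStream treats 0 as
    'never disconnect') and at or below the threshold."""
    if timeout_seconds is None or timeout_seconds <= 0:
        return False
    return timeout_seconds <= max_seconds


def audit_fleets(describe_fleets_json, max_seconds=MAX_IDLE_SECONDS):
    """Map each non-compliant fleet name to the reason it failed."""
    findings = {}
    for fleet in json.loads(describe_fleets_json).get("Fleets", []):
        value = fleet.get("IdleDisconnectTimeoutInSeconds")
        if is_compliant(value, max_seconds):
            continue
        if value is None:
            reason = "not configured"
        elif value <= 0:
            reason = "idle disconnect disabled (0)"
        else:
            reason = f"{value}s exceeds {max_seconds}s"
        findings[fleet["Name"]] = reason
    return findings


def remediation_command(fleet_name, max_seconds=MAX_IDLE_SECONDS):
    """Build the update-fleet command that brings one fleet into compliance."""
    return (f"aws appstream update-fleet --name {fleet_name} "
            f"--idle-disconnect-timeout-in-seconds {max_seconds}")


if __name__ == "__main__":
    for name, reason in audit_fleets(SAMPLE_DESCRIBE_FLEETS).items():
        print(f"{name}: {reason}\n  fix: {remediation_command(name)}")
```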
Backout Plan:
Using AWS Console:
If setting the session timeout to 10 minutes causes issues, sign in to the AWS Management Console.
Navigate to the Session Management settings for the respective service.
Revert the timeout setting to the previous value or a longer duration as required.
Save the changes and ensure that the timeout is reset to the appropriate setting.
Using AWS CLI:
To revert the timeout setting, use the following command to modify the fleet's idle disconnect timeout to a longer duration (value in seconds):
aws appstream update-fleet --name <fleet-name> --idle-disconnect-timeout-in-seconds <PREVIOUS_TIMEOUT_SECONDS> --region <REGION>
Verify that the change has been applied:
aws appstream describe-fleets --names <fleet-name> --region <REGION>