Profile Applicability:

  • Level 1

Description:

The session disconnect timeout is the period of inactivity after which a user's session is automatically disconnected from a service that hosts interactive sessions (e.g., an AppStream 2.0 streaming session or an Amazon WorkSpaces desktop session). For security purposes, it is recommended to configure this timeout to 5 minutes or less. This limits how long an unattended session remains usable by anyone who reaches the user's device or client.

Setting a session disconnect timeout ensures that sessions that are inactive for a set period are automatically disconnected, reducing the risk of an abandoned session being used by someone other than its owner. In AppStream 2.0 the relevant fleet attribute is the idle disconnect timeout (IdleDisconnectTimeoutInSeconds), where idle means no keyboard or mouse input; a value of 0 disables it. AppStream 2.0 also keeps a disconnected session resumable for a separate disconnect timeout (DisconnectTimeoutInSeconds), so both values should be reviewed together: a short idle disconnect combined with a long disconnect timeout still lets a client that re-authenticates as the same user resume the session during that window.

This SOP ensures that session disconnect timeout settings are configured to 5 minutes or less, using AppStream 2.0 fleets as the worked example.

Rationale:

  • Security: Automatic disconnection after a short period of inactivity limits the exposure of unattended sessions. An idle session left open on an unlocked or shared device can be used by anyone with physical access to it, without needing the user's credentials.

  • Compliance: Regulatory frameworks that apply to sensitive data call for idle session controls, for example PCI DSS requirement 8.2.8 (re-authentication after 15 minutes of idle time) and the HIPAA Security Rule's automatic logoff specification (45 CFR 164.312(a)(2)(iii)); SOC 2 assessments commonly examine the same control. A 5-minute timeout satisfies these with margin.

  • Reduced Risk: Shorter timeouts minimize the risk of leaving sensitive sessions open and accessible to unauthorized parties.

Impact:

Pros:

  • Enhanced Security: Shorter session timeouts limit the potential impact of compromised sessions.

  • Compliance: Meets security best practices and compliance requirements for handling sensitive data.

  • Reduced Attack Surface: Minimizes the risk of unauthorized users accessing sensitive information through abandoned sessions.

Cons:

  • User Inconvenience: Users may experience interruptions if they are inactive for a period and the session disconnects. In AppStream 2.0, idle means no keyboard or mouse input, so users watching long-running output without interacting are disconnected as well. Frequent disconnections may frustrate users, especially where long periods of inactivity are common.

  • Operational Overhead: Configuring and maintaining the session timeout settings might require additional effort, especially when balancing user productivity with security requirements.

Default Value:

The default value varies by service and, for AppStream 2.0, by how the fleet was created: the console pre-populates the timeout fields, while the CreateFleet API leaves the idle disconnect timeout disabled (0) unless IdleDisconnectTimeoutInSeconds is specified. Do not rely on defaults; verify the effective value on every fleet and set it explicitly.

Pre-requisite:

  • AWS IAM Permissions:

    • appstream:DescribeFleets (to read the current timeout values)

    • appstream:UpdateFleet (to change them)

  • AWS CLI installed and configured for the account and Region that contain the fleets.

  • The current timeout values of each affected fleet recorded before any change, so that the Backout Plan can restore them.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Open the AppStream 2.0 console in each Region where fleets are deployed (or the console of whichever service hosts the sessions under review).

  3. Choose Fleets, select a fleet, and review Idle disconnect timeout in the fleet details.

    • If the value is disabled or greater than 5 minutes, the fleet is non-compliant.

  4. Repeat for every fleet in every Region in use.

Using AWS CLI:

  1. List each fleet's name and timeout values (all values are in seconds):

    aws appstream describe-fleets --output table --query 'Fleets[*].[Name,IdleDisconnectTimeoutInSeconds,DisconnectTimeoutInSeconds,MaxUserDurationInSeconds]'

  2. Review the output. IdleDisconnectTimeoutInSeconds must be between 60 and 300; a value of 0 means idle disconnection is disabled and is a finding. Repeat with --region <REGION> for each Region in use.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and open the AppStream 2.0 console in the fleet's Region.

  2. Choose Fleets and select the fleet to change.

  3. Choose Modify and locate Idle disconnect timeout.

  4. Set it to 5 minutes or less, and review the Disconnect timeout next to it so that a disconnected session cannot be resumed for longer than policy allows.

  5. Click Save to apply the changes.

Using AWS CLI:

  1. Set the idle disconnect timeout to 300 seconds (5 minutes):

    aws appstream update-fleet --name <fleet-name> --idle-disconnect-timeout-in-seconds 300

  2. Verify the updated settings:

    aws appstream describe-fleets --names <fleet-name> --output text --query 'Fleets[0].[Name,IdleDisconnectTimeoutInSeconds,DisconnectTimeoutInSeconds]'

The idle disconnect and disconnect timeouts are among the attributes UpdateFleet accepts while an Always-On or On-Demand fleet is running; most other fleet attributes require the fleet to be stopped first.
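The Test Plan and Implementation Steps above check one fleet at a time. The following script, added here as an example and not part of the original SOP or of any AWS-provided tool, audits every fleet in a describe-fleets listing against the 300-second limit, treats a disabled (0) or non-numeric value as a finding rather than a pass, and prints the update-fleet command that remediates each failing fleet. The input format it assumes is the tab-separated text output of the describe-fleets query shown in the comments; the fleet names and values in SAMPLE_FLEETS are constructed sample data, not from a real account.

```shell
#!/bin/sh
# Added example for this SOP (not AWS-provided code): audit AppStream 2.0
# fleets against the 5-minute idle disconnect requirement and print the
# exact remediation command for each failing fleet.
#
# Assumed input format (tab-separated, one fleet per line), as produced by:
#   aws appstream describe-fleets --output text \
#     --query 'Fleets[*].[Name,IdleDisconnectTimeoutInSeconds,DisconnectTimeoutInSeconds]'
# Field order: Name, IdleDisconnectTimeoutInSeconds, DisconnectTimeoutInSeconds.

MAX_IDLE_SECONDS=300   # 5 minutes, the limit this SOP enforces
TAB=$(printf '\t')

# classify_fleet NAME IDLE DISCONNECT
# Prints one PASS/FAIL line; returns 0 when compliant, 1 otherwise.
classify_fleet() {
  name=$1; idle=$2; disc=$3
  case "$idle" in
    ''|*[!0-9]*)
      # "None" (null in text output) or garbage: a finding, never a pass.
      echo "FAIL $name: idle disconnect timeout is not numeric ('$idle')"; return 1 ;;
  esac
  if [ "$idle" -eq 0 ]; then
    # AppStream 2.0 treats 0 as "never disconnect idle users".
    echo "FAIL $name: idle disconnect timeout disabled (0)"; return 1
  fi
  if [ "$idle" -gt "$MAX_IDLE_SECONDS" ]; then
    echo "FAIL $name: idle disconnect timeout ${idle}s exceeds ${MAX_IDLE_SECONDS}s"; return 1
  fi
  echo "PASS $name: idle ${idle}s, disconnect ${disc}s"
  return 0
}

# remediation_command NAME
# Prints the update-fleet call that brings NAME into compliance.
remediation_command() {
  echo "aws appstream update-fleet --name '$1' --idle-disconnect-timeout-in-seconds $MAX_IDLE_SECONDS"
}

# audit_fleets
# Reads fleet lines on stdin; returns the number of non-compliant fleets.
audit_fleets() {
  failures=0
  while IFS="$TAB" read -r name idle disc; do
    [ -n "$name" ] || continue
    if ! classify_fleet "$name" "$idle" "$disc"; then
      failures=$((failures + 1))
      echo "  remediate: $(remediation_command "$name")"
    fi
  done
  return "$failures"
}

# Constructed sample data (not from a real account): one compliant fleet,
# one with idle disconnect disabled, one with a 30-minute idle timeout.
SAMPLE_FLEETS=$(printf 'finance-fleet\t300\t900\nkiosk-fleet\t0\t900\nengineering-fleet\t1800\t600')

main() {
  if [ "${1:-}" = "--live" ]; then
    aws appstream describe-fleets --output text \
      --query 'Fleets[*].[Name,IdleDisconnectTimeoutInSeconds,DisconnectTimeoutInSeconds]' | audit_fleets
  else
    printf '%s\n' "$SAMPLE_FLEETS" | audit_fleets
  fi
  rc=$?
  echo "RESULT: $rc non-compliant fleet(s)"
  return "$rc"
}

status=0
main "$@" || status=$?
# In live mode the exit status is the number of findings, so the script can gate a pipeline.
if [ "${1:-}" = "--live" ]; then exit "$status"; fi
```

Run it without arguments to see the verdicts for the sample data, or as `AWS_DEFAULT_REGION=<REGION> sh audit-appstream-idle.sh --live` to read the real fleets in one Region through the AWS CLI (the profile used needs appstream:DescribeFleets). It audits one Region per run, so loop over every Region where fleets exist.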

Backout Plan:

Using AWS Console:

  1. If the shorter timeout disrupts users, sign in to the AWS Management Console and open the AppStream 2.0 console (or the console of the relevant service) in the fleet's Region.

  2. Select the fleet, choose Modify, and set Idle disconnect timeout back to the value recorded before the change, or to a longer interim value while the impact is assessed.
    Save the changes and verify that the fleet details show the restored value.

Using AWS CLI:

  1. Restore the recorded idle disconnect timeout (in seconds):

    aws appstream update-fleet --name <fleet-name> --idle-disconnect-timeout-in-seconds <PREVIOUS_VALUE> --region <REGION>

  2. Verify the timeout setting has been reverted:

    aws appstream describe-fleets --names <fleet-name> --region <REGION> --output text --query 'Fleets[0].[Name,IdleDisconnectTimeoutInSeconds]'

References:

CIS Controls Mapping:

  Version  Control ID  Control Description                                                      IG1  IG2  IG3
  v8       3.4         Enforce Data Retention                                                    x    x    x
  v8       6.7         Centralize Access Control                                                      x    x
  v8       6.8         Define and Maintain Role-Based Access Control                                       x
  v8       14.6        Train Workforce Members on Recognizing and Reporting Security Incidents   x    x    x

The safeguard that most directly covers this control is CIS Controls v8 4.3, Configure Automatic Session Locking on Enterprise Assets (IG1, IG2, IG3), which caps inactivity at 15 minutes for general-purpose operating systems; the 5-minute value in this SOP is stricter.