Profile Applicability:

  • Level 1

Description:

In AWS Identity and Access Management (IAM), session duration defines the maximum amount of time a user session is active when using temporary security credentials. This can be specified for IAM users or roles. By default, the maximum session duration is 12 hours, but for security reasons, it is recommended to reduce this to a maximum of 10 hours.

Limiting the maximum session duration helps minimize the impact of potential security incidents, such as compromised credentials, by reducing the time period during which a session remains active.

This SOP ensures that IAM user session durations do not exceed 10 hours, enforcing better security practices for user access.

Rationale:

  • Security: Reducing the session duration limits the window of time during which a compromised session can be used, thus reducing the potential impact of unauthorized access.

  • Compliance: Many security frameworks, including SOC 2, PCI-DSS, and HIPAA, recommend limiting session durations as a best practice for controlling access.

  • Risk Reduction: Shorter sessions help mitigate the risks associated with long-lived sessions, such as accidental or unauthorized use of credentials.

Impact:

Pros:

  • Reduced Risk of Long-Lived Sessions: Reducing the session duration helps mitigate the risk of session hijacking or unauthorized access if credentials are compromised.

  • Improved Security Posture: Helps align with security best practices by enforcing short-lived sessions and limiting exposure.

  • Compliance: Meets industry standards and regulatory requirements for session management.

Cons:

  • Inconvenience for Users: Reducing the session duration may lead to more frequent logins or re-authentication requests, potentially impacting user productivity.

  • Session Interruptions: Users may experience interruptions if their sessions time out and require them to re-authenticate or re-initiate their session.

Default Value:

By default, IAM session durations are set to 12 hours for most roles and IAM users. This must be manually configured to 10 hours or less.

Pre-requisite:

  • AWS IAM Permissions:

    • iam:UpdateAssumeRolePolicy

    • iam:GetRole

    • iam:UpdateRole

  • AWS CLI installed and configured.

  • Access to modify IAM role session duration for the account.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM under Security, Identity, & Compliance.

  3. In the IAM Dashboard, go to Roles.

  4. Select the role to check for session duration.

  5. In the Role details, check the Maximum session duration field.

    • If the session duration is greater than 10 hours, it needs to be adjusted.

  6. To modify the session duration, click Edit in the Trust Relationship section.

  7. Set the Maximum session duration to 10 hours or less and save the changes.

Using AWS CLI:

  1. To check the current session duration for a role, run:

    aws iam get-role --role-name <role-name> --query 'Role.MaxSessionDuration'

  2. If the session duration is greater than 10 hours, modify it (the value is given in seconds; 36000 seconds = 10 hours):

    aws iam update-role --role-name <role-name> --max-session-duration 36000

  3. Verify the change by running the get-role command again and confirming that the returned value is 36000 seconds (10 hours) or less.
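Checking one role at a time, as above, does not scale to an account with many roles. The following audit helper is an added example, not part of this SOP: it reads the JSON printed by `aws iam list-roles --output json`, reports every role whose MaxSessionDuration exceeds the 36000-second (10-hour) limit, and builds the matching `aws iam update-role` command from the steps above for each finding. The role names and values in the embedded sample are constructed.

```python
"""Audit IAM roles for MaxSessionDuration above the 10-hour (36000 s) limit.

Usage against a real account (AWS CLI configured with iam:ListRoles):
    aws iam list-roles --output json | python audit_session_duration.py
With no piped input the constructed sample below is used instead.
"""
import json
import sys

MAX_ALLOWED_SECONDS = 10 * 60 * 60  # 10 hours, the limit this SOP enforces


def find_noncompliant(roles, max_allowed=MAX_ALLOWED_SECONDS):
    """Return [(role_name, current_seconds)] for roles over max_allowed.

    `roles` is the "Roles" list from list-roles. Entries without a
    MaxSessionDuration field are skipped rather than guessed at.
    """
    findings = []
    for role in roles:
        duration = role.get("MaxSessionDuration")
        if duration is not None and duration > max_allowed:
            findings.append((role["RoleName"], duration))
    return findings


def remediation_commands(findings, max_allowed=MAX_ALLOWED_SECONDS):
    """Build the update-role command from the SOP for each finding."""
    return [
        f"aws iam update-role --role-name {name} --max-session-duration {max_allowed}"
        for name, _ in findings
    ]


def audit(list_roles_json):
    """Parse raw `aws iam list-roles` output and return the findings."""
    return find_noncompliant(json.loads(list_roles_json)["Roles"])


# Constructed sample of `aws iam list-roles` output, trimmed to relevant fields.
SAMPLE_LIST_ROLES = json.dumps({"Roles": [
    {"RoleName": "DeployRole", "MaxSessionDuration": 43200},       # 12 h: over limit
    {"RoleName": "ReadOnlyAudit", "MaxSessionDuration": 3600},     # 1 h: fine
    {"RoleName": "DataScienceRole", "MaxSessionDuration": 36000},  # exactly 10 h: fine
]})

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_ROLES
    findings = audit(raw)
    for name, seconds in findings:
        print(f"NON-COMPLIANT {name}: {seconds} s ({seconds / 3600:.1f} h)")
    for cmd in remediation_commands(findings):
        print(cmd)
    sys.exit(1 if findings else 0)  # non-zero exit lets a CI job fail the check
```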

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to IAM.

  2. In the IAM Dashboard, go to Roles and select the role whose session duration you want to modify.

  3. Under the Role details, click Edit in the Trust Relationships section.

  4. In the Session Duration field, change the value to 10 hours (or less).

  5. Click Update Role to save the changes.

Using AWS CLI:

  1. To modify the session duration for an IAM role, run:

    aws iam update-role --role-name <role-name> --max-session-duration 36000

  2. Verify that the session duration has been updated:

    aws iam get-role --role-name <role-name> --query 'Role.MaxSessionDuration'

Backout Plan:

Using AWS Console:

  1. If the session duration setting causes issues, sign in to the AWS Management Console.

  2. Navigate to IAM, select the role or user, and go to Role Settings.

  3. Increase the maximum session duration or revert to the previous settings.

  4. Save the changes and ensure the session duration is adjusted.

Using AWS CLI:

  1. To revert the maximum session duration back to a longer duration, run:

    aws iam update-role --role-name <ROLE_NAME> --max-session-duration <NEW_DURATION>

  2. Verify that the session duration has been adjusted:

    aws iam get-role --role-name <ROLE_NAME> --query 'Role.MaxSessionDuration'

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                         | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                        |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                   |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                             |     |     |