Define custom session duration and end active sessions in IAM Identity Center

July 24, 2023


Managing access to accounts and applications requires a balance between keeping access simple and convenient and managing the risk that active user sessions carry. Depending on your organization's needs, you may want sign-in to be easy and sessions long enough for users to finish their work without being interrupted by re-authentication. You may also want to shorten sessions to meet compliance or security requirements. At the same time, you may want to end active sessions your users no longer need, such as sessions belonging to former employees, sessions a user left open on a second device, or sessions in which suspicious activity has been detected.

This article shows how to use the new session management features in IAM Identity Center. First, it walks through configuring the access portal session duration for IAM Identity Center users. Then it shows how to find existing active sessions and end them.

What is the IAM Identity Center?

IAM Identity Center helps you securely create or connect your workforce identities and centrally manage their access to AWS accounts and applications. It is the recommended way for workforce users to access AWS resources. You can connect a third-party identity provider (IdP), such as Okta Universal Directory, Microsoft Azure Active Directory, or Microsoft Active Directory Domain Services, as the identity source, or you can create users directly in IAM Identity Center. The service is offered at no additional charge and builds on AWS Identity and Access Management (IAM).

IAM Identity Center logins and sessions

You use IAM Identity Center to sign in to applications and accounts and to obtain credentials for AWS Management Console, AWS Command Line Interface (AWS CLI) and AWS SDK sessions. When you sign in to IAM Identity Center through the browser or the AWS CLI, an AWS access portal session is created. When you then open the console for an account, IAM Identity Center uses the session duration setting of the permission set to control how long that console session lasts.

Note that the access portal session duration is separate from the permission set session duration, which determines how long a user can work in an account's console through a role assumed from IAM Identity Center.

Before this release, the AWS access portal session duration was fixed at 8 hours. Now you can configure it in IAM Identity Center to anything from 15 minutes to 7 days. The access portal session duration determines how long a user can use the portal, applications and accounts, and run AWS CLI commands, without re-authenticating. If you have an external identity provider connected to IAM Identity Center, the effective access portal session duration is the shorter of the session duration enforced by the identity provider and the duration defined in IAM Identity Center. Users can access accounts and applications until the access portal session expires, at which point re-authentication is required.

When users access accounts or applications through IAM Identity Center, an additional session, separate from but tied to the AWS access portal session, is created. The AWS CLI uses the AWS access portal session to obtain role credentials. The duration of a console session is defined in the permission set the user accessed; once started, it continues until that duration expires or the user ends the session. Sessions of applications integrated with IAM Identity Center re-verify the AWS access portal session every 60 minutes; they continue until the access portal session expires, an application-specific condition ends them, or the user signs out.

To summarize:

  • When users sign in to IAM Identity Center, they can access their assigned roles and applications for a set period, after which they must authenticate again.
  • When a user accesses an assigned permission set, they have access to the corresponding role for the time specified in the permission set, or until they end the session.
  • The AWS CLI uses the AWS access portal session to access roles and refreshes the permission set credentials in the background. A CLI job continues to run until the access portal session expires.
  • Users accessing an application integrated with IAM Identity Center can retain access to it for up to one hour after the access portal session expires.

Note: IAM Identity Center does not support session management features for Active Directory identity sources.

For more session management features, see Authentication sessions in the documentation.

Configuring session duration

This section explains how to configure the AWS access portal session duration in IAM Identity Center. You can select any duration from 15 minutes to 7 days.

Session duration is a global setting in IAM Identity Center. Once set, the maximum duration applies to all IAM Identity Center users.

To configure the session duration in the IAM Identity Center console:

  1. Open the IAM Identity Center console.
  2. In the left navigation pane, select Settings.
  3. On the Settings page, select the Authentication tab.
  4. In the Authentication area next to Session Settings, select Configure.
  5. In the Configure session settings area, select the maximum session duration from the list of predefined durations in the drop-down menu. To set a custom session duration, select Custom duration, enter the session length in minutes, and then select Save.

Congratulations! You have modified the session duration for your users. The new duration takes effect the next time each user signs in.

Find and end AWS access portal sessions

With this release, you can find active access portal sessions for IAM Identity Center users and end them if necessary. This is useful in situations such as:

  • A user has left your organization, or has been removed from projects that gave them access to applications or permission sets they should no longer use.
  • A user's device has been lost or stolen and the user asks you to end their session. This reduces the risk that whoever has the device takes advantage of an open session.

In such cases, you can find the user's active access portal sessions in the IAM Identity Center console, select the sessions you are interested in, and end them. Depending on the situation, you may also want to disable the user's sign-in before ending their session. You can disable sign-in in the IAM Identity Center console or in your third-party identity provider (IdP).

If you disable sign-in in the IdP first and the user then tries to sign in to IAM Identity Center, the change takes effect in IAM Identity Center without any synchronization delay. If instead you disable the user in IAM Identity Center first, the identity provider can re-enable the user. Disabling sign-in in your identity provider first therefore prevents the user from signing in again after you end their session. This is recommended when the user has left the organization and should no longer have access, or when you suspect the user's credentials have been compromised and want to block access until their password has been reset.

Ending an access portal session does not affect an active permission set session that was started from it. An IAM role session assumed through the access portal lasts for the duration specified in the permission set. For the AWS CLI, it can take up to an hour after the access portal session is ended for the CLI session to stop working.
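The session rules summarized earlier (the effective access portal duration when an external IdP is connected, the permission set duration, and the one-hour grace for the AWS CLI and integrated applications) and the effect of ending an access portal session described just above can be checked with the following Python model. It is an added example written for this article, not AWS code: the token cache record is a constructed sample in the shape the AWS CLI v2 writes under ~/.aws/sso/cache/ (the accessToken is a placeholder, not a credential), the PT1H..PT12H strings are the ISO 8601 form that `aws sso-admin create-permission-set --session-duration` accepts, the 15-minute/7-day and 60-minute figures are taken from the article, and `access_after_portal_end` and the other function names are this example's own. The assumption that a CLI session can never outlive the role credentials it already holds is also this example's own reading.

```python
"""Added example: a model of IAM Identity Center session lifetimes as the article
describes them. Not AWS code; the cache record below is a constructed sample."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Bounds from the article: access portal session 15 minutes .. 7 days.
PORTAL_MIN = timedelta(minutes=15)
PORTAL_MAX = timedelta(days=7)
# Permission set session duration bounds (ISO 8601 string, PT1H .. PT12H).
PERMSET_MIN = timedelta(hours=1)
PERMSET_MAX = timedelta(hours=12)
# Article: the CLI and integrated apps re-verify the portal session every 60 minutes.
REVERIFY_GRACE = timedelta(minutes=60)

# Constructed sample in the shape of an AWS CLI v2 file under ~/.aws/sso/cache/.
# The token is a placeholder, not a real credential.
SAMPLE_CACHE_RECORD = {
    "startUrl": "https://example.awsapps.com/start",
    "region": "us-east-1",
    "accessToken": "placeholder-not-a-real-token",
    "expiresAt": "2023-07-24T18:30:00Z",
}


def parse_iso_duration(value: str) -> timedelta:
    """Parse the PTnHnM form used for permission set session durations."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def validate_portal_duration(setting: timedelta) -> timedelta:
    """Reject values outside the range the Identity Center console accepts."""
    if not PORTAL_MIN <= setting <= PORTAL_MAX:
        raise ValueError("access portal session must be 15 minutes to 7 days")
    return setting


def validate_permset_duration(value: str) -> timedelta:
    """Permission set durations are ISO 8601 strings between PT1H and PT12H."""
    d = parse_iso_duration(value)
    if not PERMSET_MIN <= d <= PERMSET_MAX:
        raise ValueError("permission set session duration must be PT1H to PT12H")
    return d


def effective_portal_duration(identity_center_setting: timedelta,
                              idp_session: timedelta | None) -> timedelta:
    """With an external IdP the shorter of the two session limits applies."""
    validate_portal_duration(identity_center_setting)
    if idp_session is None:
        return identity_center_setting
    return min(identity_center_setting, idp_session)


def portal_session_valid(record: dict, now: datetime) -> bool:
    """True while the cached access portal token has not reached expiresAt."""
    expires = datetime.fromisoformat(record["expiresAt"].replace("Z", "+00:00"))
    return now < expires


def access_after_portal_end(portal_ended: datetime, role_assumed_at: datetime,
                            permset_duration: str) -> dict[str, datetime]:
    """Latest time each kind of session can still be used after an administrator
    ends the access portal session at `portal_ended`.

    - console role session: unaffected, runs out the permission set duration;
    - AWS CLI: refreshes from the portal session, so it can keep working for up
      to 60 more minutes (assumed here: never past the role session it holds);
    - integrated app: re-verifies every 60 minutes, so up to 60 more minutes.
    """
    role_until = role_assumed_at + validate_permset_duration(permset_duration)
    grace_until = portal_ended + REVERIFY_GRACE
    return {
        "console_role_session": role_until,
        "cli": min(role_until, grace_until),
        "integrated_app": grace_until,
    }


if __name__ == "__main__":
    now = datetime(2023, 7, 24, 17, 0, tzinfo=timezone.utc)
    print("portal token still valid:", portal_session_valid(SAMPLE_CACHE_RECORD, now))
    print("effective portal duration, 8h setting with 12h IdP session:",
          effective_portal_duration(timedelta(hours=8), timedelta(hours=12)))
    ended = datetime(2023, 7, 24, 12, 0, tzinfo=timezone.utc)
    result = access_after_portal_end(ended, ended - timedelta(hours=1), "PT4H")
    for kind, until in result.items():
        print(f"{kind}: usable until {until.isoformat()}")
```

The practical lesson the model makes visible is the one this section states: ending a user's access portal session does not shorten a console role session that is already running, so for a departed user or a compromised device you should disable sign-in at the IdP first, end the portal session, and then expect console access to persist for up to the permission set duration (and CLI and application access for up to an hour). Shortening the permission set duration for sensitive permission sets reduces that window.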

Tip: enable multi-factor authentication (MFA) wherever possible. MFA adds a layer of protection that helps prevent unauthorized access to systems or data.

To manage active access portal sessions in the IAM Identity Center console:

  1. Open the IAM Identity Center console.
  2. In the left navigation pane, select Users.
  3. On the Users page, select the user name whose sessions you want to manage. This opens the user details page.
  4. On the user details page, select the Active sessions tab. The number in brackets next to Active sessions is the number of currently active sessions for that user.

Select the sessions you want to end and then select Delete session. A dialog box appears asking you to confirm that the selected sessions for this user should be ended.


Review the information in the dialog and select Delete session to continue.

Conclusions

In this article, you have learned how IAM Identity Center manages sessions, how to change the session duration for the AWS access portal, and how to view, search, and end active access portal sessions. It also offered some guidance on choosing a suitable session duration for your use case and on the steps to take when ending sessions for users who should not be able to sign back in afterwards.

With this feature, you have more control over user sessions. You can use the console to set a session length that matches your organization's security requirements and the end-user experience you want. You can also end sessions that are no longer needed or that look suspicious.

To find out more, see: Manage IAM Identity Center integrated application sessions.
