AWS amazonq high security documentation change
Summary
Added documentation section detailing login/logout procedures, session duration (1 hour), token refresh requirements, and security recommendations for session management in the Web Experience. Includes warnings about session persistence risks and logout behavior differences between IDC and IDP integrations.
Security assessment
Directly addresses security concerns by explaining session expiration mechanics, emphasizing the need to log out properly to prevent unauthorized access, and warning about cookie restoration bypassing logout. Mentions concrete security risks like session token validity and persistence.
Diff
diff --git a/amazonq/latest/qbusiness-ug/using-web-experience.md index 39b369e0d..af5fdf2bc 100644 --- a/amazonq/latest/qbusiness-ug/using-web-experience.md +++ b/amazonq/latest/qbusiness-ug/using-web-experience.md @@ -5 +5 @@ -Example promptsEngage with contextual responsesAnalysis and reasoningPerform actions using pluginsReview source citationsUpload files and chatCopy responsesProvide feedbackConversation managementResponse sources +Example promptsEngage with contextual responsesAnalysis and reasoningPerform actions using pluginsReview source citationsUpload files and chatCopy responsesProvide feedbackConversation managementResponse sourcesLogin, Logout and session duration for Web Experience @@ -42,0 +43,2 @@ The Amazon Q Business web experience provides you with the following capabilitie + * Login, Logout and session duration for Web Experience + @@ -144,0 +147,36 @@ For more information, see [Using global controls in Amazon Q Business](https://d +## Login, Logout and session duration for Web Experience + +Users log in through their identity provider, which integrates with the Amazon Q Business Web App. After authentication, a session token is generated and the user is automatically logged into the Web App through single sign-on. Amazon Q Business Web App sessions expire one hour after login. To maintain continuous access, users must refresh their session token before expiration, not after, by refreshing the page. + +For security, users should log out of both the Web App and their identity provider when finished. Leaving a session active allows anyone using the same computer within the hour to bypass login due to the still-valid session token. + +**IDC (Identity Center) Applications** + +When a user logs out: + + * Browser cookies are deleted + + * The session is revoked through IDC + + * The user is redirected to the login page + + + + +**IDP (Identity Provider) Applications** + +When a user logs out: + + * Browser cookies are deleted + + * The user is redirected to the login page + + + + +JWTs (JSON Web Tokens) are used for authentication and authorization and expire after an hour. + +###### Note + +If the webpage’s cookies are restored after logout, then the IDP session cookie information may still validate the web app, preventing a successful logout. +