AWS singlesignon medium security documentation change
Summary
Updated session termination timelines and clarified behavior when users are disabled/deleted or sessions are revoked. Added distinction between admin actions and user sign-outs. Reduced maximum application session termination time from 2 hours to 30 minutes (with 1 hour edge case).
Security assessment
The changes explicitly document improved access revocation timelines (immediate prevention of new sessions, 30-minute application termination) which directly impacts security posture by reducing potential exposure windows after user disablement. The clarification about session revocation forcing re-authentication strengthens security documentation.
Diff
diff --git a/singlesignon/latest/userguide/authconcept.md b/singlesignon/latest/userguide/authconcept.md index c7c8da6fb..0035ecab3 100644 --- a//singlesignon/latest/userguide/authconcept.md +++ b//singlesignon/latest/userguide/authconcept.md @@ -13 +13 @@ A user signs in to the AWS access portal using their user name. When they do, IA -There are two types of authentication sessions maintained by IAM Identity Center: one to represent the users’ sign in to IAM Identity Center, and another to represent the users’ access to AWS managed applications, such as Amazon SageMaker AI Studio or Amazon Managed Grafana. Each time a user signs in to IAM Identity Center, a sign in session is created for the duration configured in IAM Identity Center, which can be up to 90 days. For more information, see [Configure the session duration of the AWS access portal and IAM Identity Center integrated applications](./configure-user-session.html). Each time the user accesses an application, the IAM Identity Center sign in session is used to obtain an IAM Identity Center application session for that application. IAM Identity Center application sessions have a refreshable 1-hour lifetime – that is, IAM Identity Center application sessions are automatically refreshed every hour as long as the IAM Identity Center sign in session from which they were obtained is still valid. If the user signs out using the AWS access portal, the user's sign in session ends. The next time application refreshes its session, the application session will end. +There are two types of authentication sessions maintained by IAM Identity Center: one to represent the users’ sign in to IAM Identity Center, and another to represent the users’ access to AWS managed applications, such as Amazon SageMaker AI Studio or Amazon Managed Grafana. Each time a user signs in to IAM Identity Center, a sign in session is created for the duration configured in IAM Identity Center, which can be up to 90 days. For more information, see [Configure the session duration of the AWS access portal and IAM Identity Center integrated applications](./configure-user-session.html). Each time the user accesses an application, the IAM Identity Center sign in session is used to create an IAM Identity Center application session for that application. IAM Identity Center application sessions have a refreshable 1-hour lifetime – that is, IAM Identity Center application sessions are automatically refreshed every hour as long as the IAM Identity Center sign in session from which they were obtained is still valid. If the user signs out using the AWS access portal, the user's sign in session ends. The next time application refreshes its session, the application session will end. @@ -15 +15 @@ There are two types of authentication sessions maintained by IAM Identity Center -When the user uses IAM Identity Center to access the AWS Management Console or CLI, the IAM Identity Center sign in session is used to obtain an IAM session, as specified in the corresponding IAM Identity Center permission set (more specifically, IAM Identity Center assumes an IAM role, which IAM Identity Center manages, in the target account). IAM sessions persist for the time specified for the permission set, unconditionally. +When the user uses IAM Identity Center to access the AWS Management Console or AWS CLI, the IAM Identity Center sign in session is used to obtain an IAM session, as specified in the corresponding IAM Identity Center permission set (more specifically, IAM Identity Center assumes an IAM role, which IAM Identity Center manages, in the target account). IAM sessions persist for the time specified for the permission set, unconditionally. @@ -21 +21 @@ IAM Identity Center does not support SAML Single Logout initiated by an identity -When you disable or delete a user in IAM Identity Center, that user will immediately be prevented from signing in to create new IAM Identity Center sign in sessions. IAM Identity Center sign in sessions are cached for one hour, which means that when you disable or delete a user while they have an active IAM Identity Center sign in session, their existing IAM Identity Center sign in session will continue for up to an hour, depending on when the sign in session was last refreshed. During this time, the user can initiate new IAM Identity Center application and IAM role sessions. +When you disable or delete a user in IAM Identity Center, that user will immediately be prevented from signing in to create new IAM Identity Center sign in sessions. When you revoke a user sign-in session, the user must sign-in again. @@ -23 +23 @@ When you disable or delete a user in IAM Identity Center, that user will immedia -After the IAM Identity Center sign in session expires, the user can no longer initiate new IAM Identity Center application or IAM role sessions. However, IAM Identity Center application sessions can also be cached for up to an hour, such that the user might retain access to an application for up to an hour after the IAM Identity Center sign in session has expired. Any existing IAM role sessions will continue based on the duration configured in the IAM Identity Center permission set (admin-configurable, up to 12 hours). +When an IAM Identity Center administrator deletes or disables a user, the user will immediately lose access to the AWS access portal. Existing application sessions will lose access within 30 minutes following deletion or being disabled. In some cases, it can take up to 1 hour for existing applications to lose access. @@ -25 +25 @@ After the IAM Identity Center sign in session expires, the user can no longer in -The table below summarizes these behaviors: +Any existing IAM role sessions will continue based on the duration configured in the IAM Identity Center permission set which can be configured up to 12 hours. This behavior also applies when a user session is revoked or the user signs out. @@ -27,6 +27,10 @@ The table below summarizes these behaviors: -User experience / system behavior | Time after user is disabled / deleted ----|--- -User can no longer sign in to IAM Identity Center; user cannot obtain a new IAM Identity Center sign in session | None (effective immediately) -User can no longer start new application or IAM role sessions via IAM Identity Center | Up to 1 hour -User can no longer access any applications (all application sessions are terminated) | Up to 2 hours (up to 1 hour for IAM Identity Center sign in session expiration, plus up to 1 hour for IAM Identity Center application session expiration) -User can no longer access any AWS accounts through IAM Identity Center | Up to 13 hours (up to 1 hour for IAM Identity Center sign in session expiry, plus up to 12 hours for administrator-configured IAM role session expiry per the IAM Identity Center session duration settings for the permission set) +The following table summarizes IAM Identity Center behaviors: + +User experience / system behavior | Time after user disabled / deleted | Time after user session revoked / signs out +---|---|--- +User can no longer sign in IAM Identity Center | Effective immediately | _Not applicable_ +User can no longer start new application or IAM role sessions via IAM Identity Center | Effective immediately | Effective immediately +User can no longer access any applications (all application sessions are terminated by the administrator or the user signs out) | Up to 30 minutes * | Up to 30 minutes * +User can no longer access any AWS accounts through IAM Identity Center | Up to 12 hours (up to 1 hour for IAM Identity Center sign in session expiry, plus up to 12 hours for administrator-configured IAM role session expiry per the IAM Identity Center session duration settings for the permission set) | Up to 12 hours (up to 1 hour for IAM Identity Center sign in session expiry, plus up to 12 hours for administrator-configured IAM role session expiry per the IAM Identity Center session duration settings for the permission set) + +* In some cases, for example service disruption, it can take up to an hour to lose application access.