AWS connect medium security documentation change
Summary
Updated authentication profile documentation to add session inactivity timeout configuration, clarify default behavior, and provide implementation details for automatic logout on user inactivity
Security assessment
The changes introduce a new security feature (automatic session termination on inactivity) that directly impacts access control. The added 'SessionInactivityDuration' and 'SessionInactivityHandlingEnabled' parameters help enforce stricter session management policies. This addresses session persistence risks by automatically logging out inactive users, reducing the attack surface from unattended sessions.
Diff
diff --git a/connect/latest/adminguide/authentication-profiles.md b/connect/latest/adminguide/authentication-profiles.md index 8f9816fbc..b3b4a3565 100644 --- a//connect/latest/adminguide/authentication-profiles.md +++ b//connect/latest/adminguide/authentication-profiles.md @@ -5 +5 @@ -Configure IP address ranges and session durationConfigure IP-based access controlExample IP address configurationsConfigure the session duration +Configure IP address ranges and session durationConfigure IP-based access controlExample IP address configurationsConfigure user session timeouts @@ -26 +26 @@ In Amazon Connect you configure an _authentication profile_ to set IP address re -Your Amazon Connect instance includes a default authentication profile. This authentication profile automatically applies to **all users** in your contact center. You do not need to assign the authentication profile to the users for it to apply. +Your Amazon Connect instance includes a default authentication profile. This authentication profile applies to **all existing and new users** in your contact center by default and does not need to be assigned. @@ -28 +28 @@ Your Amazon Connect instance includes a default authentication profile. This aut -To configure your default authentication profile, use the following AWS SDK commands. +Authentication profiles are currently only configurable with the AWS SDK. To configure your default authentication profile, use the following commands. @@ -77 +77,3 @@ Following is an example of the information returned by the `describe-authenticat - "PeriodicSessionDuration": 60 + "PeriodicSessionDuration": 60, + "SessionInactivityDuration": 60, + "SessionInactivityHandlingEnabled": false @@ -94 +96,2 @@ Following is an example `update-authentication-profile` command. It configures t - --periodic-session-duration 60 + --no-session-inactivity-handling-enabled + --session-inactivity-duration 60 @@ -222 +225 @@ The `allowedIps` list defines the range of possible IPs allowed in your contact -## Configure the session duration +## Configure user session timeouts @@ -224 +227 @@ The `allowedIps` list defines the range of possible IPs allowed in your contact -You can fine-tune the **periodic session duration** according to your organization's preference and security requirements. For example, you can set the periodic session duration to 20 minutes so your agent's IP address and session duration are checked within a 20 minute time period in the CCP. +An Amazon Connect session is defined as a continuous period of authenticated access to your contact center’s website. There are two session timeouts that apply to user sessions in your contact center: @@ -226 +229 @@ You can fine-tune the **periodic session duration** according to your organizati -Amazon Connect uses a token-based authentication model. There are two session timeouts that apply to user sessions in your contact center: + * **Maximum session duration** : This value represents the maximum time period a contact center user can be logged in before being forced to sign-in again. This value defaults to 12 hours and isn't configurable. @@ -228 +231,12 @@ Amazon Connect uses a token-based authentication model. There are two session ti - * **Periodic session duration** : The maximum time period before a contact center user is authenticated. Default = 60 minutes. This option can be configured to a different value between 10 - 60. + * **Session inactivity duration:** : This value represents the period before an agent is automatically signed out of the contact center when they go inactive. + + + + +By default, users in your Amazon Connect instance remain signed in until the maximum session duration of 12 hours elapses, with no automatic logout for inactivity. However, organizations with stricter security and compliance requirements can leverage authentication profiles to enable automatic sign-out when users become inactive. Once enabled, this feature monitors user activity patterns and automatically ends sessions after the configured session inactivity duration has passed. + +A contact center user is considered active when performing any of the following actions: + + * Mouse and keyboard activity on the Contact Control Panel (CCP), Agent Workspace, or Admin Website + + * Presence of an active voice contact @@ -230 +243,0 @@ Amazon Connect uses a token-based authentication model. There are two session ti -###### Note @@ -232 +244,0 @@ Amazon Connect uses a token-based authentication model. There are two session ti -Although this setting defines the maximum interval of time that can pass before a user is authenticated, authentication may happen earlier in specific situations. For example, in the Amazon Connect admin website, authentication also happens whenever certain actions are performed, such as creating a user or changing a security profile. @@ -234 +245,0 @@ Although this setting defines the maximum interval of time that can pass before - * **Maximum session duration** : The maximum time period a contact center user can be logged in before being forced to sign-in again. Default = 12 hours; it cannot be configured to a different value. @@ -235,0 +247,14 @@ Although this setting defines the maximum interval of time that can pass before +If the user is determined to be inactive, a pop-up will appear on the screen warning the user that their session is about to expire due to inactivity. A user can choose to remain logged in or log out. + +To opt-in to automatic logout on user inactivity, perform the following API calls on an authentication profile in your instance using the Amazon Connect SDK. + + + aws connect update-authentication-profile + --instance-id <your-instance-id> + --profile-id <profile-id> + --session-inactivity-handling-enabled true + --session-inactivity-duration <minutes between 15 and 720> + +###### Note + +Customers who integrate their contact center with a third-party vendor (such as Salesforce Service Cloud Voice (SCV)) should should refer to the vendor documentation to determine if this feature is supported before enabling automatic log-outs on inactivity. @@ -236,0 +262 @@ Although this setting defines the maximum interval of time that can pass before +Customers who leverage AmazonConnectStreams or the AmazonConnectSDK to integrate their existing web applications with Amazon Connect must implement activity handling as part of their integration before enabling automatic log-out on user inactivity. See the AmazonConnectStreams or AmazonConnectSDK documentation for more information. @@ -237,0 +264 @@ Although this setting defines the maximum interval of time that can pass before +Automatic log-out on user inactivity is not supported when using Amazon Connect in a [Virtual Desktop Infrastructure (VDI) with a split CCP model](./using-ccp-vdi.html#use-split-ccp).