Keeping Sessions Short With AWS Assume-Role

ACM.364 Deploying resources with a job that requires MFA in a container with a short-lived session


I’m inserting this post where I skipped a number earlier. Also, I should have written about it earlier :)

I’m adding this to my deployment script in my container that requires MFA on each run to deploy resources:

I’ve been showing you how to create sessions and use MFA in prior posts but I should have written about this a long time ago. I am running a quick command and ending it. How long do you think that command should take? It depends on the command but likely not over a minute in most cases. If I compile a bunch of commands together perhaps it takes a bit longer.

Let’s say the longest a command will take is one minute but I can override that if I have something that takes longer.

I can set the maximum length of a session using the assume-role command:

One minute is 60 seconds so I can add that to my deployment script:

However, upon testing, the minimum session length is 15 minutes or 900 seconds. Unfortunate. But we can end a session using the method I wrote about in another post.

I can add that to my call to obtain short term (really short term!) credentials to deploy a resource:

Use with MFA for best protection as explained in prior posts.

I can incorporate a question at the top of the script to see if the user wants to override the session length:

I added a function to validate the entry is numeric in my validation script:
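The steps above (a session-length prompt, a numeric check, and the 900-second floor found on testing) can be combined as in the following added example. It is not the author's script: the function names and the role ARN and MFA serial arguments are hypothetical, and the 43200-second ceiling is the STS API limit rather than something stated in this post.

```bash
#!/usr/bin/env bash
# Added example, not the author's script. Function names and the
# role ARN / MFA serial arguments are hypothetical.
STS_MIN_SECONDS=900     # minimum the post found on testing (15 minutes)
STS_MAX_SECONDS=43200   # API ceiling; the role's own maximum may be lower

# Succeeds only for a non-empty string of decimal digits.
is_numeric() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints the --duration-seconds value to request, or fails on bad input.
# Empty input selects the shortest session STS allows.
session_duration() {
  local requested="${1:-$STS_MIN_SECONDS}"
  is_numeric "$requested" || { echo "not a number: $requested" >&2; return 1; }
  # Drop leading zeros, then cap the length so the comparison cannot overflow.
  while [ "${requested#0}" != "$requested" ] && [ "${#requested}" -gt 1 ]; do
    requested="${requested#0}"
  done
  if [ "${#requested}" -gt 5 ] || [ "$requested" -gt "$STS_MAX_SECONDS" ]; then
    echo "over STS maximum of $STS_MAX_SECONDS seconds" >&2; return 1
  fi
  if [ "$requested" -lt "$STS_MIN_SECONDS" ]; then
    echo "raising $requested to the STS minimum $STS_MIN_SECONDS" >&2
    requested="$STS_MIN_SECONDS"
  fi
  echo "$requested"
}

# Requests MFA-backed credentials for the validated duration (prints STS JSON).
assume_role_short() {
  local role_arn="$1" mfa_serial="$2" token="$3" seconds
  seconds="$(session_duration "${4:-}")" || return 1
  is_numeric "$token" || { echo "MFA code must be digits" >&2; return 1; }
  aws sts assume-role --role-arn "$role_arn" \
    --role-session-name "deploy-$(date +%s)" \
    --serial-number "$mfa_serial" --token-code "$token" \
    --duration-seconds "$seconds"
}

# Interactive use: bash assume.sh <role-arn> <mfa-serial>
if [ "$#" -eq 2 ]; then
  printf 'Session seconds [%s]: ' "$STS_MIN_SECONDS" >&2; read -r secs
  printf 'MFA code: ' >&2; read -r code
  assume_role_short "$1" "$2" "$code" "$secs"
fi
```

Because the entry is checked to be digits only before it reaches the `aws` command line, a mistyped value such as `15m` is rejected locally instead of being passed to STS.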

The last thing I’ll mention is a feature request for AWS STS.

I wish AWS STS had a describe-sessions or list-sessions command like they do for other services like SSM that would show all the active STS sessions in an organization, an account, or for a specific user or role. #awswishlist

Teri Radichel | © 2nd Sight Lab 2023
