aws/aws-sdk

Add Method to Programmatically Terminate AWS SSO Sessions

Closed this issue · 10 comments

Description:
Request the addition of a method in boto3 to forcefully terminate active AWS SSO sessions. This capability is already available in the AWS Console, but an API method is needed for programmatic access. This feature is particularly crucial for scenarios where users are temporarily granted elevated permissions, like with tools such as AWS SSO Elevator.

Use Case:
Currently, even after permissions are revoked, an active session can persist if an SSOFallBack group is present for other AWS purposes, even if it doesn't contain users but has the same permission set linked to the account. This allows users to maintain operations until the session ends naturally, posing a security risk.

Suggest adding a method, e.g., terminate_sso_session(), that takes parameters like the user's SSO identity to end their AWS SSO session immediately. This ensures that when permissions are revoked, there's no lingering access due to active sessions.

While there are methods to revoke permissions, the lack of a session termination feature in the API can compromise security, particularly when temporary access is granted on-demand. This enhancement would significantly bolster the security of systems relying on AWS SSO for temporary access.
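The lingering-access condition described in this request (a user's direct assignment revoked while another principal, such as a fallback group, still keeps the same permission set linked to the account), as an added example that is not part of this issue thread or the AWS SDKs. It drives two real sso-admin paginators (ListPermissionSetsProvisionedToAccount, ListAccountAssignments) through an injected client so it can also be run against boto3; the FakeSsoAdmin client, account id, permission set ARNs and principal ids below are constructed placeholders.

```python
ACCOUNT = "111122223333"  # constructed placeholder account id
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"
PS_READ = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly"

# Constructed sample in the shape of ListAccountAssignments responses: alice holds the
# admin permission set directly, and an empty fallback group holds the same set on the same account.
SAMPLE = {
    PS_ADMIN: [
        {"AccountId": ACCOUNT, "PermissionSetArn": PS_ADMIN, "PrincipalType": "USER", "PrincipalId": "user-alice"},
        {"AccountId": ACCOUNT, "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "group-ssofallback"},
    ],
    PS_READ: [
        {"AccountId": ACCOUNT, "PermissionSetArn": PS_READ, "PrincipalType": "GROUP", "PrincipalId": "group-auditors"},
    ],
}

class FakeSsoAdmin:
    """Offline stand-in for a boto3 'sso-admin' client: replays SAMPLE for the two paginators used."""
    class _Paginator:
        def __init__(self, name):
            self.name = name

        def paginate(self, **kw):
            if self.name == "list_permission_sets_provisioned_to_account":
                return [{"PermissionSets": list(SAMPLE)}]
            return [{"AccountAssignments": SAMPLE.get(kw["PermissionSetArn"], [])}]

    def get_paginator(self, name):
        return self._Paginator(name)

def collect_assignments(sso_admin, instance_arn, account_id):
    """All assignments in one account: ListPermissionSetsProvisionedToAccount, then
    ListAccountAssignments per permission set. Works with a real or fake client."""
    found = []
    ps_pager = sso_admin.get_paginator("list_permission_sets_provisioned_to_account")
    for page in ps_pager.paginate(InstanceArn=instance_arn, AccountId=account_id):
        for ps_arn in page.get("PermissionSets", []):
            aa_pager = sso_admin.get_paginator("list_account_assignments")
            for aa_page in aa_pager.paginate(InstanceArn=instance_arn, AccountId=account_id,
                                             PermissionSetArn=ps_arn):
                found.extend(aa_page.get("AccountAssignments", []))
    return found

def lingering_paths(assignments, user_id, account_id, ps_arn):
    """Principals other than the revoked user that still keep ps_arn linked to the account.
    Any hit means the permission set stays provisioned, so a session the user already
    opened for that role keeps working until it expires (the risk in this request)."""
    return [(a["PrincipalType"], a["PrincipalId"]) for a in assignments
            if a["AccountId"] == account_id and a["PermissionSetArn"] == ps_arn
            and not (a["PrincipalType"] == "USER" and a["PrincipalId"] == user_id)]
```

Run the check right after DeleteAccountAssignment: an empty result means no other path keeps the permission set on the account, a non-empty one names the principals that still do.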

Hello @EreminAnton ,

Thank you very much for your submission. It seems that your feature request was intended for https://github.com/boto/boto3, or is this a submission made as an overall feature request for all AWS SDKs?

If this feature request was intended for the boto3 repository you can open an issue here.

Best regards,

Yasmine

Hello, and thank you for your response! Initially, I created an issue in the Python boto3 repository because I wanted to request a specific feature. However, I was rerouted to this repository. From what I understand, the feature I'm requesting isn't available in the overall AWS SDK, which is why I was directed here.

Old issue in boto3 repo

Hello @EreminAnton ,

Thank you very much for your quick response and for providing the link to the original issue. I'll follow up with the service team internally to ask for this feature. Quick check, I was wondering if the workaround offered by my colleague is able to cover your use case until this gets resolved?

Thank you very much again for reaching out. We really appreciate your feedback and contribution to improving the AWS SDKs.
Best regards,

Yasmine

D98540627

Hi again, @yasminetalby! I've looked into this workaround, and it seems like it would work. However, it appears to be too overwhelming to implement during a critical moment of a security breach. If you're not familiar with IAM/SCP/CloudTrail, it could take around 20-30 minutes to understand what to do and how to do it. It would be really helpful if there were an API call or a big red button for "BLOCK, DELETE."

Hello @EreminAnton ,

Thank you very much for your feedback. I'll pass it along to the SSO team as well. I have created a feature request for them and will be tracking it. I will post here once I get an update from them.

Best regards,

Yasmine

Reached out to service team for update. Awaiting response.

Reached out to the service team requesting an update.

We have created a product feature request with the service team to add support in the service API to terminate SSO sessions. At this point, we do not have an ETA on when it would be implemented. It's in their queue and should be reviewed based on priority with other items.

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.