boto/boto3

Add Session Termination Feature for AWS SSO in boto3.

Closed this issue · 2 comments

Describe the feature

Introduce a functionality in boto3 that allows for AWS SSO sessions to be programmatically terminated. The proposed feature aims to address this by providing a method to force terminate active sessions.

Use Case

In scenarios where users are granted temporary elevated permissions, such as through tools like the AWS SSO Elevator, it's essential to revoke these permissions either after a specific duration or under particular conditions. However, even after revoking these permissions, if an SSOFallBack group exists for other AWS purposes (despite not having users, but having the same permission set linked to the account), the user's active session persists. This situation allows users to continue their operations until the session naturally concludes, presenting a potential security risk.

Proposed Solution

Introduce a new method in boto3, something like terminate_sso_session(), that accepts parameters like the user's SSO identity and forcefully ends their current AWS SSO session. This way, even if permissions are revoked, their session can be terminated immediately, ensuring no lingering access.

Other Information

While there are methods to revoke permissions, the absence of a session termination feature can undermine the security measures in place, especially in environments where temporary access is provided on-demand. Adding this feature would greatly enhance the security posture of applications and systems that rely on AWS SSO for temporary access.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

Boto3 1.26.90

Environment details (OS name and version, etc.)

Lambda

Hi @EreminAnton thanks for the feature request, I see the value in what you're proposing. I found this related post that provides a workaround: https://aws.amazon.com/blogs/security/how-to-revoke-federated-users-active-aws-sessions/. I believe the steps listed there address your use case but let us know if there are any distinctions you want to note.

Boto3 clients like IdentityStore map to upstream API actions which are used across SDKs. Therefore we can forward feature requests involving APIs to the appropriate service team. If you have a support plan we recommend reaching out directly through AWS Support for more direct correspondence. Otherwise you can create an issue in our cross-SDK repository for further tracking.
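Without an API that terminates a session outright, the way already-issued role credentials are cut off is an explicit Deny conditioned on the `aws:TokenIssueTime` key, which is the mechanism the post linked above relies on: any request made with credentials issued before a chosen instant is denied, so a user whose elevated access was revoked cannot keep working until the session expires on its own. The following is an added example, not code from boto3, from the linked post or from the issue author: it builds such a policy, checks locally which sessions it would affect, and pushes it to a permission set with the real `sso-admin` calls `put_inline_policy_to_permission_set` and `provision_permission_set`. The ARNs and timestamps are constructed placeholders.

```python
"""Time-bounded Deny policy for cutting off already-issued Identity Center
(AWS SSO) sessions, plus a local check of which sessions it would affect."""
import json
from datetime import datetime, timezone

# Constructed sample values (assumptions): replace with the ARNs of your own
# Identity Center instance and the permission set that granted elevated access.
EXAMPLE_INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
EXAMPLE_PERMISSION_SET_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"
EXAMPLE_CUTOFF = "2024-05-01T10:00:00Z"  # the moment the elevated access was revoked

# IAM date conditions compare against timestamps in this Zulu form.
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(iso: str) -> datetime:
    """Parse a Zulu-form timestamp into an aware UTC datetime (raises on bad input)."""
    return datetime.strptime(iso, ISO_UTC).replace(tzinfo=timezone.utc)


def build_session_revocation_policy(cutoff_iso: str) -> dict:
    """Return a policy document that denies every action to credentials issued
    before `cutoff_iso`. aws:TokenIssueTime is set on temporary credentials
    only, so a missing key makes the condition false and the Deny does not
    fire; sessions created after the cutoff are also unaffected."""
    parse_utc(cutoff_iso)  # fail fast on a malformed cutoff
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenySessionsIssuedBeforeCutoff",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}},
            }
        ],
    }


def session_is_denied(policy: dict, token_issue_time_iso: str) -> bool:
    """Evaluate locally (no AWS call) whether a session whose credentials carry
    the given aws:TokenIssueTime would be denied by the policy's Deny statements."""
    issued = parse_utc(token_issue_time_iso)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cutoff_iso = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cutoff_iso and issued < parse_utc(cutoff_iso):
            return True
    return False


def apply_to_permission_set(policy: dict, instance_arn: str, permission_set_arn: str):
    """Attach the policy as the permission set's inline policy and re-provision it.
    PutInlinePolicyToPermissionSet replaces any existing inline policy, so merge
    first if the permission set already has one; the change only reaches the
    roles in member accounts after ProvisionPermissionSet runs."""
    import boto3  # imported here so the pure helpers above run without the SDK

    sso_admin = boto3.client("sso-admin")
    sso_admin.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=permission_set_arn,
        InlinePolicy=json.dumps(policy),
    )
    return sso_admin.provision_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=permission_set_arn,
        TargetType="ALL_PROVISIONED_ACCOUNTS",
    )


if __name__ == "__main__":
    policy = build_session_revocation_policy(EXAMPLE_CUTOFF)
    print(json.dumps(policy, indent=2))
    for issued in ("2024-05-01T09:30:00Z", "2024-05-01T10:30:00Z"):
        verdict = "denied" if session_is_denied(policy, issued) else "allowed"
        print(f"session issued {issued}: {verdict}")
    # apply_to_permission_set(policy, EXAMPLE_INSTANCE_ARN, EXAMPLE_PERMISSION_SET_ARN)
```

Two caveats worth keeping in mind: the Deny applies to every session of that permission set issued before the cutoff, not only the one user whose access was revoked, so pick the cutoff deliberately; and once the affected sessions have expired the statement can be removed again, since it no longer matches anything.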

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.