Skip to content
This repository has been archived by the owner on Nov 5, 2024. It is now read-only.

Add Method to Programmatically Terminate AWS SSO Sessions #598

Closed
EreminAnton opened this issue Sep 6, 2023 · 10 comments
Closed

Add Method to Programmatically Terminate AWS SSO Sessions #598

EreminAnton opened this issue Sep 6, 2023 · 10 comments
Assignees
Labels
feature-request New feature or request service-api This issue pertains to the AWS API sso

Comments

@EreminAnton
Copy link

Title:

Description:
Request the addition of a method in boto3 to forcefully terminate active AWS SSO sessions. This capability is already available in the AWS Console, but an API method is needed for programmatic access. This feature is particularly crucial for scenarios where users are temporarily granted elevated permissions, like with tools such as AWS SSO Elevator.

Use Case:
Currently, even after permissions are revoked, an active session can persist if an SSOFallBack group is present for other AWS purposes, even if it doesn't contain users but has the same permission set linked to the account. This allows users to maintain operations until the session ends naturally, posing a security risk.

Suggest adding a method, e.g., terminate_sso_session(), that takes parameters like the user's SSO identity to end their AWS SSO session immediately. This ensures that when permissions are revoked, there's no lingering access due to active sessions.

While there are methods to revoke permissions, the lack of a session termination feature in the API can compromise security, particularly when temporary access is granted on-demand. This enhancement would significantly bolster the security of systems relying on AWS SSO for temporary access.

@yasminetalby
Copy link

Hello @EreminAnton ,

Thank you very much for your submission. It seems that your feature request was intended for : https://github.com/boto/boto3 or is this a submission made as an overall feature request for all AWS SDKs?

If this feature request was intended for the boto3 repository you can open an issue here.

Best regards,

Yasmine

@yasminetalby yasminetalby added feature-request New feature or request response-requested This issue requires a response to continue labels Sep 25, 2023
@EreminAnton
Copy link
Author

Hello, and thank you for your response! Initially, I created an issue in the Python boto3 repository because I wanted to request a specific feature. However, I was rerouted to this repository. From what I understand, the feature I'm requesting isn't available in the overall AWS SDK, which is why I was directed here.

Old issue in boto3 repo

@github-actions github-actions bot removed the response-requested This issue requires a response to continue label Sep 26, 2023
@yasminetalby
Copy link

Hello @EreminAnton ,

Thank you very much for your quick response and for providing the link to the original issue. I'll follow up with the service team internally to ask for this feature. Quick check, I was wondering if the workaround offered by my colleague is able to cover your use case until this gets resolved?

Thank you very much again for reaching out. We really appreciate your feedback and contribution to improving the AWS SDKs.
Best regards,

Yasmine

@yasminetalby
Copy link

D98540627

@yasminetalby yasminetalby added service-api This issue pertains to the AWS API sso labels Sep 26, 2023
@EreminAnton
Copy link
Author

Hi again, @yasminetalby! I've looked into this workaround, and it seems like it would work. However, it appears to be too overwhelming to implement during a critical moment of a security breach. If you're not familiar with IAM/SCP/CloudTrail, it could take around 20-30 minutes to understand what to do and how to do it. It would be really helpful if there were API call or a big red button for "BLOCK, DELETE."

@yasminetalby
Copy link

Hello @EreminAnton ,

Thank you very much for your feedback. I'll pass it along to the SSO team as well. I have created a feature request for them and will be tracking it. I will post here once I get an update from them.

Best regards,

Yasmine

@ashishdhingra
Copy link

Reached out to service team for update. Awaiting response.

@ashishdhingra
Copy link

Reached out to service team requesting for an update.

@ashishdhingra
Copy link

We have created a product feature request with service team to add support in service API to terminate SSO sessions. At this point, we do not have an ETA on when it would be implemented. It's in their queue and should be reviewed based on priority with other items.

Copy link

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
feature-request New feature or request service-api This issue pertains to the AWS API sso
Projects
None yet
Development

No branches or pull requests

3 participants