SSM Session Length Should Be Minimum
More Info:
Ensure that no active session in AWS Systems Manager Session Manager exceeds the period of time set in the rule settings. Sessions that stay active for longer than expected can be a sign of suspicious activity. Session Manager gives users the ability to open a shell on EC2 instances or execute commands on containers running in ECS.
Risk Level
High
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of SSM Session Length Should Be Minimum in AWS using the AWS console, follow these steps:
- Login to your AWS console.
- Go to the AWS Systems Manager console.
- Click on the ‘Managed Instances’ option from the left navigation pane.
- Select the instance for which you want to remediate the misconfiguration.
- Click on the ‘Actions’ button and select ‘Edit Managed Instance Settings’.
- In the ‘Edit Managed Instance Settings’ page, scroll down to the ‘SSM Agent Settings’ section.
- In the ‘SSM Session Length’ field, enter the minimum session length you want to set.
- Click on the ‘Save Changes’ button.
Once you have followed the above steps, the SSM Session Length will be set to the minimum value you have specified. This will help you remediate the misconfiguration of SSM Session Length Should Be Minimum in AWS.
The SSM Session Length should be set to a minimum for security reasons. The maximum session length is a regional Session Manager preference stored in the SSM-SessionManagerRunShell document (the maxSessionDuration input, in minutes), not a property of an individual instance. To remediate this for AWS using AWS CLI, follow these steps:
- Open the AWS CLI and run the following command to update the Session Manager preferences document. The content sets maxSessionDuration to 60 minutes; idleSessionTimeout (also in minutes) ends sessions that sit idle:
aws ssm update-document --name "SSM-SessionManagerRunShell" --document-version "\$LATEST" --content '{"schemaVersion":"1.0","description":"Document to hold regional settings for Session Manager","sessionType":"Standard_Stream","inputs":{"idleSessionTimeout":"20","maxSessionDuration":"60"}}'
- This command caps every new session in the region at 60 minutes (1 hour). If you want to set a different session length, change the value of the maxSessionDuration input (1 to 1440 minutes). If the preferences document has never been saved in the region, the update fails with InvalidDocument; in that case run aws ssm create-document --document-type Session with the same name and content instead.
- After the preferences document is updated, every new session in the region is started with the new session length. To start a session, run the following command:
aws ssm start-session --target instance-id --document-name SSM-SessionManagerRunShell
- Replace instance-id with the ID of the instance you want to connect to.
- This command starts a session that Session Manager terminates once it reaches the maximum duration of 60 minutes (1 hour), regardless of activity. If you want a different session length, change maxSessionDuration in the preferences document; it is not a parameter of the start-session command.
- After the session is started, you can use it to perform any necessary actions on the instance.
By following these steps, you can remediate the SSM Session Length misconfiguration in AWS.
To remediate the misconfiguration of SSM session length being minimum in AWS using Python, follow these steps:
- Open the AWS Management Console and navigate to the EC2 service.
- Select the instance for which you want to remediate the SSM session length.
- Click on the “Actions” button and select “Instance Settings” and then “Modify IAM Role”.
- In the “Modify IAM Role” window, select the IAM role that has the required permissions to modify the SSM session length.
- Once you have selected the IAM role, click on the “Save” button to save the changes.
- Now, open your Python IDE and import the required libraries.
import json
import boto3
- Create a boto3 session object and specify the region where your instance is located. Session Manager preferences are regional, so this also selects the region whose sessions will be limited.
session = boto3.Session(region_name='us-east-1')
- Create an SSM client object using the session object.
ssm_client = session.client('ssm')
- Use the update_document() method to write the maximum session duration into the regional Session Manager preferences document, SSM-SessionManagerRunShell.
# Session Manager preferences document; both timeout values are in minutes
preferences = {
    'schemaVersion': '1.0',
    'description': 'Document to hold regional settings for Session Manager',
    'sessionType': 'Standard_Stream',
    'inputs': {
        'idleSessionTimeout': '20',   # end the session after 20 idle minutes
        'maxSessionDuration': '60',   # hard cap of 60 minutes (1 hour) per session
    },
}
response = ssm_client.update_document(
    Name='SSM-SessionManagerRunShell',
    Content=json.dumps(preferences),
    DocumentVersion='$LATEST',
)
- In the above code, replace the region with the one your instances are in. The preferences document applies to every Session Manager session in that region, so no instance ID, activation ID or activation code is needed.
- Also, modify 'maxSessionDuration' according to your requirement (1 to 1440 minutes). If the preferences document has never been saved in the region, update_document() raises InvalidDocument; in that case call ssm_client.create_document() with DocumentType='Session' and the same Name and Content instead.
Once you execute the above code, it will remediate the SSM session length misconfiguration for your AWS instance.
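Below is an added detection example, not code from the original page: it applies this rule offline to constructed sample data (the SAMPLE_* values are made up) and, in audit_region(), against a live region. It relies on the real regional preferences document SSM-SessionManagerRunShell, its maxSessionDuration input (minutes) and the describe_sessions API; the 60-minute threshold passed to evaluate() is an assumed rule setting.

```python
import json
from datetime import datetime, timedelta, timezone

PREFERENCES_DOCUMENT = "SSM-SessionManagerRunShell"  # regional Session Manager preferences

# Constructed sample data standing in for get_document()["Content"] and describe_sessions()["Sessions"]
SAMPLE_PREFERENCES = '{"schemaVersion":"1.0","sessionType":"Standard_Stream","inputs":{"maxSessionDuration":"240"}}'
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    {"SessionId": "alice-0a1b2c", "Target": "i-0aaa", "StartDate": SAMPLE_NOW - timedelta(minutes=25)},
    {"SessionId": "bob-3d4e5f", "Target": "i-0bbb", "StartDate": SAMPLE_NOW - timedelta(hours=3)},
]

def preferences_max_duration(document_content):
    """Return the maxSessionDuration cap in minutes, or None when the document sets no cap."""
    value = json.loads(document_content).get("inputs", {}).get("maxSessionDuration")
    return int(value) if value not in (None, "") else None

def find_long_sessions(sessions, now, max_minutes):
    """Return the IDs of sessions that have been open longer than max_minutes."""
    limit = timedelta(minutes=max_minutes)
    return [s["SessionId"] for s in sessions if now - s["StartDate"] > limit]

def evaluate(document_content, sessions, now, max_minutes):
    """Apply the rule: the regional cap must be at most max_minutes and no session may exceed it."""
    cap = preferences_max_duration(document_content)
    return {
        "cap_minutes": cap,
        "cap_compliant": cap is not None and cap <= max_minutes,
        "long_sessions": find_long_sessions(sessions, now, max_minutes),
    }

def audit_region(region, max_minutes):
    """Live version of evaluate(); needs ssm:GetDocument and ssm:DescribeSessions."""
    import boto3  # imported here so the offline functions above work without boto3 installed
    ssm = boto3.client("ssm", region_name=region)
    try:
        content = ssm.get_document(Name=PREFERENCES_DOCUMENT)["Content"]
    except ssm.exceptions.InvalidDocument:
        content = '{"inputs":{}}'  # preferences never saved in this region: no cap is enforced
    sessions, token = [], None
    while True:  # describe_sessions is paginated with NextToken
        page = ssm.describe_sessions(State="Active", **({"NextToken": token} if token else {}))
        sessions.extend(page.get("Sessions", []))
        token = page.get("NextToken")
        if not token:
            return evaluate(content, sessions, datetime.now(timezone.utc), max_minutes)

if __name__ == "__main__":
    print(evaluate(SAMPLE_PREFERENCES, SAMPLE_SESSIONS, SAMPLE_NOW, 60))
```

On the sample data the regional cap (240 minutes) fails a 60-minute rule and the three-hour session is flagged while the 25-minute one is not.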