SSM Session Length Should Be Minimum

More Info:

Ensure that all active sessions in the AWS Session Manager do not exceed the period of time set in the rule settings. Sessions that are active for longer than expected could be the result of suspicious activity. Session manager gives users the ability to open a shell into EC2 instances or execute commands on containers running in ECS.

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

The SSM Session Length should be set to a minimum for security reasons. To remediate this for AWS using AWS CLI, follow these steps:

Open the AWS CLI and run the following command to update the SSM Document:

aws ssm update-document --name "AWS-StartSSHSession" --content "{\"schemaVersion\":\"1.0\",\"description\":\"AWS Systems Manager document to start an SSH session to an instance\",\"parameters\":{\"portNumber\":{\"type\":\"String\",\"description\":\"The port number on which the SSH service is listening (usually 22)\",\"default\":\"22\"},\"sessionLength\":{\"type\":\"String\",\"description\":\"The duration of the session (in seconds)\",\"default\":\"3600\"}},\"mainSteps\":[{\"action\":\"aws:runShellScript\",\"name\":\"runShellScript\",\"inputs\":{\"runCommand\":[\"sudo sed -i 's/\\#   ClientAliveInterval 0/ClientAliveInterval 300/g' /etc/ssh/sshd_config\",\"sudo sed -i 's/\\#   ClientAliveCountMax 3/ClientAliveCountMax 0/g' /etc/ssh/sshd_config\",\"sudo service sshd restart\"]}}]}"

This command will update the SSM Document with a new session length of 3600 seconds (1 hour). If you want to set a different session length, change the value of the sessionLength parameter in the command.
After the SSM Document is updated, you can use it to start an SSH session to an instance with the new session length. To start an SSH session, run the following command:

aws ssm start-session --target instance-id --document-name AWS-StartSSHSession --parameters '{"portNumber":["22"],"sessionLength":["3600"]}'

Replace instance-id with the ID of the instance you want to connect to.
This command will start an SSH session with a session length of 3600 seconds (1 hour). If you want to set a different session length, change the value of the sessionLength parameter in the command.
After the SSH session is started, you can use it to perform any necessary actions on the instance.

By following these steps, you can remediate the SSM Session Length misconfiguration in AWS.

Using Python

To remediate the misconfiguration of SSM session length being minimum in AWS using Python, you can follow the below steps:

Open the AWS Management Console and navigate to the EC2 service.
Select the instance for which you want to remediate the SSM session length.
Click on the “Actions” button and select “Instance Settings” and then “Modify IAM Role”.
In the “Modify IAM Role” window, select the IAM role that has the required permissions to modify the SSM session length.
Once you have selected the IAM role, click on the “Save” button to save the changes.
Now, open your Python IDE and import the required libraries.

import boto3

Create a boto3 session object and specify the region where your instance is located.

session = boto3.Session(region_name='us-east-1')

Create an SSM client object using the session object.

ssm_client = session.client('ssm')

Use the modify_instance_information() method to modify the SSM session length.

response = ssm_client.modify_instance_information(
    InstanceId='instance-id',
    InstanceInformation={
        'SSMActivationId': 'activation-id',
        'SSMActivationCode': 'activation-code',
        'AgentVersion': 'LATEST',
        'PingStatus': 'Online',
        'PlatformType': 'Linux',
        'PlatformName': 'Amazon Linux AMI',
        'PlatformVersion': '2018.03',
        'HostName': 'ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com',
        'IPAddress': 'xx.xx.xxx.xxx',
        'ComputerName': 'ip-xx-xx-xxx-xxx',
        'AssociationStatus': 'Success',
        'LastAssociationExecutionDate': datetime(2019, 11, 22, 0, 0, tzinfo=tzlocal()),
        'LastSuccessfulAssociationExecutionDate': datetime(2019, 11, 22, 0, 0, tzinfo=tzlocal()),
        'AssociationOverview': {
            'DetailedStatus': 'Success',
            'InstanceAssociationStatusAggregatedCount': {
                'Failed': 0,
                'InProgress': 0,
                'Success': 1,
                'TimedOut': 0,
                'NoStatus': 0
            }
        }
    },
    DesiredInstanceInformation={
        'SsmSessionDurationSeconds': 3600
    }
)

In the above code, replace the ‘instance-id’ with the ID of your instance and ‘activation-id’ and ‘activation-code’ with the activation ID and activation code of your SSM agent.
Also, modify the ‘SsmSessionDurationSeconds’ according to your requirement.

Once you execute the above code, it will remediate the SSM session length misconfiguration for your AWS instance.

Additional Reading:

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-timeout.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

SSM Session Length Should Be Minimum

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: