How to revoke Systems Manager aws_session_token

0

Hi,

I have a bunch of edge devices I manage through Systems Manager, which I install through Greengrass. During the installation, an AWS user (ssm-iot-gg) is created and assumes a role I defined. The user is created with an aws_access_key_id, aws_secret_access_key and an aws_session_token.

Is there a way to revoke this aws_session_token remotely in case the edge device gets compromised?

Best regards Lasse

3 Answers
1
Accepted Answer

You can revoke the session permissions from a role by following the document below.

[+] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html?icmpid=docs_iam_console#revoke-session

AWS
answered 9 months ago
  • Thanks. Yes, I saw this, but this is for all assumed roles after a given time. This might be the only solution, but I was hoping for a way to revoke a single session for a single compromised device.

0

Hi there,

Yes, there is a way to revoke the AWS session token remotely in case the edge device gets compromised. You can use the AWS STS API to revoke the session token. The following steps show how to do this:

1. Go to the AWS Management Console and sign in to your account.
2. Click on the Services tab and select IAM.
3. In the Users section, click on the name of the user whose session token you want to revoke.
4. On the user's details page, scroll down to the Session Credentials section.
5. Click on the Revoke Session Token button.
6. In the confirmation dialog box, click on the Revoke button.

The AWS STS API will revoke the session token and the edge device will no longer be able to access AWS resources using that token.

Here is the AWS STS API command to revoke the session token:

aws sts revoke-session-token --session-token <session_token>

Replace <session_token> with the actual session token.

You can also use the AWS CLI to revoke the session token. The following command shows how to do this:

aws sts revoke-session-token --session-token <session_token>

Replace <session_token> with the actual session token.

Once you have revoked the session token, the edge device will no longer be able to access AWS resources using that token. You can then re-install the edge device and create a new session token.

answered 9 months ago
  • Ok, thanks. I tried looking for a way to do this. But the problem is that the session token is not connected to a user, but to an assumed role. Under the role in IAM I cannot see the generated tokens and thus cannot revoke them.

0

Follow that post https://repost.aws/questions/QUWnFu8OxhSNulq-Vu70bAcQ/aws-cli-sts-logout and delete the credentials. Another thing you could do is reduce the time of the activation role, and maybe for the user that is using that permission you could disable that capability with a deny all.

Judith
answered 9 months ago
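The mechanism behind the accepted answer's "revoke sessions" link, and behind the "deny all" Judith suggests, is a Deny statement on the role conditioned on aws:TokenIssueTime, so every session whose token was issued before a cutoff loses all permissions while sessions issued afterwards keep working. The example below is added here and is not code from the thread or from AWS; it builds that policy document, optionally narrows it to one role session name through the aws:userid key (which for an assumed-role session has the form "<role-id>:<role-session-name>"), and checks a few constructed sessions against it locally. The role ID, session names and timestamps are made-up sample data, and narrowing by session name assumes the device's role session name is known and distinct per device, which the thread does not establish for Greengrass.

```python
"""Build and locally check IAM's "revoke older sessions" deny policy.

Added example, not from the thread. Role ID, session names and times are
constructed sample data.
"""
from datetime import datetime, timedelta, timezone
import fnmatch
import json

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_revocation_policy(cutoff, session_name=None):
    """Deny every action for sessions whose token was issued before `cutoff`.

    Same shape as the AWSRevokeOlderSessions policy IAM attaches when you
    click "Revoke active sessions". If `session_name` is given, the Deny is
    additionally limited to assumed-role sessions with that role session
    name by matching aws:userid ("<role-id>:<role-session-name>") with a
    wildcard on the role ID. Assumption: the device's session name is known.
    """
    condition = {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(TIME_FMT)}}
    if session_name is not None:
        condition["StringLike"] = {"aws:userid": f"*:{session_name}"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Action": ["*"], "Resource": ["*"], "Condition": condition}
        ],
    }


def session_is_denied(policy, token_issue_time, userid):
    """Minimal local evaluator for the two condition operators used above.

    True when a Deny statement applies to a session with this token issue
    time and aws:userid. Unknown operators raise instead of silently
    evaluating to "allow".
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        matched = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator == "DateLessThan":
                limit = datetime.strptime(keys["aws:TokenIssueTime"], TIME_FMT)
                matched = matched and token_issue_time < limit.replace(tzinfo=timezone.utc)
            elif operator == "StringLike":
                matched = matched and fnmatch.fnmatchcase(userid, keys["aws:userid"])
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
        if matched:
            return True
    return False


# Constructed sample sessions: (label, token issue time, aws:userid).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    ("device-17, issued before cutoff", NOW - timedelta(hours=2), "AROAEXAMPLEROLEID:device-17"),
    ("device-42, issued before cutoff", NOW - timedelta(hours=1), "AROAEXAMPLEROLEID:device-42"),
    ("device-17, re-issued after cutoff", NOW + timedelta(minutes=5), "AROAEXAMPLEROLEID:device-17"),
]


def revoke_report(cutoff=NOW, session_name=None):
    """Map each sample session label to whether the policy would deny it."""
    policy = build_revocation_policy(cutoff, session_name)
    return {label: session_is_denied(policy, issued, userid) for label, issued, userid in SAMPLE_SESSIONS}


if __name__ == "__main__":
    print(json.dumps(build_revocation_policy(NOW, "device-17"), indent=2))
    for label, denied in revoke_report(NOW, "device-17").items():
        print(f"{'DENY ' if denied else 'allow'} {label}")
```

Write the generated document to a file and attach it to the role with `aws iam put-role-policy --role-name <role> --policy-name AWSRevokeOlderSessions --policy-document file://policy.json`. Two caveats follow from the policy itself: a token issued after the cutoff is not affected (the third sample session above stays allowed), so a device that can still obtain fresh credentials is not locked out by this alone, and once every pre-cutoff token has passed its expiry the policy no longer does anything and can be removed.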
