aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/
Other

Add Method to Programmatically Terminate AWS SSO Sessions #598

Open EreminAnton opened 10 months ago

EreminAnton commented 10 months ago

Title:

Description: Request the addition of a method in boto3 to forcefully terminate active AWS SSO sessions. This capability is already available in the AWS Console, but an API method is needed for programmatic access. This feature is particularly crucial for scenarios where users are temporarily granted elevated permissions, like with tools such as AWS SSO Elevator.

Use Case: Currently, even after permissions are revoked, an active session can persist if an SSOFallBack group is present for other AWS purposes, even if it doesn't contain users but has the same permission set linked to the account. This allows users to maintain operations until the session ends naturally, posing a security risk.

Suggest adding a method, e.g., terminate_sso_session(), that takes parameters like the user's SSO identity to end their AWS SSO session immediately. This ensures that when permissions are revoked, there's no lingering access due to active sessions.

While there are methods to revoke permissions, the lack of a session termination feature in the API can compromise security, particularly when temporary access is granted on-demand. This enhancement would significantly bolster the security of systems relying on AWS SSO for temporary access.

yasminetalby commented 9 months ago

Hello @EreminAnton ,

Thank you very much for your submission. It seems that your feature request was intended for https://github.com/boto/boto3, or is this a submission made as an overall feature request for all AWS SDKs?

If this feature request was intended for the boto3 repository you can open an issue here.

Best regards,

Yasmine

EreminAnton commented 9 months ago

Hello, and thank you for your response! Initially, I created an issue in the Python boto3 repository because I wanted to request a specific feature. However, I was rerouted to this repository. From what I understand, the feature I'm requesting isn't available in the overall AWS SDK, which is why I was directed here.

Old issue in boto3 repo

yasminetalby commented 9 months ago

Hello @EreminAnton ,

Thank you very much for your quick response and for providing the link to the original issue. I'll follow up with the service team internally to ask for this feature. Quick check, I was wondering if the workaround offered by my colleague is able to cover your use case until this gets resolved?

Thank you very much again for reaching out. We really appreciate your feedback and contribution to improving the AWS SDKs. Best regards,

Yasmine

yasminetalby commented 9 months ago

D98540627

EreminAnton commented 9 months ago

Hi again, @yasminetalby! I've looked into this workaround, and it seems like it would work. However, it appears to be too overwhelming to implement during a critical moment of a security breach. If you're not familiar with IAM/SCP/CloudTrail, it could take around 20-30 minutes to understand what to do and how to do it. It would be really helpful if there were an API call or a big red button for "BLOCK, DELETE."

yasminetalby commented 9 months ago

Hello @EreminAnton ,

Thank you very much for your feedback. I'll pass it along to the SSO team as well. I have created a feature request for them and will be tracking it. I will post here once I get an update from them.

Best regards,

Yasmine

ashishdhingra commented 3 months ago

Reached out to service team for update. Awaiting response.

ashishdhingra commented 2 months ago

Reached out to service team requesting an update.