awslabs / sandbox-accounts-for-events

"Sandbox Accounts for Events" provides multiple temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI.
Apache License 2.0
172 stars 37 forks

Revoking sessions after event is done #38

Closed SheVyY closed 11 months ago

SheVyY commented 1 year ago

Hi, I'm not sure if this is correct behavior or if it's only my setup, but when the event is terminated and aws-nuke deletes all resources, the actual user who assumed the DCEPrincipal-dce role can still have active credentials for hours and can still create resources and do things in that account, which can cause problems because aws-nuke has already run and cleaned everything.

The user will have their access revoked after some time, but in the meantime he can still experiment, and this account may then end up not being cleaned.

Is there a way to kick the user out of the account when the event is terminated or is there some problem with my setup?

moellr commented 1 year ago

Hi, AFAIK DCE does not actively revoke the session credentials in its "cleanup" flow, so you are right: credentials may still be valid for a longer time, depending on your credential expiration settings. A possible way would be to actively revoke the session credentials (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html), but that would have to be implemented in the DCE project itself (https://github.com/Optum/dce); it cannot be solved from here.
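The revocation the linked AWS page describes, as an added example (not code from this project or from DCE): it attaches the documented "deny sessions issued before now" inline policy to the role, so every in-flight session of DCEPrincipal-dce is denied while assumptions after the cutoff keep working. The policy name, the injectable `iam` client and the `now` parameter are assumptions for testability; a real run needs boto3 and IAM permission on the role.

```python
"""Revoke in-flight sessions of an IAM role with the AWS-documented
"DateLessThan aws:TokenIssueTime" deny policy (added example, not DCE code)."""
import json
from datetime import datetime, timezone

POLICY_NAME = "AWSRevokeOlderSessions"  # name used in the AWS docs; assumption
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_revoke_policy(issued_before: datetime) -> dict:
    """Deny every action to any session whose token was issued before the cutoff."""
    cutoff = issued_before.astimezone(timezone.utc).strftime(TIME_FMT)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
        }],
    }


def session_denied(policy: dict, token_issue_time: datetime) -> bool:
    """Local model of the DateLessThan check IAM applies to a session's token."""
    cond = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    cutoff = datetime.strptime(cond, TIME_FMT).replace(tzinfo=timezone.utc)
    return token_issue_time.astimezone(timezone.utc) < cutoff


def revoke_role_sessions(role_name: str, iam=None, now=None) -> dict:
    """Attach the deny policy to `role_name`; `iam` may be an injected IAM client."""
    if iam is None:
        import boto3  # imported lazily so the builder/model work without the SDK
        iam = boto3.client("iam")
    policy = build_revoke_policy(now or datetime.now(timezone.utc))
    iam.put_role_policy(RoleName=role_name, PolicyName=POLICY_NAME,
                        PolicyDocument=json.dumps(policy))
    return policy


if __name__ == "__main__":
    # Role name taken from the issue above; run after aws-nuke has finished.
    print(json.dumps(revoke_role_sessions("DCEPrincipal-dce"), indent=2))
```

Sessions created after the cutoff are unaffected, so the policy can stay on the role when the account is reused for the next event; attaching it does not shorten the credential lifetime itself, it only makes the old tokens useless.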