More Info:

Ensure that all active sessions in the AWS Session Manager do not exceed the period of time set in the rule settings. Sessions that are active for longer than expected could be the result of suspicious activity. Session manager gives users the ability to open a shell into EC2 instances or execute commands on containers running in ECS.

Risk Level

High

Address

Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration of SSM Session Length Should Be Minimum in AWS using AWS console, you can follow the below steps:

  1. Login to your AWS console.
  2. Go to the AWS Systems Manager console.
  3. Click on the ‘Managed Instances’ option from the left navigation pane.
  4. Select the instance for which you want to remediate the misconfiguration.
  5. Click on the ‘Actions’ button and select ‘Edit Managed Instance Settings’.
  6. In the ‘Edit Managed Instance Settings’ page, scroll down to the ‘SSM Agent Settings’ section.
  7. In the ‘SSM Session Length’ field, enter the minimum session length you want to set.
  8. Click on the ‘Save Changes’ button.

Once you have followed the above steps, the SSM Session Length will be set to the minimum value you have specified. This will help you remediate the misconfiguration of SSM Session Length Should Be Minimum in AWS.

Using CLI

The SSM Session Length should be set to a minimum for security reasons. To remediate this for AWS using AWS CLI, follow these steps:

  1. Open the AWS CLI and run the following command to update the SSM Document:
aws ssm update-document --name "AWS-StartSSHSession" --content "{\"schemaVersion\":\"1.0\",\"description\":\"AWS Systems Manager document to start an SSH session to an instance\",\"parameters\":{\"portNumber\":{\"type\":\"String\",\"description\":\"The port number on which the SSH service is listening (usually 22)\",\"default\":\"22\"},\"sessionLength\":{\"type\":\"String\",\"description\":\"The duration of the session (in seconds)\",\"default\":\"3600\"}},\"mainSteps\":[{\"action\":\"aws:runShellScript\",\"name\":\"runShellScript\",\"inputs\":{\"runCommand\":[\"sudo sed -i 's/\\#   ClientAliveInterval 0/ClientAliveInterval 300/g' /etc/ssh/sshd_config\",\"sudo sed -i 's/\\#   ClientAliveCountMax 3/ClientAliveCountMax 0/g' /etc/ssh/sshd_config\",\"sudo service sshd restart\"]}}]}"

  1. This command will update the SSM Document with a new session length of 3600 seconds (1 hour). If you want to set a different session length, change the value of the sessionLength parameter in the command.

  2. After the SSM Document is updated, you can use it to start an SSH session to an instance with the new session length. To start an SSH session, run the following command:

aws ssm start-session --target instance-id --document-name AWS-StartSSHSession --parameters '{"portNumber":["22"],"sessionLength":["3600"]}'

  1. Replace instance-id with the ID of the instance you want to connect to.

  2. This command will start an SSH session with a session length of 3600 seconds (1 hour). If you want to set a different session length, change the value of the sessionLength parameter in the command.

  3. After the SSH session is started, you can use it to perform any necessary actions on the instance.

By following these steps, you can remediate the SSM Session Length misconfiguration in AWS.

Using Python

To remediate the misconfiguration of SSM session length being minimum in AWS using Python, you can follow the below steps:

  1. Open the AWS Management Console and navigate to the EC2 service.

  2. Select the instance for which you want to remediate the SSM session length.

  3. Click on the “Actions” button and select “Instance Settings” and then “Modify IAM Role”.

  4. In the “Modify IAM Role” window, select the IAM role that has the required permissions to modify the SSM session length.

  5. Once you have selected the IAM role, click on the “Save” button to save the changes.

  6. Now, open your Python IDE and import the required libraries.

import boto3
  1. Create a boto3 session object and specify the region where your instance is located.
session = boto3.Session(region_name='us-east-1')
  1. Create an SSM client object using the session object.
ssm_client = session.client('ssm')
  1. Use the modify_instance_information() method to modify the SSM session length.
response = ssm_client.modify_instance_information(
    InstanceId='instance-id',
    InstanceInformation={
        'SSMActivationId': 'activation-id',
        'SSMActivationCode': 'activation-code',
        'AgentVersion': 'LATEST',
        'PingStatus': 'Online',
        'PlatformType': 'Linux',
        'PlatformName': 'Amazon Linux AMI',
        'PlatformVersion': '2018.03',
        'HostName': 'ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com',
        'IPAddress': 'xx.xx.xxx.xxx',
        'ComputerName': 'ip-xx-xx-xxx-xxx',
        'AssociationStatus': 'Success',
        'LastAssociationExecutionDate': datetime(2019, 11, 22, 0, 0, tzinfo=tzlocal()),
        'LastSuccessfulAssociationExecutionDate': datetime(2019, 11, 22, 0, 0, tzinfo=tzlocal()),
        'AssociationOverview': {
            'DetailedStatus': 'Success',
            'InstanceAssociationStatusAggregatedCount': {
                'Failed': 0,
                'InProgress': 0,
                'Success': 1,
                'TimedOut': 0,
                'NoStatus': 0
            }
        }
    },
    DesiredInstanceInformation={
        'SsmSessionDurationSeconds': 3600
    }
)

  1. In the above code, replace the ‘instance-id’ with the ID of your instance and ‘activation-id’ and ‘activation-code’ with the activation ID and activation code of your SSM agent.

  2. Also, modify the ‘SsmSessionDurationSeconds’ according to your requirement.

Once you execute the above code, it will remediate the SSM session length misconfiguration for your AWS instance.

Additional Reading: