Ensure that all active sessions in the AWS Session Manager do not exceed the period of time set in the rule settings. Sessions that are active for longer than expected could be the result of suspicious activity. Session manager gives users the ability to open a shell into EC2 instances or execute commands on containers running in ECS.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Session Manager gives users the ability to either open a shell in an EC2 instance or execute commands in an ECS task. This is useful when debugging issues in a container or instance. However, long-lived sessions that have not been terminated present a risk: an attacker who gains access to the machine running the session inherits access to that instance or container. Additionally, a long-lived session might indicate suspicious activity, since it stays open for longer than is reasonably required.
Audit
Remediation / Resolution
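The check described above, written as an added example that is not part of the Conformity rule page or of the AWS SDK: it lists Active sessions with `ssm:DescribeSessions`, flags those whose age exceeds a threshold, and optionally terminates them with `ssm:TerminateSession`. The two-hour threshold, the sample sessions and the `dry_run` flag are assumptions; the rule's real threshold is whatever is configured in the rule settings.

```python
from datetime import datetime, timedelta, timezone

# Constructed threshold; the real value comes from the rule settings.
MAX_SESSION_AGE = timedelta(hours=2)


def overdue_sessions(sessions, now, max_age=MAX_SESSION_AGE):
    """Return IDs of sessions whose age exceeds max_age.

    `sessions` has the shape of the `Sessions` list returned by
    ssm:DescribeSessions. StartDate may be a datetime (boto3) or an
    ISO-8601 string (CLI JSON). Sessions without StartDate are skipped.
    """
    overdue = []
    for s in sessions:
        start = s.get("StartDate")
        if start is None:
            continue
        if isinstance(start, str):
            start = datetime.fromisoformat(start.replace("Z", "+00:00"))
        if now - start > max_age:
            overdue.append(s["SessionId"])
    return overdue


def audit_and_terminate(ssm, now=None, dry_run=True):
    """Page through Active sessions; terminate overdue ones unless dry_run.

    `ssm` is assumed to be a boto3 SSM client with credentials configured.
    Returns the overdue session IDs either way.
    """
    now = now or datetime.now(timezone.utc)
    sessions, kwargs = [], {"State": "Active"}
    while True:
        page = ssm.describe_sessions(**kwargs)
        sessions.extend(page.get("Sessions", []))
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    overdue = overdue_sessions(sessions, now)
    if not dry_run:
        for session_id in overdue:
            ssm.terminate_session(SessionId=session_id)
    return overdue


# Constructed sample, shaped like `aws ssm describe-sessions --state Active`.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    {"SessionId": "user-0001", "Target": "i-0a", "StartDate": "2024-01-01T11:30:00Z"},
    {"SessionId": "user-0002", "Target": "i-0b", "StartDate": "2024-01-01T08:00:00Z"},
    {"SessionId": "user-0003", "Target": "i-0c", "Status": "Connecting"},
]

if __name__ == "__main__":
    print(overdue_sessions(SAMPLE_SESSIONS, SAMPLE_NOW))  # ['user-0002']
```

Run it first with `dry_run=True` and compare the returned IDs against the session owners before terminating anything, since the same output is also the evidence to review for suspicious activity.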
References
- AWS Documentation
- AWS Systems Manager FAQs
- AWS Command Line Interface (CLI) Documentation
- ssm
- describe-sessions
- terminate-session