
SSM Session Length

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (should be achieved)
Rule ID: SSM-002

Ensure that no active session in AWS Systems Manager Session Manager has been running for longer than the period of time set in the rule settings. Sessions that stay active for longer than expected could be the result of suspicious activity. Session Manager gives users the ability to open a shell on EC2 instances or to execute commands in containers running on ECS.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Session Manager gives users the ability either to open a shell on an EC2 instance or to execute commands in an ECS task. This is useful when debugging issues in a container or instance. However, long-lived sessions that have not been terminated present a risk: an attacker who gains control of the workstation (or the credentials) behind an open session inherits its access to that instance or container. Additionally, a session that has been open for longer than is reasonably required may itself indicate suspicious activity.


Audit

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Systems Manager dashboard at https://console.aws.amazon.com/systems-manager/.

03 In the left navigation panel, choose Session Manager.

04 Choose Start Session.

05 Choose the Sessions Tab.

06 A list of active sessions will be displayed. Analyse the Start Date column to determine if the session length is longer than what is determined to be reasonable.

Using AWS CLI

01 Run describe-sessions command (OSX/Linux/UNIX) using custom query filters to list the IDs and start times of all active sessions in that region (the command is regional, so repeat it for every region in use):

aws ssm describe-sessions \
--region us-west-2 \
--state Active \
--output table \
--query 'Sessions[*].[SessionId, StartDate]'

02 The command output should return a table with the requested session IDs and start times (epoch seconds):

----------------------------------------------------------
|                    DescribeSessions                    |
+----------------------------------------+---------------+
|  ecs-execute-command-0df6d470628a83e21 | 1613546220.56 |
|  ecs-execute-command-0e84f57a6fda98b73 | 1613541828.06 |
+----------------------------------------+---------------+

03 For each session the date command can be used to convert the StartDate epoch value into a human-readable start time. On OSX/BSD use -r; on GNU/Linux -r refers to a file, so use -d with an @ prefix instead (add -u to print UTC rather than local time):

date -r 1613546220        # OSX / BSD
date -d @1613546220       # GNU/Linux

04 The command output should return a human-readable time (in the local timezone) of when the session started. Compare it against the current time to determine whether the session has exceeded the period set in the rule settings.

Wed 17 Feb 2021 18:17:00 AEDT

Remediation / Resolution

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Systems Manager dashboard at https://console.aws.amazon.com/systems-manager/.

03 In the left navigation panel, choose Session Manager.

04 Choose Start Session.

05 Choose the Sessions Tab.

06 A list of active sessions will be displayed. Analyse the Start Date column to determine if the session length is longer than what is determined to be reasonable.

07 To terminate a session, select its checkbox, then click the Terminate Session button. The session is terminated immediately.

Using AWS CLI

01 Run describe-sessions command (OSX/Linux/UNIX) using custom query filters to list the IDs and start times of all active sessions in that region (the command is regional, so repeat it for every region in use):

aws ssm describe-sessions \
--region us-west-2 \
--state Active \
--output table \
--query 'Sessions[*].[SessionId, StartDate]'

02 The command output should return a table with the requested session IDs and start times (epoch seconds):

----------------------------------------------------------
|                     DescribeSessions                   |
+----------------------------------------+---------------+
|  ecs-execute-command-0df6d470628a83e21 | 1613546220.56 |
|  ecs-execute-command-0e84f57a6fda98b73 | 1613541828.06 |
+----------------------------------------+---------------+

03 For each session the date command can be used to convert the StartDate epoch value into a human-readable start time. On OSX/BSD use -r; on GNU/Linux -r refers to a file, so use -d with an @ prefix instead (add -u to print UTC rather than local time):

date -r 1613546220        # OSX / BSD
date -d @1613546220       # GNU/Linux

04 The command output should return a human-readable time (in the local timezone) of when the session started. Compare it against the current time to determine whether the session has exceeded the period set in the rule settings.

Wed 17 Feb 2021 18:17:00 AEDT

05 To terminate a chosen session, run the terminate-session command (OSX/Linux/UNIX) with the session ID:

aws ssm terminate-session \
--region us-west-2 \
--session-id ecs-execute-command-0df6d470628a83e21

The command returns the SessionId of the terminated session. Re-run describe-sessions with --state Active to confirm it no longer appears.
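The audit and remediation steps above, combined into one added shell example that is not part of the Conformity page or the AWS CLI: it reads the --output text form of describe-sessions, computes each session's age against a maximum (the period configured in the rule settings), and prints the matching terminate-session commands for review rather than executing them. The session list and the "now" timestamp are constructed sample data, and the function names epoch_to_utc, long_sessions and terminate_commands are chosen here.

```shell
#!/bin/sh
# Added example, not Conformity's own tooling. Needs only POSIX sh, awk and date;
# the live commands in the comments assume the AWS CLI v2 and valid credentials.
set -eu

# Convert a Session Manager StartDate (epoch seconds, possibly fractional such as
# 1613546220.56) to an ISO-8601 UTC string. GNU date takes -d @N, BSD/macOS date takes -r N.
epoch_to_utc() {
  epoch="${1%.*}"                        # drop fractional seconds
  if date --version >/dev/null 2>&1; then
    date -u -d "@${epoch}" +'%Y-%m-%dT%H:%M:%SZ'
  else
    date -u -r "${epoch}" +'%Y-%m-%dT%H:%M:%SZ'
  fi
}

# Read "SessionId<TAB>StartDate" lines on stdin, the shape produced by
#   aws ssm describe-sessions --state Active --output text --query 'Sessions[*].[SessionId,StartDate]'
# and print "SessionId<TAB>age_seconds" for every session older than $2 seconds at time $1.
long_sessions() {
  now="$1"; max_age="$2"
  awk -F '\t' -v now="$now" -v max="$max_age" '
    NF >= 2 {
      age = now - ($2 + 0)               # StartDate may carry a fractional part
      if (age > max) printf "%s\t%d\n", $1, age
    }'
}

# Turn flagged sessions into terminate-session commands for a region.
# They are printed, not executed, so an operator can review before running them.
terminate_commands() {
  region="$1"
  awk -F '\t' -v region="$region" \
    '{ printf "aws ssm terminate-session --region %s --session-id %s\n", region, $1 }'
}

# Constructed sample data: two ECS exec sessions, as describe-sessions would list them.
SAMPLE_SESSIONS="$(printf 'ecs-execute-command-0df6d470628a83e21\t1613546220.56\necs-execute-command-0e84f57a6fda98b73\t1613541828.06')"
# Constructed "now" (2021-02-17T08:20:00Z) so the output is reproducible.
SAMPLE_NOW=1613550000
# Maximum session age in seconds; use the period configured in the rule settings.
MAX_AGE_SECONDS=7200

echo "Sessions older than ${MAX_AGE_SECONDS}s at $(epoch_to_utc "$SAMPLE_NOW"):"
printf '%s\n' "$SAMPLE_SESSIONS" \
  | long_sessions "$SAMPLE_NOW" "$MAX_AGE_SECONDS" \
  | terminate_commands us-west-2

# Live usage against a real region (review the printed commands before running them):
#   aws ssm describe-sessions --region us-west-2 --state Active --output text \
#     --query 'Sessions[*].[SessionId,StartDate]' \
#     | long_sessions "$(date +%s)" "$MAX_AGE_SECONDS" | terminate_commands us-west-2
```

With the sample data and a two-hour limit only the older session (started 08:17 the previous evening AEDT, 07:17 UTC is the newer one) is flagged, and the script prints a single terminate-session command; lowering MAX_AGE_SECONDS to 3600 flags both. Because describe-sessions is regional, run the live pipeline once per region in use.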


Publication date Feb 19, 2021