
Support for programmatically terminating active sessions from permission sets

0

Currently it is only possible to terminate active sessions for permission sets via the UI. This prevents using necessary automations to ensure permission set assignments do not have a dangling session and are brought to least privilege. When can we get support for allowing a programmatic solution here?

Thanks!

1 answer
0

When working with IAM Identity Center (formerly AWS SSO), there currently isn't a direct API method to programmatically terminate active sessions for permission sets specifically.

For IAM roles, you can programmatically revoke active sessions by attaching the AWSRevokeOlderSessions policy to the role, which denies access to users who assumed the role before a specific time. This can be done through the AWS CLI or SDK.

For SSM sessions, you can programmatically terminate them using the ssm:TerminateSession action. You can create policies that allow users to terminate their own sessions by using policy variables like ${aws:userid} in the resource element:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:TerminateSession",
      "Resource": "arn:aws:ssm:*:*:session/${aws:userid}-*"
    }
  ]
}

For IAM Identity Center users, you would use ${aws:userid} instead of ${aws:username} in your policies, as the latter isn't available for federated users.

Regarding automation for removing disabled users and their permission sets, you could implement a solution using AWS Lambda that periodically checks for disabled users in IAM Identity Center and programmatically removes their permission set assignments. However, this doesn't directly terminate active sessions.

AWS hasn't announced when programmatic termination of active sessions for permission sets will be supported. For now, you'll need to rely on the UI for this specific functionality or implement workarounds using existing APIs.
Sources
Policy variable for IAM Identity Center user | AWS re:Post
Removal of user and permission sets | AWS re:Post
Revoke IAM role temporary security credentials - AWS Identity and Access Management
End a session - AWS Systems Manager

Answered 4 months ago
AWS
Support Engineer
Reviewed 4 months ago
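The answer above describes revoking an IAM role's active sessions by attaching the AWSRevokeOlderSessions inline policy (a Deny on all actions for credentials issued before a cutoff, keyed on aws:TokenIssueTime). The following is an added example, not code from the original post or from AWS's own tooling: it builds that policy document, lets you check offline whether a given session's token issue time would be denied, and optionally attaches the policy with boto3. The role name, the cutoff time and the policy name are caller-supplied assumptions; as the answer notes, this applies to IAM roles, not directly to permission-set sessions in IAM Identity Center.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed name for the inline deny policy; it matches the name the answer cites
# for the console's "revoke active sessions" action on a role.
POLICY_NAME = "AWSRevokeOlderSessions"


def build_revoke_policy(cutoff: datetime) -> dict:
    """Deny every action to principals whose credentials were issued before cutoff."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware (use UTC)")
    issued_before = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # IAM evaluates DateLessThan against the session's aws:TokenIssueTime
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}},
        }],
    }


def session_is_revoked(policy: dict, token_issue_time: datetime) -> bool:
    """Evaluate the DateLessThan condition the way IAM would for one session.

    Sessions issued at or after the cutoff are unaffected, so set the cutoff to
    "now" when you actually want to cut off everything currently outstanding.
    """
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("DateLessThan", {})
        cutoff_str = cond.get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and cutoff_str:
            cutoff = datetime.strptime(cutoff_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if token_issue_time.astimezone(timezone.utc) < cutoff:
                return True
    return False


def attach_revoke_policy(role_name: str, cutoff: datetime) -> None:
    """Attach the deny policy to an IAM role via boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the offline helpers work without boto3 installed
    boto3.client("iam").put_role_policy(
        RoleName=role_name,
        PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(build_revoke_policy(cutoff)),
    )


if __name__ == "__main__":
    print(json.dumps(build_revoke_policy(datetime.now(timezone.utc)), indent=2))
```

Existing temporary credentials are not invalidated by this; they simply fail authorization on every call until they expire, which is the same behaviour the console's revoke action produces.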
