US-12625941-B1 - Invalidating AWS temporary role assumption access credentials using session policies and session tags
Abstract
An Amazon Web Services (AWS) temporary role assumption access credentials invalidation system and process for invalidating AWS temporary role assumption access credentials using session policies and session tags are disclosed. The AWS temporary role assumption access credentials invalidation system is configured to revoke the temporary credentials associated with an AWS temporary role which a user no longer needs and also ensure that a confused user does not inadvertently use an incorrect set of temporary credentials. By invalidating AWS temporary role assumption access credentials using session policies and session tags, inadvertently assumed credentials can also be immediately invalidated. Furthermore, the AWS temporary role assumption access credentials invalidation system revokes temporary credentials when a user is finished with them. This ability to immediately invalidate any issued credential provides a much more secure environment for an organization.
Inventors
- Artyom Poghosyan
- Sameer Hiremath
Assignees
- Artyom Poghosyan
- Sameer Hiremath
Dates
- Publication Date
- 20260512
- Application Date
- 20240425
Claims (15)
- 1. A temporary role assumption access credential invalidation system operating in an Amazon Web Services (AWS) environment, the system comprising one or more processors and one or more non-transitory memories storing instructions that, when executed by the one or more processors, cause a credential management platform to: receive an authenticated request from an authenticated end user to access a particular AWS service; generate a role assumption request for an identity and access management (IAM) role associated with an IAM managed policy, the role assumption request including a session policy comprising a managed session policy, an inline session policy, and a session tag containing a session identifier corresponding to a session connection; transmit the role assumption request to AWS and receive temporary security credentials issued by said AWS for the IAM role, the temporary security credentials having a defined validity time; associate the temporary security credentials with a user profile corresponding to the authenticated end user; store the temporary security credentials within a user-specific credential vault accessible to the authenticated end user during performance of a task involving the particular AWS service; manage the session connection using a profile checkout module configured to initiate access to the IAM role and a profile check-in module configured to terminate access associated with the user profile; and responsive to receipt of a profile check-in event processed by the profile check-in module indicating completion of the task, modify the IAM managed policy independently of expiration of the validity time by introducing a deny authorization condition referencing the session identifier such that authorization associated with the temporary security credentials is invalidated prior to expiration of the validity time.
- 2. The system of claim 1, wherein the credential management platform manages a session connection established using the temporary security credentials for the IAM role after issuance of the temporary security credentials.
- 3. The system of claim 2, wherein the session identifier uniquely identifies the session connection associated with the authenticated end user.
- 4. The system of claim 3, wherein an administrator defines the validity time associated with issuance of the temporary security credentials.
- 5. The system of claim 4, wherein the temporary security credentials remain cryptographically valid after the profile check-in event while access authorization is denied as a result of modification of the IAM managed policy.
- 6. The system of claim 5, wherein the profile check-in module is configured to invalidate authorization associated with the temporary security credentials responsive to a request to check in the user profile after completion of the task.
- 7. The system of claim 6, wherein the profile check-in module modifies the IAM managed policy to introduce the deny authorization condition referencing the session identifier.
- 8. The system of claim 7, wherein the profile check-in module updates the session tag associated with the session identifier as part of the modification of the IAM managed policy.
- 9. The system of claim 8, wherein the credential management platform is configured to conditionally create the managed session policy and the inline session policy contemporaneously with issuing the temporary security credentials for the IAM role.
- 10. The system of claim 7, wherein the modification of the IAM managed policy ensures that access to the temporary security credentials is denied to an authenticated end user after the IAM managed policy is modified.
- 11. The system of claim 1, wherein a second session tag containing a second session identifier different from the session identifier uniquely identifies a second session connection of a second authenticated end user to AWS after AWS issues temporary security credentials for the IAM role to the second authenticated end user for completion of a second task.
- 12. The system of claim 1, wherein the IAM managed policy is dynamically created upon a first request to checkout a particular profile associated with the IAM role.
- 13. The system of claim 1, wherein the credential management platform is configured to vault the temporary security credentials in a user specific vault associated with the authenticated end user.
- 14. The system of claim 13, wherein vaulting the temporary credentials in the user specific vault enables the authenticated user to use the temporary credentials to complete the task at a future time.
- 15. The system of claim 1, wherein the particular AWS service is associated with a particular AWS account and the authenticated end user has permissions to access the particular AWS service via the particular AWS account.
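As an added example (not the patent's own code) of the checkout and check-in flow in claim 1: checkout builds the AssumeRole request carrying a managed session policy, an inline session policy and a session tag; check-in rewrites the IAM managed policy with an explicit Deny conditioned on that session's tag, so only the checked-in session loses authorization while its credentials stay cryptographically valid. The ARNs, the tag key, the sample policies and the simplified evaluator are assumptions; boto3 is not called, so the block runs offline.

```python
import json

# Constructed placeholders: the patent names no ARNs and does not name the session tag key.
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleCheckoutRole"
MANAGED_SESSION_POLICY_ARN = "arn:aws:iam::123456789012:policy/ExampleSessionBoundary"
SESSION_TAG_KEY = "SessionId"
# IAM managed policy attached to the role before any profile check-in.
BASE_MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

def build_assume_role_request(session_id: str) -> dict:
    """Checkout: kwargs for boto3 sts.assume_role() carrying the managed session policy
    (PolicyArns), the inline session policy (Policy) and the session tag (Tags)."""
    inline = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
    return {
        "RoleArn": ROLE_ARN,
        "RoleSessionName": f"checkout-{session_id}",
        "PolicyArns": [{"arn": MANAGED_SESSION_POLICY_ARN}],
        "Policy": json.dumps(inline),
        "Tags": [{"Key": SESSION_TAG_KEY, "Value": session_id}],
        "DurationSeconds": 3600,  # administrator-defined validity time
    }

def revoke_session(managed_policy: dict, session_id: str) -> dict:
    """Check-in: copy of the managed policy plus an explicit Deny that matches only
    principals whose session tag equals this session identifier."""
    deny = {"Sid": "Revoke" + session_id.replace("-", ""), "Effect": "Deny",
            "Action": "*", "Resource": "*",
            "Condition": {"StringEquals": {f"aws:PrincipalTag/{SESSION_TAG_KEY}": session_id}}}
    updated = json.loads(json.dumps(managed_policy))  # deep copy, caller's policy untouched
    updated["Statement"].append(deny)
    return updated

def is_allowed(policy: dict, action: str, principal_tags: dict) -> bool:
    """Simplified IAM evaluation (exact action names, StringEquals on principal tags only):
    any matching Deny wins, otherwise some Allow must match."""
    def matches(stmt: dict) -> bool:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("*", action) for a in actions):
            return False
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        return all(principal_tags.get(k.split("/", 1)[1]) == v for k, v in cond.items())
    matched = [s for s in policy["Statement"] if matches(s)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)
```

Session tags set in AssumeRole are exposed to policies as `aws:PrincipalTag/<key>`, which is why the Deny can single out one session of a shared role without touching the other sessions.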
Description
CLAIM OF BENEFIT TO PRIOR APPLICATION
This application claims benefit to U.S. Provisional Patent Application 63/461,793, entitled “Invalidating AWS Temporary Role Assumption Credentials using Session Policies and Session Tags,” filed Apr. 25, 2023. The U.S. Provisional Patent Application 63/461,793 is incorporated herein by reference.
BACKGROUND
Embodiments of the invention described in this specification relate generally to user/role access credentials management, and more particularly, to an AWS temporary role assumption access credentials invalidation system and a process for invalidating AWS temporary role assumption access credentials using session policies and session tags.
Amazon Web Services® (AWS®) provides a role assumption mechanism to provide users and services with temporary access to resources to accomplish various tasks. However, AWS does not provide a targeted mechanism to invalidate such temporary access upon request or after task completion. Specifically, AWS documentation states that it is not possible to perform targeted invalidation of temporary credentials upon request. At present, there are no existing systems, methods, or mechanisms that solve this problem. In fact, all of the existing systems, methods, or mechanisms addressing this issue impact more than just the individual session being targeted. Notably, for any given Identity and Access Management (IAM) role, an administrator can set the time period of validity (“validity time”) for the set of temporary credentials of the IAM role but cannot invalidate the given set of credentials before the validity time period expires without taking drastic measures that impact all users and services who may be using temporary credentials for the given IAM role. Consequently, to remove access for the user or service, the administrator would have to wait for the temporary credentials of the IAM role to naturally expire at the end of the validity time period.
This is problematic for organizations because there is often a time lag until natural expiration of the credentials occurs. This presents a window in which the user or service continues to have the access even though such access is no longer needed by the user or service. In terms of security, most organizations would recognize this window as a vulnerability. Therefore, what is needed is a way to immediately invalidate any issued access credentials, thereby providing a much more secure environment for the organization.
BRIEF DESCRIPTION
A novel AWS temporary role assumption access credentials invalidation system and process for invalidating AWS temporary role assumption access credentials using session policies and session tags are disclosed. In some embodiments, the AWS temporary role assumption access credentials invalidation system is configured to revoke the temporary credentials associated with an AWS temporary role which a user no longer needs and also ensure that a confused user does not inadvertently use an incorrect set of temporary credentials. For example, a user may inadvertently assume temporary production credentials when the user actually needs temporary development credentials. By invalidating AWS temporary role assumption access credentials using session policies and session tags, however, the inadvertently assumed credentials can be immediately invalidated. Furthermore, the AWS temporary role assumption access credentials invalidation system is configured to revoke temporary credentials when a user is finished with them. For instance, a user who correctly assumed the AWS temporary credentials for a development role (as intended) can utilize the temporary development credentials until they are no longer needed, at which point the AWS temporary role assumption access credentials invalidation system uses session policies and session tags to invalidate the credentials upon completion.
This ability to immediately invalidate any issued credential provides a much more secure environment for an organization. In some embodiments, the AWS temporary role assumption access credentials invalidation system comprises (i) an IAM managed policy configured for dynamic issuance of temporary credentials for an authenticated end user to perform a task that involves interaction with a particular service on AWS through a particular AWS account, (ii) an IAM role for which the temporary credentials are issued and which enables the authenticated end user to perform the task directly and seamlessly connected, over a session, to the particular service on AWS through the AWS account, (iii) a session policy and session tag file listing a managed session policy, an inline session policy, and a session tag, and (iv) a platform between the authenticated end user and AWS that is configured to authenticate the authenticated end user upon login and perform both issuance of the temporary credentials, upon request to checkout a profile by the authenticated end user, and revocation of the temporary credentials, upon a request to