

# Configure permission set properties


In IAM Identity Center, administrators can complete the following configuration and management tasks to control user access and session duration.


| Task | Learn more | 
| --- | --- | 
| Administrators can set the maximum duration for user sessions when accessing AWS resources through IAM Identity Center. | [Set session duration for AWS accounts](howtosessionduration.md) | 
| Administrators can customize the landing page users see after successfully authenticating through IAM Identity Center. | [Set relay state for quick access to the AWS Management Console](howtopermrelaystate.md) | 
| Ensure users no longer have access to AWS resources when their permissions are revoked. | [Use a Deny policy to revoke active user permissions](prereqs-revoking-user-permissions.md) | 

# Set session duration for AWS accounts


For each [permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html), you can specify a session duration to control the length of time that a user can be signed in to an AWS account. When the specified duration elapses, AWS signs the user out of the session. 

When you create a new permission set, the session duration defaults to 1 hour (expressed in seconds). The minimum session duration is 1 hour and the maximum is 12 hours. IAM Identity Center automatically creates IAM roles in each assigned account for each permission set, and configures these roles with a maximum session duration of 12 hours.

When users federate into their AWS account console or when the AWS Command Line Interface (AWS CLI) is used, IAM Identity Center uses the session duration setting on the permission set to control the duration of the session. By default, IAM roles generated by IAM Identity Center for permission sets can only be assumed by IAM Identity Center users, which ensures that the session duration specified in the IAM Identity Center permission set is enforced.

**Important**  
As a security best practice, we recommend that you do not set the session duration length longer than is needed to perform the role.

After you create a permission set, you can update it to apply a new session duration. Use the following procedure to modify the session duration length for a permission set.

**To set the session duration**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Under **Multi-account permissions**, choose **Permission sets**.

1. Choose the name of the permission set for which you want to change the session duration.

1. On the details page for the permission set, to the right of the **General settings** section heading, choose **Edit**.

1. On the **Edit general permission set settings** page, choose a new value for **Session duration**.

1. If the permission set is provisioned in any AWS accounts, the names of the accounts appear under **AWS accounts to reprovision automatically**. After the session duration value for the permission set is updated, all AWS accounts that use the permission set are reprovisioned. This means that the new value for this setting is applied to all AWS accounts that use the permission set.

1. Choose **Save changes**.

1. At the top of the **AWS accounts** page, a notification appears.
   + If the permission set is provisioned in one or more AWS accounts, the notification confirms that the AWS accounts were reprovisioned successfully, and the updated permission set was applied to the accounts.
   + If the permission set isn't provisioned in an AWS account, the notification confirms that the settings for the permission set were updated.

# Set relay state for quick access to the AWS Management Console

By default, when a user signs into the AWS access portal, chooses an account, and then chooses the role that AWS creates from the assigned permission set, IAM Identity Center redirects the user’s browser to the AWS Management Console. You can change this behavior by setting the relay state to a different console URL. 

Setting the relay state enables you to provide the user with quick access to the console that is most appropriate for their role. For example, you can set the relay state to the Amazon EC2 console URL (**https://console.aws.amazon.com/ec2/**) to redirect the user to that console when they choose the Amazon EC2 administrator role. During the redirection to the default URL or relay state URL, IAM Identity Center routes the user’s browser to the console endpoint in the last AWS Region used by the user. For example, if a user ended their last console session in the Europe (Stockholm) Region (eu-north-1), the user is redirected to the Amazon EC2 console in that Region.

![Workflow diagram for setting relay state in the AWS Management Console.](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/permission_sets_relay_state_newest.png)


To configure IAM Identity Center to redirect the user to a console in a specific AWS Region, include the Region specification as part of the URL. For example, to redirect the user to the Amazon EC2 console in the US East (Ohio) Region (us-east-2), specify the URL for the Amazon EC2 console in that Region (**https://us-east-2.console.aws.amazon.com/ec2/**). If you enabled IAM Identity Center in the US West (Oregon) Region (us-west-2) Region and you want to direct the user to that Region, specify **https://us-west-2.console.aws.amazon.com**. 

## Configure the relay state


Use the following procedure to configure the relay state URL for a permission set.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Under **Multi-account permissions**, choose **Permission sets**.

1. Choose the name of the permission set for which you want to set the new relay state URL.

1. On the details page for the permission set, to the right of the **General settings** section heading, choose **Edit**.

1. On the **Edit general permission set settings** page, under **Relay state**, type a console URL for any of the AWS services. For example:

   **https://console.aws.amazon.com/ec2/**

   **Note**  
   The relay state URL must be within the AWS Management Console.

1. If the permission set is provisioned in any AWS accounts, the names of the accounts appear under **AWS accounts to reprovision automatically**. After the relay state URL for the permission set is updated, all AWS accounts that use the permission set are reprovisioned. This means that the new value for this setting is applied to all AWS accounts that use the permission set.

1. Choose **Save changes**.

1. At the top of the **AWS Organization** page, a notification appears.
   + If the permission set is provisioned in one or more AWS accounts, the notification confirms that the AWS accounts were reprovisioned successfully, and the updated permission set was applied to the accounts.
   + If the permission set isn't provisioned in an AWS account, the notification confirms that the settings for the permission set were updated.

**Note**  
You can automate this process by using the AWS API, an AWS SDK, or the AWS Command Line Interface (AWS CLI). For more information, see:
+ The `CreatePermissionSet` or `UpdatePermissionSet` actions in the [IAM Identity Center API Reference](https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html).
+ The `create-permission-set` or `update-permission-set` commands in the [sso-admin](https://docs.aws.amazon.com/cli/latest/reference/sso-admin/index.html#cli-aws-sso-admin) section of the *AWS CLI Command Reference*.
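The two settings above (session duration, 1 to 12 hours, and a relay state that must stay within the AWS Management Console) are validated and assembled into the `UpdatePermissionSet` and `ProvisionPermissionSet` requests in the following added example. It is not code from the AWS documentation; the ARNs used when calling it are placeholders, and the functions only build request parameters, so passing them to a real `boto3` `sso-admin` client is left to the caller.

```python
import re
from typing import Optional
from urllib.parse import urlparse

CONSOLE_HOST = "console.aws.amazon.com"
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")  # e.g. us-east-2, eu-north-1

def session_duration_param(hours: int) -> str:
    """ISO-8601 duration string the sso-admin API expects for SessionDuration.
    A permission set allows 1 hour (the default) up to 12 hours."""
    if not isinstance(hours, int) or not 1 <= hours <= 12:
        raise ValueError("session duration must be a whole number of hours, 1 to 12")
    return f"PT{hours}H"

def relay_state_region(url: str) -> Optional[str]:
    """Reject a relay state outside the AWS Management Console; return the Region
    the URL pins the user to, or None when the last-used Region applies."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    in_console = host == CONSOLE_HOST or host.endswith("." + CONSOLE_HOST)
    if parts.scheme != "https" or not in_console:
        raise ValueError(f"relay state must be within the AWS Management Console: {url}")
    prefix = host[: -len(CONSOLE_HOST)].rstrip(".")  # "us-east-2", "s3", or ""
    return prefix if REGION_RE.fullmatch(prefix) else None

def build_update_params(instance_arn: str, permission_set_arn: str, hours: int,
                        relay_state: Optional[str] = None) -> dict:
    """Assemble the UpdatePermissionSet request (boto3 sso-admin kwargs; the CLI
    flags --session-duration and --relay-state take the same values)."""
    params = {"InstanceArn": instance_arn, "PermissionSetArn": permission_set_arn,
              "SessionDuration": session_duration_param(hours)}
    if relay_state is not None:
        relay_state_region(relay_state)  # validates; raises if outside the console
        params["RelayState"] = relay_state
    return params

def build_reprovision_params(instance_arn: str, permission_set_arn: str) -> dict:
    """ProvisionPermissionSet request that pushes the updated settings to every
    account the permission set is provisioned in (the console does this for you)."""
    return {"InstanceArn": instance_arn, "PermissionSetArn": permission_set_arn,
            "TargetType": "ALL_PROVISIONED_ACCOUNTS"}
```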

# Use a Deny policy to revoke active user permissions


You might need to revoke an IAM Identity Center user’s access to AWS accounts while the user is actively using a permission set. You can remove their ability to use their active IAM role sessions by implementing a Deny policy for an unspecified user in advance, then when needed, you can update the Deny policy to specify the user whose access you want to block. This topic explains how to create a Deny policy and considerations for how to deploy the policy. 

## Prepare to revoke an active IAM role session created by a permission set


You can prevent the user from taking actions with an IAM role they are actively using by applying a deny all policy for a specific user through the use of a Service Control Policy. You can also prevent a user from using any permission set until you change their password, which locks out a bad actor actively misusing stolen credentials. If you need to deny access broadly and prevent a user from re-entering a permission set or accessing other permission sets, you might also remove all user access, stop the active AWS access portal session, and disable the user sign-in. See [View and end active sessions for your workforce users](end-active-sessions.md) to learn how to use the Deny policy in conjunction with additional actions for broader access revocation.

### Deny policy


You can use a Deny policy with a condition that matches the user’s `UserID` from the IAM Identity Center identity store to prevent further actions by an IAM role that the user is actively using. Using this policy avoids impact to other users who might be using the same permission set when you deploy the Deny policy. This policy uses the placeholder user ID, *`Add user ID here`*, for `"identitystore:userId"`, which you’ll replace with the user ID for which you want to revoke access.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "identitystore:userId": "Add user ID here"
                }
            }
        }
    ]
}
```

Although you could use another condition key such as `"aws:userId"`, `"identitystore:userId"` is reliable because it is a globally unique value that is associated with one person. Using `"aws:userId"` in the condition can be affected by how user attributes are synchronized from your source of identities, and its value can change if the user’s username or email address changes.

From the IAM Identity Center console, you can find a user’s `identitystore:userId` by navigating to **Users**, searching for the user by name, expanding the **General information** section and copying the User ID. It's also convenient to stop a user’s AWS access portal session and disable their sign-in access in the same section while searching for the User ID. You can automate the process to create a Deny policy by obtaining the user’s User ID through querying the identity store APIs.

### Deploying the deny policy


You can use a placeholder user ID that isn't valid, such as `Add user ID here`, to deploy the Deny policy in advance using a Service Control Policy (SCP) that you attach to the AWS accounts users might have access to. This is the recommended approach for its ease and speed of impact. When you revoke a user’s access with the Deny policy, you'll edit the policy to replace the placeholder user ID with the user ID of the person whose access you want to revoke. This prevents the user from taking any actions with any permission set in every account to which you attach the SCP. It blocks the user’s actions even if they use their active AWS access portal session to navigate to different accounts and assume different roles. With the user’s access fully blocked by the SCP, you can then disable their ability to sign in, revoke their assignments, and stop their AWS access portal session if needed.

As an alternative to using SCPs, you can also include the Deny policy in the inline policy of permission sets and in customer managed policies that are used by the permission sets the user can access. 

If you must revoke access for more than one person, you can use a list of values in the condition block, such as:

```
"Condition": {
    "StringEquals": {
        "identitystore:userId": ["user1 userId", "user2 userId"...]
    }
}
```

**Important**  
Regardless of the method(s) you use, you must take any other corrective actions and keep the user’s user ID in the policy for at least 12 hours. After that time, any roles the user has assumed expire and you can then remove their user ID from the Deny policy.
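The following added example (not code from the AWS documentation) automates the steps described in this topic: it resolves a user name to the `identitystore:userId` with the identity store `GetUserId` API, produces the Deny policy from the section above with the placeholder replaced by one ID or a list of IDs, refuses to emit a policy that still carries the placeholder or a value with stray whitespace (which `StringEquals` would never match), and checks which user the resulting condition blocks. The identity store client is a constructed offline stand-in; a real `boto3.client("identitystore")` has the same `get_user_id` call, and the user IDs and identity store ID are constructed sample values.

```python
PLACEHOLDER = "Add user ID here"  # the page's pre-deployed, never-matching value

def build_deny_policy(user_ids) -> dict:
    """Deny-all policy from the page, placeholder replaced by one ID or a list."""
    ids = [user_ids] if isinstance(user_ids, str) else list(user_ids)
    for uid in ids:
        # StringEquals is an exact match: an empty value, the untouched
        # placeholder, or stray whitespace would leave the user un-denied.
        if not uid or uid == PLACEHOLDER or uid != uid.strip():
            raise ValueError(f"unusable user ID in Deny policy: {uid!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "identitystore:userId": ids[0] if len(ids) == 1 else ids}},
        }],
    }

def lookup_user_id(client, identity_store_id: str, user_name: str) -> str:
    """Resolve a user name to its immutable identitystore UserId (GetUserId API);
    client is boto3.client("identitystore") or an offline stand-in."""
    resp = client.get_user_id(
        IdentityStoreId=identity_store_id,
        AlternateIdentifier={"UniqueAttribute": {
            "AttributePath": "userName", "AttributeValue": user_name}})
    return resp["UserId"]

def is_denied(policy: dict, user_id: str) -> bool:
    """Evaluate the condition as StringEquals does: a single value, or any
    member of a list, equal to the caller's identitystore:userId."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        want = stmt["Condition"]["StringEquals"]["identitystore:userId"]
        if user_id in ([want] if isinstance(want, str) else want):
            return True
    return False

class FakeIdentityStore:
    """Constructed stand-in for the identitystore client so this runs offline."""
    def __init__(self, users: dict):
        self.users = users  # userName -> constructed UserId

    def get_user_id(self, IdentityStoreId, AlternateIdentifier):
        name = AlternateIdentifier["UniqueAttribute"]["AttributeValue"]
        return {"UserId": self.users[name]}
```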