Set session duration - Amazon IAM Identity Center

Set session duration

For each permission set, you can specify a session duration to control the length of time that a user can be signed in to an Amazon Web Services account. When the specified duration elapses, Amazon signs the user out of the session.

When you create a new permission set, the session duration is set to 1 hour (expressed in seconds) by default. The minimum session duration is 1 hour, and the maximum is 12 hours. IAM Identity Center automatically creates IAM roles in each assigned account for each permission set, and configures these roles with a maximum session duration of 12 hours.

When users federate into their Amazon Web Services account console or when the Amazon Command Line Interface (Amazon CLI) is used, IAM Identity Center uses the session duration setting on the permission set to control the duration of the session. By default, IAM roles generated by IAM Identity Center for permission sets can only be assumed by IAM Identity Center users, which ensures that the session duration specified in the IAM Identity Center permission set is enforced.

Important

As a security best practice, we recommend that you do not set the session duration length longer than is needed to perform the role.

After you create a permission set, you can update it to apply a new session duration. Use the following procedure to modify the session duration length for a permission set.

To set the session duration
  1. Open the IAM Identity Center console.

  2. Under Multi-account permissions, choose Permission sets.

  3. Choose the name of the permission set for which you want to change the session duration.

  4. On the details page for the permission set, to the right of the General settings section heading, choose Edit.

  5. On the Edit general permission set settings page, choose a new value for Session duration.

  6. If the permission set is provisioned in any Amazon Web Services accounts, the names of the accounts appear under Amazon Web Services accounts to reprovision automatically. After the session duration value for the permission set is updated, all Amazon Web Services accounts that use the permission set are reprovisioned. This means that the new value for this setting is applied to all Amazon Web Services accounts that use the permission set.

  7. Choose Save changes.

  8. At the top of the Amazon Web Services accounts page, a notification appears.

    • If the permission set is provisioned in one or more Amazon Web Services accounts, the notification confirms that the Amazon Web Services accounts were reprovisioned successfully, and the updated permission set was applied to the accounts.

    • If the permission set isn't provisioned in an Amazon Web Services account, the notification confirms that the settings for the permission set were updated.
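
To find permission sets whose session duration is longer than needed before editing them, the following added example (not part of the AWS documentation) audits a list of permission-set records. It assumes the records come from the `sso-admin` `DescribePermissionSet` API, which reports `SessionDuration` as an ISO-8601 string such as `PT4H`; the sample records and the 4-hour policy ceiling are constructed for illustration.

```python
import re

# ISO-8601 time-only durations such as PT1H, PT90M, PT1H30M, PT3600S.
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

MIN_SECONDS = 1 * 3600    # minimum session duration stated on this page
MAX_SECONDS = 12 * 3600   # maximum session duration stated on this page


def duration_seconds(value):
    """Convert an ISO-8601 duration like 'PT4H' to seconds."""
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def audit(permission_sets, policy_max_seconds):
    """Return (name, seconds, finding) for every set that needs attention."""
    findings = []
    for ps in permission_sets:
        try:
            secs = duration_seconds(ps["SessionDuration"])
        except (KeyError, ValueError):
            findings.append((ps.get("Name"), None, "unparseable"))
            continue
        if not MIN_SECONDS <= secs <= MAX_SECONDS:
            findings.append((ps["Name"], secs, "outside 1h-12h range"))
        elif secs > policy_max_seconds:
            findings.append((ps["Name"], secs, "exceeds policy"))
    return findings


# Constructed sample records (names and values are hypothetical).
SAMPLE = [
    {"Name": "ReadOnly", "SessionDuration": "PT1H"},
    {"Name": "Billing", "SessionDuration": "PT8H"},
    {"Name": "AdminAccess", "SessionDuration": "PT12H"},
    {"Name": "BreakGlass", "SessionDuration": "PT90M"},
    {"Name": "Legacy", "SessionDuration": "P1D"},
]

if __name__ == "__main__":
    for name, secs, finding in audit(SAMPLE, policy_max_seconds=4 * 3600):
        print(f"{name}: {secs} -> {finding}")
```

Each flagged permission set can then be updated with the console procedure above, which reprovisions every account that uses it.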