User session interruption because of malicious behaviour detection

Hey, is there a way how to interrupt ongoing user session? Use case: our security engineer identifies a malicious behaviour and we want to be able to immediately interrupt all the users’ ongoing sessions. Thank you!

Hi @Milos

Currently we can end the temporary STS sessions by revoking all the active sessions at the Role level as shown below.

Additionally you can ensure row level data security filters are configured to ensure users are accessing the correct data .


We are using sign-in through QuickSight without a custom IdP. Is there any particular built-in QS role attached to each QS-managed user? If so, how can I identify it for revoking ongoing sessions?

Hello @Milos and @apjvinod !

Were you able to resolve this or are you still running into this problem? It has been some time since there has been activity on this post but we still want to help you find a solution.

To my knowledge, there is no way in the Quicksight console to revoke access to an ongoing session. My suggestion would be to in the moment delete or deactivate the user, and also change the session length to limit the access.

Unfortunately, not:

  1. Removing a user will not interrupt their ongoing session immediately; it took some time (there is probably a caching mechanism in place)
  2. The QS console nor the API don’t support moving orphaned resources for users other than those in the default namespace. Therefore, authors lost their resources on deletion
  3. What do you mean by deactivating the user? I’m not familiar with this term.
  4. Session length - minimum is 15 minutes, which is too much in the case of a security incident. Even if not, how does embedding work if a session expires? Is the embedded SDK able to renew expired sessions automatically once they expire so regular users will not be interrupted from previewing dashboards?
  5. There is an option for managing AWS access portal sessions, but I need to investigate deeper.

Hello @Milos and @apjvinod !

@Milos , sorry about the late reply! I will mark this as a feature request for the API and console for the QuickSight team.