Is it safe to rely on Google Workspace for AWS access with MFA?

Asked By TechieExplorer42 On

Hey everyone! I'm working on setting up an AWS Organization and I want to use Google Workspace as my Identity Provider (IdP) for AWS. Everything seems to be functioning well, but I've noticed that it doesn't always prompt for Multi-Factor Authentication (MFA) as frequently as I'd like. Ideally, I'd prefer to have MFA triggered every time I log in (or at least every 1-2 hours) when accessing AWS through Google. I came across an earlier discussion but didn't find it very convincing. I'm curious—can I really trust Google to manage session lifecycles and MFA for accessing AWS? Google sessions tend to be fairly long-lived, so am I overthinking this?

1 Answer

Answered By CloudGuru1987 On

You're right about the default session length being 14 days with Google Workspace. You could lower this in the Google Admin settings, but it may get annoying having to log in so often. In my experience, a lot of our team doesn't use the console often; they mostly manage infrastructure with Terraform, only logging in to check logs in CloudWatch, and those roles have very limited permissions.

SecurityConscious99 -

That's a solid strategy, but it does raise concerns if someone with higher permissions, like me, is involved. I even bought a hardware token, but I still feel uneasy. I’m thinking of setting Google session lengths to 24 hours.
