Why does my AWS SSO session die so fast? (And how to change it in the console)

#aws #identitycenter #iam #sso

Why does my AWS SSO session die so fast? (And how to change it in the console)

Ever open the AWS access portal, click into an account, get a few things done, grab coffee, come back—and your session is gone? You sign in again through IAM Identity Center (what people still call SSO), mutter something about timeouts, and move on.

I used to assume AWS was just being strict for security. Partly true. The other part is boring: the permission set is probably still on the default session length, which is often one hour. Once you know that, fixing it is a few clicks in the console. No Terraform, no CLI—just the UI.

1. Overview

What you are changing: Session duration on an IAM Identity Center permission set (how long console and CLI sessions issued through that set stay valid before you must re-authenticate through the portal).
Why it felt short: Default duration for a new permission set is commonly 1 hour unless someone already raised it.
What this article is not: IAM roles in accounts, temporary credentials from sts:AssumeRole in automation, or Control Tower landing zone knobs—only Identity Center permission sets.

2. Prerequisites

You can sign in to the AWS Management Console for the organization that owns IAM Identity Center (often the management or delegated admin account where the directory lives).
Your user (or role) has permission to edit permission sets (for example an IAM Identity Center administrator).

3. Open the permission set

3.1 Go to IAM Identity Center

In the console, open IAM Identity Center (search IAM Identity Center in the top search bar if the console layout moves again).

3.2 Open Permission sets

Choose Permission sets in the left navigation. Select the permission set you actually use for day-to-day access (for example AdministratorAccess, PowerUser, or a custom name your org created).

4. Edit session duration

4.1 Edit settings

On the permission set details page, choose Edit (sometimes shown as Edit configuration depending on the console version).

4.2 Find session duration

Look for Session duration (wording may be Session length or similar). You will see a value in hours (or a dropdown bounded by what Identity Center allows for that permission set).

Pick something that matches how you work—for example 8 hours for a normal workday—without ignoring your org’s security policy. Shorter is generally safer for high-privilege sets; longer is more convenient and widens the window if a session is misused.

4.3 Save

Save the change. Existing sessions do not always pick up the new limit immediately; people may need to sign out of the access portal and sign in again (or wait for the current session to expire) before the new duration applies.

5. Summary

Short timeouts after portal login are often just the permission set default (commonly one hour), not a mystery AWS punishment.
IAM Identity Center → Permission sets → your set → Edit → Session duration → save. Re-login if you do not see the new behavior yet.