By Samson Tanimawo, PhD. Published Feb 7, 2026.

IAM Session Duration: Tighten by Default

The default IAM role session lasts 1 hour. Below: the case for shorter sessions and the case for longer ones.

Defaults

Short: 15 minutes. Frequent re-auth; minimal credential exposure.

Long: 12 hours. Less re-auth; more exposure.

Shorter when

Production access. High-stakes credentials should expire quickly.

Cross-account roles. A short session limits the window of compromise.

Longer when

Long-running automation. Re-auth would interrupt work.

But still cap at 12 hours. Anything beyond that is over-permissive.
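The rules above can be checked mechanically. The following sketch is an added example, not code from the article. It audits role records against the 15-minute, 1-hour and 12-hour targets. IAM does not accept a role `MaxSessionDuration` below 3600 seconds, so the 15-minute target has to be met by the caller's `DurationSeconds`. The tag keys `env` and `workload`, the account IDs and the sample roles are assumptions made for illustration.

```python
import re

SHORT, DEFAULT, LONG = 900, 3600, 43200  # 15 min, 1 h, 12 h (seconds)
ROLE_MIN = 3600  # IAM rejects a role MaxSessionDuration below one hour

def trusted_accounts(trust_policy):
    """Account IDs (or "*") allowed to assume the role via AWS principals."""
    found = set()
    stmts = trust_policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            m = re.match(r"(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12}|\*)", p)
            if m:
                found.add(m.group(1))
    return found

def audit_role(role, home_account):
    """Pick the session target for one role and flag an oversized maximum."""
    tags = {t["Key"]: t["Value"] for t in role.get("Tags", [])}
    cross = bool(trusted_accounts(role["AssumeRolePolicyDocument"]) - {home_account})
    if cross or tags.get("env") == "prod":      # tag keys are assumptions
        request = SHORT
    elif tags.get("workload") == "automation":
        request = LONG
    else:
        request = DEFAULT
    role_max = max(request, ROLE_MIN)  # 15 min is met via the caller's DurationSeconds
    return {"role": role["RoleName"], "cross_account": cross,
            "request_seconds": request, "role_max_seconds": role_max,
            "too_long": role["MaxSessionDuration"] > role_max}

def sample_role(name, max_seconds, principal, **tags):
    """Constructed record shaped like the Role object IAM GetRole returns."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    return {"RoleName": name, "MaxSessionDuration": max_seconds,
            "AssumeRolePolicyDocument": {"Statement": [stmt]},
            "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}

HOME = "111122223333"  # constructed account IDs throughout
ROLES = [
    sample_role("prod-deploy", 43200, {"AWS": f"arn:aws:iam::{HOME}:root"}, env="prod"),
    sample_role("partner-read", 7200, {"AWS": "arn:aws:iam::444455556666:root"}),
    sample_role("nightly-etl", 43200, {"Service": "ec2.amazonaws.com"}, workload="automation"),
    sample_role("dev-sandbox", 3600, {"AWS": HOME}, env="dev"),
]
```

Calling `audit_role(r, HOME)` for each entry in `ROLES` flags `prod-deploy` and `partner-read` as too long and passes the other two.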