# Tenant Security settings

## Configuring Security settings at the Tenant Level

Configure these settings (properties) by navigating to **Administrator** -> **Tenants** in the DuploCloud Portal. Select the Tenant for which you want to configure the settings listed below and click the **Settings** tab. The Tenant Feature Properties are listed in the **Name** column in the **Settings** tab.

To edit or remove an existing property, click the menu (<img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2FiNwYVMf4fky7ZPl41t38%2FKabab_three_Vertical_dots.png?alt=media&#x26;token=566b1d4e-a9bc-43c8-995a-044ceab9f38b" alt="" data-size="line">) icon to the left of the property **Name** and select **Edit Setting** or **Remove Setting**. To add any of these settings, click **Add**, then select and **Enable** the feature in the **Add Tenant Feature** pane.

<figure><img src="https://2471407984-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F68cb0s9ce5UIUKWPuYs8%2Fuploads%2FUqqhLKffrUCSNTbf0fk0%2Fsystemconfig4.png?alt=media&#x26;token=208d87a9-d355-4f0d-b39b-d2794207de9f" alt=""><figcaption><p><strong>Add Tenant Feature</strong> pane for configuring Tenant settings</p></figcaption></figure>

A Default Value of **Enabled** in the table below displays a property value of **True** in the UI.

A Default Value of **Disabled** in the table below displays a property value of **False** in the UI.

### Tenant Security Settings

<table><thead><tr><th>Tenant Feature Property</th><th>Description</th><th>Default Value</th><th data-hidden>Name</th></tr></thead><tbody>
<tr><td><strong>Enable Encryption at Rest</strong></td><td>Configures encryption at rest for AWS resources such as RDS, ElastiCache, and Elasticsearch</td><td>Disabled</td><td></td></tr>
<tr><td><strong>Block Public Access</strong></td><td>Blocks (disables) public access to S3</td><td>Enabled</td><td></td></tr>
<tr><td><strong>Maximum Session Duration</strong></td><td><p>Configures the AWS IAM Role maximum session duration for the Tenant role</p><p>Provide input in Hours.<br>Additional details can be found <a href="../use-cases/tenant-environment/tenant-session-duration">here</a></p></td><td><strong>3600</strong> seconds (1 Hour)</td><td></td></tr>
<tr><td><strong>Enforce SSL for ES</strong></td><td>Requires SSL encryption for AWS Elasticsearch</td><td>Enabled</td><td></td></tr>
<tr><td><strong>Enforce SSL for S3</strong></td><td>Requires SSL encryption for AWS S3 Buckets</td><td>Enabled</td><td></td></tr>
<tr><td><strong>Enable node to node encryption for ES</strong></td><td>Enables node-to-node encryption to protect data transferred between nodes using SSL encryption</td><td>Enabled</td><td></td></tr>
<tr><td><strong>Automatically rotate KMS keys</strong></td><td>Enables automatic rotation of KMS keys to prevent extensive key reuse</td><td>Enabled</td><td></td></tr>
<tr><td><strong>Delete protection</strong></td><td>Protects Tenants from accidental deletion. See Deleting a Tenant</td><td>Enabled</td><td></td></tr>
<tr><td><strong>AWS Access Token Validity</strong></td><td>AWS Console JIT (Just-In-Time) session token validation time in seconds before time-out</td><td><strong>3600</strong> seconds (1 Hour)</td><td></td></tr>
<tr><td><strong>Restrict Public IP for Non-Admin</strong></td><td>Restricts Non-Administrators from creating a load balancer that uses a Public IP address</td><td>Disabled</td><td></td></tr>
<tr><td><strong>Restrict EC2 instance create in public subnet for non-admin</strong></td><td>Restricts Non-Administrators from creating EC2 Instances that use a Public IP address</td><td>Disabled</td><td></td></tr>
<tr><td><strong>Restrict non-ssl listener create for non-admin</strong></td><td>Restricts Non-Administrators from creating a load balancer without SSL certificates</td><td>Disabled</td><td></td></tr>
</tbody></table>
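To confirm that the settings in the table took effect on the AWS side, you can compare the state of a Tenant's resources against the expected values. The following is an added example, not DuploCloud code: it assumes each setting maps to the AWS attribute named in the comments (the page does not state how the settings are implemented), and it runs over a constructed sample shaped like boto3 responses rather than calling AWS.

```python
import json

# Constructed sample of boto3-style responses for one Tenant's resources.
# Field names follow the AWS APIs; the values are made up for this example.
SAMPLE = {
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "bucket_policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "kms_rotation": {"KeyRotationEnabled": True},
    "es_domain": {"NodeToNodeEncryptionOptions": {"Enabled": True},
                  "DomainEndpointOptions": {"EnforceHTTPS": False}},
    "role": {"MaxSessionDuration": 43200},
}

def denies_plaintext(policy_json):
    """True if a statement denies requests where aws:SecureTransport is false."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport")).lower() == "false":
            return True
    return False

def audit(state, max_session_seconds=3600):
    """Return the table's settings whose assumed AWS-side state does not match."""
    findings = []
    pab = state.get("public_access_block", {})  # assumed mapping: S3 PublicAccessBlock
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append("Block Public Access")
    if not denies_plaintext(state.get("bucket_policy") or "{}"):
        findings.append("Enforce SSL for S3")
    if not state.get("kms_rotation", {}).get("KeyRotationEnabled"):
        findings.append("Automatically rotate KMS keys")
    es = state.get("es_domain", {})
    if not es.get("NodeToNodeEncryptionOptions", {}).get("Enabled"):
        findings.append("Enable node to node encryption for ES")
    if not es.get("DomainEndpointOptions", {}).get("EnforceHTTPS"):
        findings.append("Enforce SSL for ES")
    if state.get("role", {}).get("MaxSessionDuration") != max_session_seconds:
        findings.append("Maximum Session Duration")
    return findings
```

For the constructed sample, `audit(SAMPLE)` reports **Block Public Access**, **Enforce SSL for ES**, and **Maximum Session Duration** as not matching the defaults in the table.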

