STS

AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

STS integrates with other AWS services:

  1. IAM: Works closely with IAM for role definitions and permissions.

  2. Cognito: Can use STS for providing temporary credentials to mobile or web app users.

  3. AWS Organizations: Can be used in conjunction with STS for cross-account access.

  4. Key Features:

    1. Temporary Credentials: STS issues short-term security credentials that are valid for a specified duration and expire automatically afterwards.

    2. Limited Privileges: These credentials can carry narrower permissions than the identity that requested them.

    3. No Long-term Secrets: Because the credentials are temporary, there is no long-term access key to rotate or revoke.

  5. Use Cases:

    1. Federation: Integrate with external identity providers (e.g., Active Directory, Facebook).

    2. Cross-Account Access: Allow users from one AWS account to access resources in another.

    3. Enhanced Security: Implement the principle of least privilege by providing temporary, limited-scope credentials.

  6. Core API Calls:

    1. AssumeRole: Obtain temporary credentials for cross-account access or enhanced security.

    2. AssumeRoleWithWebIdentity: Used for web identity federation (e.g., login with Google, Facebook).

    3. AssumeRoleWithSAML: Used for SAML-based federation (e.g., Active Directory).

    4. GetSessionToken: Obtain temporary credentials for an IAM user or AWS account root user.

  7. Components:

    1. IAM Roles: Define the permissions that STS will use to generate temporary credentials.

    2. Trust Relationships: Specify who can assume a role (e.g., IAM users, external accounts, services).

    3. Temporary Security Credentials: Consist of an access key ID, a secret access key, and a session (security) token.

  8. Security Best Practices:

    1. Use STS instead of creating IAM users with long-term credentials.

    2. Implement the principle of least privilege when defining permissions for roles.

    3. Set appropriate expiration periods for temporary credentials.
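The following is an added example, not code from the page or from AWS, that ties together the Trust Relationships component, the AssumeRole call and the three best practices above. It shows a constructed trust policy with a helper that lists who may assume the role (an audit check for the trust relationship), builds an AssumeRole request with a bounded DurationSeconds and a session policy that narrows the role's permissions for that session, and parses the temporary credential set (access key ID, secret access key, session token, expiration). The role ARN, account IDs 111122223333 and 444455556666, bucket name and session policy are placeholders invented for the example; FakeStsClient is a constructed stand-in so the code runs offline, and make_sts_client() is the only part that needs boto3 and real AWS credentials.

```python
"""Added example: scoped, short-lived credentials via STS AssumeRole.

Hypothetical values: role ARNs, account IDs, bucket name and policies below
are constructed. Only the standard library is required; boto3 is imported
lazily and only when make_sts_client() is called against a real account.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone

# Limits STS enforces on AssumeRole DurationSeconds: at least 900 s and at
# most the role's MaxSessionDuration, which itself cannot exceed 12 hours.
MIN_DURATION = 900
MAX_DURATION = 12 * 3600
# RoleSessionName must be 2-64 characters from [A-Za-z0-9_+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed trust policy: only one role in account 111122223333 may assume
# the role that carries it (the "Trust Relationships" component).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-deployer"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed session policy: passed at AssumeRole time, it can only narrow
# the role's own permissions, never widen them (least privilege per session).
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-artifacts",
                     "arn:aws:s3:::example-artifacts/*"],
    }],
}


def trusted_principals(trust_policy: dict) -> set[str]:
    """List AWS principals an Allow statement lets call sts:AssumeRole."""
    principals: set[str] = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anyone may assume: worth flagging in an audit
            principals.add("*")
            continue
        aws = principal.get("AWS", [])
        principals.update([aws] if isinstance(aws, str) else aws)
    return principals


def build_assume_role_request(role_arn, session_name, duration_seconds=3600,
                              session_policy=None):
    """Validate inputs client-side and build the AssumeRole parameters."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("invalid RoleSessionName")
    request = {"RoleArn": role_arn, "RoleSessionName": session_name,
               "DurationSeconds": duration_seconds}
    if session_policy is not None:
        request["Policy"] = json.dumps(session_policy)
    return request


def credentials_from_response(response: dict) -> dict:
    """Extract the three-part temporary credential set plus its expiry."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def seconds_until_expiry(creds: dict, now: datetime | None = None) -> float:
    """Seconds left before the credentials stop working (negative if expired)."""
    now = now or datetime.now(timezone.utc)
    return (creds["expiration"] - now).total_seconds()


def assume_role(sts_client, role_arn, session_name, duration_seconds=3600,
                session_policy=None):
    """Call AssumeRole on any client exposing assume_role(**kwargs)."""
    request = build_assume_role_request(role_arn, session_name,
                                        duration_seconds, session_policy)
    return credentials_from_response(sts_client.assume_role(**request))


def make_sts_client():
    """Real client; needs boto3 and AWS credentials in the environment."""
    import boto3  # imported here so the rest of the module runs without it
    return boto3.client("sts")


class FakeStsClient:
    """Constructed stand-in that answers like STS so the example runs offline."""
    def assume_role(self, **kwargs):
        expiry = datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY",
                                "SecretAccessKey": "example-secret",
                                "SessionToken": "example-token",
                                "Expiration": expiry}}


if __name__ == "__main__":
    print("may assume:", trusted_principals(TRUST_POLICY))
    creds = assume_role(FakeStsClient(),
                        "arn:aws:iam::444455556666:role/artifact-reader",
                        "deploy-job-42", 900, READ_ONE_BUCKET)
    print("expires in ~", round(seconds_until_expiry(creds)), "s")
```

To run against a real account, replace FakeStsClient() with make_sts_client(); the returned dict maps directly onto the keys a boto3 Session accepts, and seconds_until_expiry() gives callers a way to refresh before the session token lapses rather than caching it indefinitely.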
