DEV Community

Wakeup Flower
AWS Security Token Service STS and usage

What is AWS Security Token Service (AWS STS)?

AWS STS is a service that issues temporary security credentials so you can access AWS resources without long-term credentials (like IAM user access keys).

Think of it as a short-lived “key” generator for AWS.


Key uses of AWS STS

  1. Temporary access for IAM users or roles
  • Example: You don’t want to give a user permanent access keys → you use STS to give them credentials that expire automatically (15 minutes to 12 hours for AssumeRole, capped by the role’s configured maximum session duration).
  2. Cross‑account access
  • Example: Account A needs to access resources in Account B → a principal in Account A calls AssumeRole on a role in Account B whose trust policy names Account A, and receives temporary credentials for that role.
  3. Federated access
  • Example: Your company uses an existing identity provider (Active Directory via SAML 2.0, Okta, Google) → STS issues temporary AWS credentials for those users through AssumeRoleWithSAML or AssumeRoleWithWebIdentity, without creating IAM users.
  4. Mobile or browser-based apps
  • Example: An app needs temporary AWS access without embedding permanent credentials → use Amazon Cognito identity pools, which exchange the user’s identity token for STS credentials scoped by an IAM role.

How AWS STS works (simple flow):

  1. You request temporary credentials using an STS API call (AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetSessionToken or GetFederationToken).
  2. STS returns:
  • Access key ID (temporary key IDs start with ASIA, long-term ones with AKIA)
  • Secret access key
  • Session token
  • Expiration time
  3. You use these credentials to access AWS services until they expire. All three values must be presented together (for example as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN); the key pair is rejected without the session token. There is no API to revoke a single session early (a role’s active sessions can only be denied wholesale with an aws:TokenIssueTime condition), so keep sessions as short as the task allows.
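The three steps above in code, as an added example that is not part of the original post. It drives the AssumeRole call against a stand-in client (FakeSts, constructed here so the script runs offline; replace it with boto3.client("sts") for a real call, since the response keys are the ones boto3 returns), keeps the four returned values together, treats the session as expired slightly early, and emits the credentials in the JSON shape the AWS CLI reads from a credential_process helper. The role ARN and session name are hypothetical.

```python
"""Added example (not from the original post): the STS AssumeRole flow end to end.
FakeSts stands in for boto3.client("sts") so the script runs offline; its
response uses the same keys as the real AssumeRole response."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
import secrets

ROLE_ARN = "arn:aws:iam::222222222222:role/DevReadOnly"  # hypothetical role in "Account B"
MIN_DURATION, MAX_DURATION = 900, 43200  # AssumeRole accepts 15 minutes to 12 hours


class FakeSts:
    """Stand-in for boto3.client("sts"); returns a constructed AssumeRole response."""

    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)

    def assume_role(self, **params):
        for required in ("RoleArn", "RoleSessionName"):
            if required not in params:
                raise ValueError(f"{required} is required")
        duration = params.get("DurationSeconds", 3600)  # STS default: one hour
        if not MIN_DURATION <= duration <= MAX_DURATION:
            raise ValueError("DurationSeconds must be between 900 and 43200")
        account = params["RoleArn"].split(":")[4]
        role_name = params["RoleArn"].rsplit("/", 1)[-1]
        session = params["RoleSessionName"]
        return {
            "Credentials": {
                "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # temporary keys start with ASIA
                "SecretAccessKey": secrets.token_urlsafe(30),
                "SessionToken": secrets.token_urlsafe(120),
                "Expiration": self.now + timedelta(seconds=duration),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLEID:" + session,
                "Arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/{session}",
            },
        }


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime

    def seconds_left(self, now=None):
        now = now or datetime.now(timezone.utc)
        return (self.expiration - now).total_seconds()

    def is_usable(self, now=None, skew=60):
        """Treat the session as expired `skew` seconds early, so a request signed
        just before the deadline is not rejected while in flight."""
        return self.seconds_left(now) > skew

    def as_env(self):
        # All three are needed together; the key pair alone is rejected without the token.
        return {
            "AWS_ACCESS_KEY_ID": self.access_key_id,
            "AWS_SECRET_ACCESS_KEY": self.secret_access_key,
            "AWS_SESSION_TOKEN": self.session_token,
        }

    def as_credential_process(self):
        """JSON in the shape the AWS CLI/SDKs read from a credential_process helper."""
        return json.dumps({
            "Version": 1,
            "AccessKeyId": self.access_key_id,
            "SecretAccessKey": self.secret_access_key,
            "SessionToken": self.session_token,
            "Expiration": self.expiration.isoformat(),
        })


def assume_role(sts, role_arn, session_name, duration_seconds=3600, external_id=None):
    """Steps 1 and 2 of the flow: call AssumeRole and collect what STS returns."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if external_id:
        params["ExternalId"] = external_id  # needed when the trust policy guards against confused deputies
    creds = sts.assume_role(**params)["Credentials"]
    return TemporaryCredentials(creds["AccessKeyId"], creds["SecretAccessKey"],
                                creds["SessionToken"], creds["Expiration"])


if __name__ == "__main__":
    creds = assume_role(FakeSts(), ROLE_ARN, "dev-session", duration_seconds=3600)
    print(creds.as_credential_process())  # step 3: hand these to the CLI/SDK until they expire
```

Point `credential_process` in `~/.aws/config` at a script like this and the CLI will call it whenever it needs credentials and re-run it once the Expiration passes; the 60-second skew in `is_usable` is the kind of margin you want in your own refresh loop.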

Example real-world analogy

Think of AWS STS like a hotel front desk:

  • You check in → they give you a key card that works for a limited time.
  • When your stay ends → the key card stops working.
  • You don’t need a permanent key for the hotel.

AWS STS in the AWS Solutions Architect Associate (SAA) exam

In the SAA exam, STS usually appears in scenarios involving temporary access, cross-account access or federated access.


Common AWS STS use cases in the SAA exam

1. Cross‑Account Access

  • Scenario: You have two AWS accounts (e.g., Prod and Dev) and want to let a role in one account access resources in another without sharing credentials.
  • STS solution: Use AssumeRole so a principal in one account temporarily assumes a role in the other account. Two things have to line up: the target role’s trust policy must name the calling account or principal, and the caller’s own IAM policy must allow sts:AssumeRole on that role ARN. When the caller is a third party, add an ExternalId condition to the trust policy to prevent the confused-deputy problem.
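Whether the AssumeRole call in this scenario succeeds depends on policies on both sides, not on the call alone. The following is an added example, not code from the original post: a simplified model of those two checks, with a trust policy in Account B and an identity policy in Account A written in the real IAM JSON format. The account IDs, role names and ExternalId value are hypothetical, and the evaluator handles only Allow statements and a StringEquals condition on sts:ExternalId.

```python
"""Added example (not from the original post): a simplified model of the two
checks behind a cross-account AssumeRole. Account IDs, role names and the
ExternalId are hypothetical; the policy documents use the real IAM JSON format."""
import json

ROLE_ARN = "arn:aws:iam::222222222222:role/DevReadOnly"  # the role in Account B

# Trust policy on the role in Account B: trusts all of Account A and demands an
# ExternalId, the standard defence against the confused-deputy problem when a
# third party assumes the role on your behalf.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "proj-42-external-id"}}
  }]
}""")

# Identity-based policy on the caller in Account A. Because the trust policy
# names the account root rather than this specific role, the caller must also
# be granted sts:AssumeRole on the target role ARN.
CALLER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::222222222222:role/DevReadOnly"
  }]
}""")


def _listify(value):
    return value if isinstance(value, list) else [value]


def account_of(arn):
    return arn.split(":")[4]


def _principal_matches(principal, caller_arn):
    if principal == "*":  # anyone at all; a trust policy like this is a finding, not a feature
        return True
    if principal.endswith(":root"):  # account principal: any identity in that account
        return account_of(principal) == account_of(caller_arn)
    return principal == caller_arn  # exact user or role ARN


def trust_allows(policy, caller_arn, external_id=None):
    """Does the role's trust policy let caller_arn call sts:AssumeRole?
    Simplified: Allow statements only, StringEquals on sts:ExternalId only."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _listify(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
        if not any(_principal_matches(p, caller_arn) for p in principals):
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is not None and external_id != expected:
            continue  # missing or wrong ExternalId: STS answers AccessDenied
        return True
    return False


def identity_allows(policy, role_arn):
    """Does the caller's own IAM policy allow sts:AssumeRole on role_arn?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _listify(stmt["Action"]):
            continue
        if any(r in ("*", role_arn) for r in _listify(stmt["Resource"])):
            return True
    return False


def can_assume(caller_arn, caller_policy, role_arn, trust_policy, external_id=None):
    """Cross-account AssumeRole succeeds only if the caller's account grants the
    permission and the target role's trust policy accepts the caller.
    (Same-account rules are simplified here: only the trust policy is checked.)"""
    if account_of(caller_arn) != account_of(role_arn) and not identity_allows(caller_policy, role_arn):
        return False
    return trust_allows(trust_policy, caller_arn, external_id)
```

Run `can_assume` with a caller from a third account, or with the ExternalId left off, and it denies just as STS would; the point to take into the exam is that either account can unilaterally break the link, and the ExternalId is what stops a vendor that holds your role ARN from being tricked into using it for someone else.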

2. Temporary Access for Security

  • Scenario: You want to avoid using permanent IAM access keys for users or applications to improve security.
  • STS solution: Use STS to give temporary credentials that expire quickly, shrinking the window in which a leaked credential is useful.

Example:

"A company wants developers to access AWS for only 1 hour during a project." → Use AssumeRole with STS (DurationSeconds=3600, which is also the default session length; the value cannot exceed the role’s configured maximum session duration).


3. Federated Access

  • Scenario: Users log in with corporate credentials (Active Directory, Google Workspace, etc.) and need AWS access without IAM user creation.
  • STS solution: Use STS with identity federation to issue temporary credentials: AssumeRoleWithSAML for SAML 2.0 providers and AssumeRoleWithWebIdentity for OIDC providers.

Example:

"A company uses single sign-on (SSO) for AWS access." → IAM Identity Center (formerly AWS SSO) or a SAML integration handles the login; STS is the backend that issues the temporary keys after authentication.


4. Mobile or Web Applications

  • Scenario: An application running on a mobile device needs AWS access without embedding long-term keys.
  • STS solution: Use Amazon Cognito identity pools, which exchange the user’s token (from a Cognito user pool or a social/OIDC provider) for STS credentials scoped by an IAM role; unauthenticated guests can be mapped to a separate, more restricted role.
