Security & Compliance

AWS STS

"Request temporary, limited-privilege credentials for users."

What is AWS STS (Security Token Service)?

AWS STS is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).

Key Concepts

1. Temporary Credentials

  • Unlike IAM user access keys (which are long-term), STS credentials expire after a short time (e.g., 1 hour).
  • Consist of an Access Key ID, a Secret Access Key, and a Session Token (all three must be supplied with each request).

2. AssumeRole

  • The API call used to switch roles and obtain temporary credentials for that role.
  • Example: A user in a separate Dev account "assumes a role" in the Prod account to fix a bug.

3. Federation

  • Granting temporary access to users from an external identity provider (like Active Directory, Facebook, Google) without creating IAM users for them.

Exam Tips

[!IMPORTANT] If a question mentions "temporary credentials", "AssumeRole", or "cross-account access", the answer is AWS STS.

Common Use Cases

  • Cross-Account Access: Allowing a trusted user from Account A to access resources in Account B.
  • Mobile Apps: Giving temporary S3 access to a mobile app user logged in via Facebook/Google (Web Identity Federation).