AWS Certified Solutions Architect - Professional
  • AWS Certified Solutions Architect - Professional
  • Accounts & Permissions
    • AWS Organizations
    • Service Control Policies
    • Security Token Service
    • Permissions Boundaries
    • Permissions Evaluation
    • AWS Resource Access Manager
    • Service Quotas
  • ADVANCED IDENTITIES & FEDERATION
    • SAML2.0 Identity Federation
    • IAM Identity Center
    • Amazon Cognito
    • Amazon Workspaces
    • Directory Service
    • AWS Control Tower
  • NETWORKING & HYBRID
    • Private and Public AWS Services
    • DHCP In a VPC
    • VPC Router
    • Stateful vs Stateless Firewalls
    • Network Access Control Lists
    • Security Groups
    • AWS Local Zones
    • Border Gateway Protocol
    • AWS Global Accelerator
    • IPSec VPN
    • Site2Site VPN
    • Transit Gateway
    • VPC Routing
    • Accelerated Site-to-Site VPN
    • AWS Client VPN
Powered by GitBook
On this page
  1. Accounts & Permissions

Security Token Service

  • A service that provides temporary security credentials.

  • These credentials are generated when sts:AssumeRole is called.

🔄 Assuming a Role

  • When an identity (user, application, external entity) calls sts:AssumeRole, AWS returns:

    • Temporary credentials (Access Key ID, Secret Access Key, Session Token).

  • These credentials:

    • Are short-lived (expire after a set time).

    • Do not belong to the identity using them.

✅ Access Control

  • The access from these credentials is based on the role's permissions policy.

  • Can be further restricted to a subset of those permissions.

  • Ensures least privilege access is possible even when assuming powerful roles.

☁️ Where Temporary Credentials Can Be Used

  • Can be used to access AWS resources just like permanent credentials.

  • Especially useful for:

    • Cross-account access

    • Federated users

    • Applications needing short-term access

🧠 Quick Summary

Feature
Description

Service

AWS STS (Security Token Service)

Main operation

sts:AssumeRole

Output

Temporary credentials

Lifetime

Short-lived (e.g., 15 min to a few hours)

Belongs to

The role, not the calling identity

Access control

Controlled by the role's policy, and can be further limited

Use cases

Temporary access, cross-account roles, identity federation

Revoking Temporary Credentials

Last updated 2 days ago