AWS Certified Solutions Architect - Professional
  • AWS Certified Solutions Architect - Professional
  • Analytics
    • Amazon Athena
    • AWS Data Exchange
    • Amazon Data Firehose
    • Amazon EMR
    • AWS Glue
    • Amazon Kinesis Data Streams
    • AWS Lake Formation
    • Amazon Managed Service for Apache Flink
    • Amazon Managed Streaming for Apache Kafka (Amazon MSK)
    • Amazon OpenSearch Service
    • Amazon QuickSight
  • Application Integration
    • Amazon AppFlow
  • AWS AppSync
  • Amazon EventBridge
  • Amazon MQ
  • Amazon Simple Notification Service
  • Amazon Simple Queue Service
  • AWS Step Functions
  • Blockchain
    • Amazon Managed Blockchain
  • Business Applications
    • Amazon Simple Email Service
  • Cloud Financial Management
    • AWS Budgets
    • AWS Cost and Usage Report
  • AWS Cost Explorer
  • Savings Plans
  • COMPUTE
    • AWS App Runner
  • AWS Auto Scaling
  • AWS Batch
  • AWS Elastic Beanstalk
  • Amazon Elastic Compute Cloud
  • Amazon EC2 Auto Scaling
  • AWS Fargate
  • AWS Lambda
  • Amazon Lightsail
  • AWS Outposts
  • AWS Wavelength
  • CONTAINERS
    • Amazon Elastic Container Registry
    • Amazon Elastic Container Service
    • Amazon ECS Anywhere
    • Amazon Elastic Kubernetes Service
    • Amazon EKS Anywhere
    • Amazon EKS Distro
  • DATABASES
    • Amazon Aurora
  • Amazon Aurora Serverless
  • Amazon DocumentDB
  • Amazon DynamoDB
  • Amazon ElastiCache
  • Amazon Keyspaces
  • Amazon Neptune
  • Amazon Relational Database Service
  • Amazon Redshift
  • Amazon Timestream
  • Developer Tools
    • AWS CodeArtifact
    • AWS CodeBuild
    • AWS CodeDeploy
    • Amazon CodeGuru
    • AWS CodePipeline
    • AWS X-Ray
  • End User Computing
    • Amazon AppStream 2.0
  • Amazon Workspaces
  • Frontend Web and Mobile
    • AWS Amplify
    • Amazon API Gateway
    • AWS Device Farm
    • Amazon Pinpoint
  • Internet of Things
    • AWS IoT Core
    • AWS IoT Device Defender
    • AWS IoT Device Management
    • AWS IoT Events
    • AWS IoT Greengrass
    • AWS IoT SiteWise
    • AWS IoT Things Graph
  • AWS IoT 1-Click
  • Machine Learning
    • Amazon Comprehend
    • Amazon Fraud Detector
    • Amazon Kendra
    • Amazon Lex
    • Amazon Personalize
    • Amazon Polly
    • Amazon Rekognition
  • Amazon SageMaker AI
  • Amazon Textract
  • Amazon Transcribe
  • Amazon Translate
  • Management and Governance
    • AWS CloudFormation
    • AWS CloudTrail
    • Amazon CloudWatch
    • Amazon CloudWatch Logs
    • AWS Command Line Interface
    • AWS Compute Optimizer
    • AWS Config
    • AWS Control Tower
    • AWS Health Dashboard
    • AWS License Manager
    • Amazon Managed Grafana
    • Amazon Managed Service for Prometheus
    • AWS Management Console
    • AWS Organizations
    • AWS Proton
    • AWS Service Catalog
    • Service Quotas
    • AWS Systems Manager
    • AWS Trusted Advisor
    • AWS Well-Architected Tool
    • SAML2.0 Identity Federation
    • IAM Identity Center
    • Directory Service
  • Service Control Policies
  • Permissions Boundaries
  • Permissions Evaluation
  • Media Services
    • Amazon Elastic Transcoder
    • Amazon Kinesis Video Streams
  • Migration and Transfer
    • AWS Application Discovery Service
    • AWS Application Migration Service
    • AWS Database Migration Service
    • AWS DataSync
    • AWS Migration Hub
    • AWS Schema Conversion Tool
    • AWS Snow Family
    • AWS Transfer Family
  • Networking and Content Delivery
    • Private and Public AWS Services
    • DHCP In a VPC
    • VPC Router
    • Stateful vs Stateless Firewalls
    • Network Access Control Lists
    • Security Groups
    • AWS Local Zones
    • Border Gateway Protocol
    • AWS Global Accelerator
    • IPSec VPN
    • Site2Site VPN
    • Transit Gateway
    • VPC Routing
    • Accelerated Site-to-Site VPN
    • AWS Client VPN
    • AWS Direct Connect (DX)
    • Route53
    • AWS Private Link
    • VPC
    • Amazon CloudFront
    • Elastic Load Balancing
    • AWS PrivateLink
  • Security, Identity, and Compliance
    • AWS Artifact
    • AWS Audit Manager
    • AWS Certificate Manager
    • AWS CloudHSM
    • Amazon Cognito
    • Amazon Detective
    • AWS Directory Service
    • AWS Firewall Manager
    • Amazon GuardDuty
    • AWS IAM Identity Center
    • AWS Identity and Access Management
    • Amazon Inspector
    • AWS Key Management Service
    • Amazon Macie
    • AWS Network Firewall
    • AWS Resource Access Manager
    • AWS Secrets Manager
    • AWS Security Hub
    • Security Token Service
    • AWS Shield
    • AWS WAF
  • Storage
    • AWS Backup
    • Amazon Elastic Block Store
    • AWS Elastic Disaster Recovery
    • Amazon Elastic File System
    • Amazon FSx
    • Amazon Simple Storage Service
    • Amazon S3 Glacier
    • AWS Storage Gateway
Powered by GitBook
On this page
  1. Security, Identity, and Compliance

Security Token Service

  • A service that provides temporary security credentials.

  • These credentials are generated when sts:AssumeRole is called.

🔄 Assuming a Role

  • When an identity (user, application, external entity) calls sts:AssumeRole, AWS returns:

    • Temporary credentials (Access Key ID, Secret Access Key, Session Token).

  • These credentials:

    • Are short-lived (expire after a set time).

    • Do not belong to the identity using them.

✅ Access Control

  • The access from these credentials is based on the role's permissions policy.

  • Can be further restricted to a subset of those permissions.

  • Ensures least privilege access is possible even when assuming powerful roles.

☁️ Where Temporary Credentials Can Be Used

  • Can be used to access AWS resources just like permanent credentials.

  • Especially useful for:

    • Cross-account access

    • Federated users

    • Applications needing short-term access

🧠 Quick Summary

Feature
Description

Service

AWS STS (Security Token Service)

Main operation

sts:AssumeRole

Output

Temporary credentials

Lifetime

Short-lived (e.g., 15 min to a few hours)

Belongs to

The role, not the calling identity

Access control

Controlled by the role's policy, and can be further limited

Use cases

Temporary access, cross-account roles, identity federation

Revoking Temporary Credentials

Last updated 10 days ago