Monday, September 9, 2024

AWS - Security Token Service (STS)


AWS STS (AWS Security Token Service) is a service that allows you to request temporary, limited-privilege credentials for users or services to access AWS resources. These credentials are often used in scenarios where you don't want to use long-term access keys, or when you need to provide short-term access to resources without creating permanent IAM users.

Here’s a breakdown of key concepts related to AWS STS:

Key Features of AWS STS:

  1. Temporary Security Credentials: STS provides credentials that are valid for a limited duration (from a few minutes to several hours). After they expire, they cannot be used to access AWS resources.

  2. Assume Roles: One of the most common uses of AWS STS is assuming roles. For example, you can allow a user or application to "assume" a role that gives it specific permissions, even if the user or app doesn't have those permissions by default. This is useful in cross-account scenarios, federated access, or when using roles to segregate access levels within the same account.

  3. Federation: AWS STS enables identity federation, which allows users from external systems (like corporate directories or external identity providers) to access AWS resources without the need to create IAM users for them. This is done via standard protocols like SAML 2.0 or OpenID Connect.

  4. Cross-Account Access: STS makes it easy to provide access to resources across different AWS accounts. A user in one account can assume a role in another account and gain access to resources, all without requiring the user to have an IAM user in the other account.

  5. Reduced Credential Exposure: Since STS tokens are temporary, they limit the risk if credentials are compromised. After the expiration time, the token cannot be reused.

Example Use Cases:

  • Delegating Access: You have a central administrative account, and you want to allow users from other AWS accounts to access your account’s resources. They can assume a role that you define in your account to temporarily gain the necessary permissions.
  • Third-Party Access: You can give third-party vendors temporary access to your resources by letting them assume a role through STS without needing long-term credentials.
  • Mobile Apps and IoT Devices: Instead of embedding long-term credentials in mobile or IoT devices, which can be insecure, you use STS to issue temporary credentials, which can be refreshed as needed.

Example of Using STS with AssumeRole:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/example-role --role-session-name session1

This command lets the calling identity assume the role example-role in account 123456789012 and returns temporary credentials for that role (an access key ID, secret access key and session token, together with their expiration time).
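As an added example that is not part of the original post, the same AssumeRole call driven from Python, with the temporary credentials cached and refreshed shortly before they expire. It assumes a boto3-style STS client (with boto3 installed you would pass boto3.client("sts")); RoleSession, FakeSTS and all sample values are constructed here, and ExternalId is the optional AssumeRole parameter used when a third party assumes a role in your account.

```python
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # refresh once less than this lifetime remains


class RoleSession:
    """Caches AssumeRole credentials and refreshes them shortly before expiry."""

    def __init__(self, sts, role_arn, session_name, external_id=None,
                 duration=3600, now=lambda: datetime.now(timezone.utc)):
        self.sts, self.role_arn, self.session_name = sts, role_arn, session_name
        self.external_id, self.duration, self.now = external_id, duration, now
        self._creds = None

    def credentials(self):
        if self._creds is None or self._creds["Expiration"] - self.now() < REFRESH_MARGIN:
            params = {"RoleArn": self.role_arn, "RoleSessionName": self.session_name,
                      "DurationSeconds": self.duration}
            if self.external_id:  # ExternalId: a third party must present the agreed value
                params["ExternalId"] = self.external_id
            self._creds = self.sts.assume_role(**params)["Credentials"]
        return self._creds


class FakeSTS:
    """Constructed stand-in for boto3.client("sts"); records every AssumeRole call."""

    def __init__(self, now):
        self.now, self.calls = now, []

    def assume_role(self, **params):
        self.calls.append(params)
        n = len(self.calls)  # constructed sample values below, not real credentials
        return {"Credentials": {"AccessKeyId": f"ASIACONSTRUCTED{n}",
                                "SecretAccessKey": "constructed-secret",
                                "SessionToken": f"constructed-token-{n}",
                                "Expiration": self.now() + timedelta(seconds=params["DurationSeconds"])}}


def demo():
    """First use assumes the role, a reuse at 30 min is cached, 3 min left triggers a refresh."""
    clock = [datetime(2024, 9, 9, 12, 0, tzinfo=timezone.utc)]
    sts = FakeSTS(lambda: clock[0])
    session = RoleSession(sts, "arn:aws:iam::123456789012:role/example-role",
                          "session1", external_id="vendor-42", now=lambda: clock[0])
    first = session.credentials()["AccessKeyId"]
    clock[0] += timedelta(minutes=30)
    cached = session.credentials()["AccessKeyId"]  # 30 min left, no new STS call
    clock[0] += timedelta(minutes=27)  # 57 min elapsed of a 60 min session
    refreshed = session.credentials()["AccessKeyId"]
    return first, cached, refreshed, len(sts.calls), sts.calls[0].get("ExternalId")
```

Because a real AssumeRole response carries the same Credentials keys, the RoleSession class works unchanged against a live STS client, so the only part to swap out is FakeSTS.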

In summary, AWS STS is a powerful tool for managing short-term, secure access to AWS resources without the need for long-term credentials. It’s especially valuable in complex environments that require secure, time-bound access control, such as in cross-account access or federated identity setups.
