
AWS SDKs

What Is This Service?

AWS SDKs (Software Development Kits) are language-specific libraries that allow applications to interact with AWS services through authenticated and signed AWS API calls.

Examples:

  • Python (Boto3)
  • Java
  • JavaScript
  • Go
  • .NET
  • Rust
  • PHP
  • Ruby

Mental model:
AWS SDK = secure API client + credential broker + request automation layer.

SDKs abstract:

  • Authentication
  • Request signing
  • Retries
  • Endpoint selection
  • Serialization
  • Credential refresh

SDKs are the default mechanism for application-to-AWS communication.


Why It Matters for Security

Applications must:

  • Authenticate securely
  • Avoid hardcoded credentials
  • Rotate access automatically
  • Support temporary trust
  • Reduce attack surface

Security outcomes:

  • Reduced credential leakage
  • Centralized authorization
  • Temporary access
  • Secure request integrity
  • Strong identity propagation

Typical use cases:

  • Application access to S3
  • Lambda integrations
  • Container workloads
  • Cross-account access
  • CI/CD automation
  • Kubernetes access

Core Concepts

SDK → AWS API

SDKs abstract AWS APIs.

Example:

Application:

Upload file

Actual API:

PutObject

SDK automatically handles:

  • Serialization
  • Authentication
  • Signing
  • Response parsing

Credential Provider Chain (MOST TESTED)

SDK resolves credentials automatically by walking a fixed list of providers and stopping at the first one that returns credentials.

Typical order (Boto3 and Java SDK v2; other SDKs differ in detail):

Explicit Credentials (passed in code)
 ↓
Environment Variables
 ↓
Web Identity Token (AWS_WEB_IDENTITY_TOKEN_FILE + AWS_ROLE_ARN)
 ↓
Shared Credentials / Config Files (including assume-role and SSO profiles)
 ↓
Container Credentials (ECS task role, EKS Pod Identity)
 ↓
EC2 Instance Profile (IMDS)

Modern SDK behavior varies slightly (Boto3 checks assume-role and SSO profiles before the shared credentials file; Java v2 also checks JVM system properties before environment variables).

Exam rule:

The first provider that returns credentials wins; nothing later in the chain is consulted. A stray AWS_ACCESS_KEY_ID in a pod's environment therefore silently shadows its web identity role.
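The resolution rule above, as an added example (not code from the page or from any AWS SDK): a small model of the first four providers in the chain, in the Boto3 order, with a stand-in for the STS call. The shared credentials file, the environment dictionaries and the role ARN are constructed sample inputs; fake_assume_role_with_web_identity only returns placeholder values where the real SDK would call AssumeRoleWithWebIdentity. The point to observe is which provider wins when several could answer.

```python
import configparser
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Credentials:
    access_key: str
    secret_key: str
    session_token: Optional[str]
    source: str  # which provider produced them; worth logging once at startup


Provider = Callable[[], Optional[Credentials]]


def explicit_provider(access_key: Optional[str] = None, secret_key: Optional[str] = None) -> Provider:
    """Credentials passed directly in code: first in the chain, i.e. the hard-coded-secret trap."""
    def load():
        if access_key and secret_key:
            return Credentials(access_key, secret_key, None, "explicit")
        return None
    return load


def env_provider(env: dict) -> Provider:
    def load():
        ak, sk = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
        if ak and sk:
            return Credentials(ak, sk, env.get("AWS_SESSION_TOKEN"), "env")
        return None
    return load


def web_identity_provider(env: dict, assume_role_with_web_identity: Callable[[str, str], Credentials]) -> Provider:
    """Both variables must be present (EKS IRSA injects them into the pod)."""
    def load():
        token_file, role_arn = env.get("AWS_WEB_IDENTITY_TOKEN_FILE"), env.get("AWS_ROLE_ARN")
        if token_file and role_arn:
            return assume_role_with_web_identity(role_arn, token_file)
        return None
    return load


def shared_file_provider(ini_text: str, profile: str) -> Provider:
    """~/.aws/credentials, parsed from a string here so the example runs offline."""
    def load():
        cfg = configparser.ConfigParser()
        cfg.read_string(ini_text)
        if cfg.has_option(profile, "aws_access_key_id"):
            sec = cfg[profile]
            return Credentials(sec["aws_access_key_id"], sec["aws_secret_access_key"],
                               sec.get("aws_session_token"), f"shared-file:{profile}")
        return None
    return load


def resolve(chain: List[Provider]) -> Credentials:
    for provider in chain:
        creds = provider()
        if creds is not None:
            return creds  # first hit wins; later providers are never consulted
    raise RuntimeError("NoCredentialsError: no provider in the chain returned credentials")


# Constructed sample inputs (not real keys, files or roles).
SHARED_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAFILEEXAMPLE
aws_secret_access_key = file-secret-example
"""
IRSA_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/payments-app",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
}


def fake_assume_role_with_web_identity(role_arn: str, token_file: str) -> Credentials:
    """Stand-in for STS: real code reads token_file and calls AssumeRoleWithWebIdentity."""
    return Credentials("ASIAWEBIDENTITY", "temp-secret", "temp-session-token", f"web-identity:{role_arn}")


def resolve_for(env: dict, ini_text: str = SHARED_CREDENTIALS_FILE, explicit: Optional[dict] = None) -> Credentials:
    chain = [
        explicit_provider(**(explicit or {})),
        env_provider(env),
        web_identity_provider(env, fake_assume_role_with_web_identity),
        shared_file_provider(ini_text, env.get("AWS_PROFILE", "default")),
        # container and instance-metadata providers would follow here
    ]
    return resolve(chain)
```

With only the IRSA variables set, the web identity provider wins even though a credentials file exists further down the chain; add AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY to the same environment and the environment provider wins instead, which is the shadowing trap the rule above describes.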


Temporary Credentials

Preferred access model.

Generated by:

STS

Contains:

  • Access Key (ASIA... prefix)
  • Secret Key
  • Session Token (must accompany every request as x-amz-security-token; the SDK adds it)

Short-lived: AssumeRole sessions run from 15 minutes up to the role's configured maximum (at most 12 hours); they cannot be revoked individually, so keep durations short.


Request Signing (SigV4)

SDK signs every request automatically.

Uses:

AWS Signature Version 4

Protects:

  • Authentication (the signature proves possession of the secret key)
  • Integrity (signed headers and the payload hash cannot be altered in transit)
  • Replay resistance (limited: x-amz-date must be within 15 minutes of server time; a captured request can still be replayed inside that window, so TLS is what protects it on the wire)

Includes:

  • Timestamp (x-amz-date)
  • Credential scope (date / region / service)
  • Access key ID (the secret key is never transmitted; it only derives the signing key)
  • Session token header (x-amz-security-token) when temporary credentials are used

Exam trap:

You do NOT manually implement signing.
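What the SDK does on every call, as an added example that is not code from the page or from any AWS SDK: a standard-library SigV4 signer following the published algorithm (canonical request, string to sign, four chained HMACs for the signing key), plus the server-side clock-skew check that bounds replay. The access key and secret are placeholders modelled on the AWS documentation examples, the request is the ListUsers call those examples use, and the clock-skew helper is an illustration of the 15-minute rule, not AWS's own code.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_CLOCK_SKEW_SECONDS = 15 * 60  # requests with x-amz-date further from server time are rejected


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Four chained HMACs; the raw secret key never leaves the client."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, access_key, secret_key, region, service, amz_date):
    """Return the header set for a SigV4-signed request."""
    date_stamp = amz_date[:8]
    # Canonical headers: lower-case names, trimmed and space-collapsed values, sorted by name.
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    canon["host"] = host
    canon["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(canon))
    canonical_headers = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    payload_hash = _sha256_hex(body)
    canonical_request = "\n".join(
        [method, path or "/", canonical_query, canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )
    signature = hmac.new(
        derive_signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    # Only the access key ID and the scope travel with the request, never the secret key.
    canon["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"
    )
    return canon


def within_clock_skew(amz_date: str, server_time: str) -> bool:
    """Freshness check (both values in x-amz-date format) that bounds, but does not eliminate, replay."""
    fmt = "%Y%m%dT%H%M%SZ"
    sent = datetime.strptime(amz_date, fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(server_time, fmt).replace(tzinfo=timezone.utc)
    return abs((now - sent).total_seconds()) <= MAX_CLOCK_SKEW_SECONDS


# Placeholder credentials modelled on the AWS documentation examples (not real keys).
EXAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def sign_list_users(region: str = "us-east-1", secret_key: str = EXAMPLE_SECRET_KEY) -> dict:
    """Sign the IAM ListUsers GET used in the SigV4 documentation walkthrough."""
    return sign_request(
        method="GET", host="iam.amazonaws.com", path="/",
        query={"Action": "ListUsers", "Version": "2010-05-08"},
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        body=b"", access_key=EXAMPLE_ACCESS_KEY, secret_key=secret_key,
        region=region, service="iam", amz_date="20150830T123600Z",
    )


if __name__ == "__main__":
    for name, value in sign_list_users().items():
        print(f"{name}: {value}")
```

Two properties worth checking against the output: the Authorization header carries the access key ID and the region/service scope but never the secret, and changing the region (or the secret) changes the signature, which is why a request signed for one regional endpoint is useless against another.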


Region Resolution

SDK determines:

Which regional endpoint?

Sources:

  • Explicit config
  • Environment
  • Profile

Incorrect region:

→ API failures


Retries

SDK automatically retries.

Handles:

  • Throttling (HTTP 429 or a 400 with a ThrottlingException-style error code, depending on the service)
  • HTTP 5xx
  • Transient network failures (connection reset, timeout)

Not retried: ordinary 4xx errors such as AccessDenied or validation failures.

Client vs Resource Abstraction (Developer Exam)

Example: Boto3

Client

Low-level.

Maps directly to APIs.

Returns:

JSON / dictionaries

Example:

client.put_object()

Resource

Higher-level abstraction (feature-frozen: no new services are being added to the resource interface, so new code should prefer clients).

Returns:

Objects

Example:

bucket.name
instance.id

Exam rule:

Client = precise API control

Resource = convenience abstraction


Important Integrations

AWS STS (VERY HIGH VALUE)

Generates:

Temporary Credentials

Pattern:

Application
 ↓
STS
 ↓
SDK
 ↓
AWS API

IAM Roles

Primary credential mechanism.

Examples:

  • EC2 Instance Profile
  • ECS Task Role
  • Lambda Execution Role

Avoid static keys.


OIDC / Web Identity Federation (HIGH VALUE)

Modern authentication mechanism: the workload presents an identity token issued by an external OIDC provider instead of any AWS key.

Common workloads:

  • EKS (IAM Roles for Service Accounts)
  • GitHub Actions
  • CI/CD systems

Flow:

OIDC Token
 ↓
SDK
 ↓
AssumeRoleWithWebIdentity
 ↓
STS Credentials

Environment variables:

AWS_WEB_IDENTITY_TOKEN_FILE
AWS_ROLE_ARN

When both are detected:

SDK automatically calls:

AssumeRoleWithWebIdentity

Caveat: the role trust policy must pin the token's aud and sub claims (a specific service account or repository); a trust policy that checks only the issuer accepts any token that issuer signs.

Exam trap:

No access keys required.
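The trust-policy caveat above, as an added example (not code from the page or from AWS): a local check of an OIDC token's claims against the Condition block of a role trust policy, for an EKS service-account token and a GitHub Actions token. The provider hostnames, cluster ID, namespace, repository and tokens are all constructed; the tokens are unsigned placeholders because STS, not this code, verifies signatures against the provider's keys. The check mirrors IAM's StringEquals and StringLike operators on the aud and sub claims plus issuer and expiry.

```python
import base64
import fnmatch
import json
from typing import List


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token; the signature segment is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload without verifying the signature (inspection only, never authentication)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_rejections(token: str, provider_host: str, condition: dict, now: int) -> List[str]:
    """Reasons the role trust policy would reject this token; an empty list means STS would issue credentials."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != f"https://{provider_host}":
        problems.append(f"iss {claims.get('iss')!r} is not the configured IAM OIDC provider")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    for operator, rules in condition.items():
        for key, expected in rules.items():
            claim_name = key.rsplit(":", 1)[1]  # "<provider-host>:sub" -> "sub"
            actual = claims.get(claim_name)
            actual_values = actual if isinstance(actual, list) else [actual]
            expected_values = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = any(a == e for a in actual_values for e in expected_values)
            elif operator == "StringLike":  # IAM wildcards * and ?, matched case-sensitively
                ok = any(a is not None and fnmatch.fnmatchcase(str(a), e)
                         for a in actual_values for e in expected_values)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                problems.append(f"{operator} on {claim_name}: got {actual!r}, policy allows {expected_values!r}")
    return problems


# Constructed providers and trust-policy Condition blocks.
EKS_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
GITHUB_PROVIDER = "token.actions.githubusercontent.com"

EKS_TRUST_CONDITION = {"StringEquals": {
    f"{EKS_PROVIDER}:aud": "sts.amazonaws.com",
    f"{EKS_PROVIDER}:sub": "system:serviceaccount:payments:app",
}}
GITHUB_TRUST_CONDITION = {
    "StringEquals": {f"{GITHUB_PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_PROVIDER}:sub": "repo:example-org/example-repo:*"},
}


def irsa_token(namespace: str = "payments", sa: str = "app", exp: int = 4102444800) -> str:
    """Shape of a projected service-account token (default exp is 2100-01-01)."""
    return make_unsigned_jwt({"iss": f"https://{EKS_PROVIDER}", "aud": ["sts.amazonaws.com"],
                              "sub": f"system:serviceaccount:{namespace}:{sa}", "exp": exp})


def github_token(repo: str = "example-org/example-repo", ref: str = "refs/heads/main",
                 exp: int = 4102444800) -> str:
    """Shape of a GitHub Actions OIDC token's identity claims."""
    return make_unsigned_jwt({"iss": f"https://{GITHUB_PROVIDER}", "aud": "sts.amazonaws.com",
                              "sub": f"repo:{repo}:ref:{ref}", "exp": exp})
```

The GitHub case is the one that most often goes wrong in practice: a pattern such as repo:* in the sub condition lets any repository on the provider assume the role, so the wildcard should stay to the right of the organisation and repository name as in the condition above.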


EC2 Instance Metadata Service

Credential retrieval:

IMDS
 ↓
SDK

Recommended:

IMDSv2 (current SDKs use it when available; enforce it on the instance with HttpTokens=required so v1 cannot be reached at all)

Amazon ECS

Uses:

Task Role

SDK retrieves credentials automatically.


AWS Lambda

Execution role credentials are injected into the runtime as environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), which the SDK's environment provider picks up.

No configuration required.


AWS IAM Identity Center

Supports:

CLI (aws sso login with an sso-session profile)
SDK (reads the same profile and exchanges the cached SSO token for short-lived role credentials)

Modern workforce pattern: no long-lived access keys on developer machines.


VPC Endpoints (PrivateLink)

SDK supports private service connectivity.

Critical endpoint behavior:

Private DNS enabled:

SDK works normally (the regional service hostname resolves to the endpoint's private IPs)

Private DNS disabled:

Override endpoint URL with the endpoint-specific DNS name

Security Features

Automatic SigV4 Signing

SDK handles:

  • Identity
  • Integrity
  • Secure requests

Temporary Credential Support

Supports:

  • Automatic rotation
  • Expiration
  • Isolation

Secure Credential Resolution

Avoids:

  • Embedded secrets

Retry Protection

Reduces:

  • Transient failures (throttling, 5xx, dropped connections) surfacing to the application

TLS Encryption

SDK uses:

HTTPS

Endpoint Validation

Ensures:

  • Regional correctness
  • TLS certificate verification against the endpoint hostname (do not disable it, e.g. verify=False in Boto3, outside local testing)

Advanced Security and Operational Concepts

Credential Provider Chain (MOST TESTED)

Typical resolution:

Code
 ↓
Environment
 ↓
Web Identity
 ↓
Credential / Config File
 ↓
Container
 ↓
Instance Role

Exam trap:

Hardcoded credentials sit first in the chain, so they shadow every safer method below them.


IAM Roles > Access Keys

Preferred:

IAM Role

Avoid:

Static Keys

Reason:

  • Rotation
  • Reduced exposure

Thundering Herd Protection (HIGH VALUE)

SDK retries use:

Exponential Backoff
+
Jitter

Backoff:

Progressively longer waits.

Jitter:

Random delay.

Purpose:

Prevent:

Thundering Herd

Example:

Bad:

1000 clients retry simultaneously

Good:

Randomized retry timing

Exam trap:

Jitter protects AWS APIs and the callers themselves: synchronized retries turn one throttling event into a second one.


IMDSv2 Protection

Old:

IMDSv1 (plain GET, no token)

Risk:

  • SSRF: any request-forgery bug that can reach 169.254.169.254 can read the instance role's credentials

Modern:

IMDSv2

Uses:

  • Session tokens obtained with a PUT request and presented as a header on every read (most SSRF primitives cannot send a PUT with a custom header)
  • A hop limit on the token response (default 1, so the token is not forwarded beyond the instance)

Enforce with HttpTokens=required on the instance or launch template; otherwise v1 remains reachable alongside v2.
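The two-step IMDSv2 exchange and why it resists SSRF, as an added example (not code from the page or from any AWS SDK): a standard-library client that performs the PUT-for-token then GET-with-token sequence an SDK's instance-profile provider performs, run against a constructed stand-in for an instance with HttpTokens=required. The fake server, role name and credential values are constructed; live_sender is the real transport and only works on an EC2 instance.

```python
import json
import urllib.error
import urllib.request
from typing import Callable
from urllib.parse import urlparse

IMDS_BASE = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"  # IMDSv2 accepts 1 to 21600

Sender = Callable[[urllib.request.Request], bytes]


def token_request() -> urllib.request.Request:
    """Step 1: PUT with a TTL header. A forged GET from an SSRF bug never gets past this."""
    return urllib.request.Request(
        f"{IMDS_BASE}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS},
    )


def metadata_request(path: str, token: str) -> urllib.request.Request:
    """Step 2: every read presents the session token."""
    return urllib.request.Request(f"{IMDS_BASE}{path}", method="GET",
                                  headers={"X-aws-ec2-metadata-token": token})


def fetch_role_credentials(send: Sender) -> dict:
    """What the SDK's instance-profile provider does: token -> role name -> credential JSON."""
    token = send(token_request()).decode()
    role = send(metadata_request("/latest/meta-data/iam/security-credentials/", token)).decode().strip()
    return json.loads(send(metadata_request(f"/latest/meta-data/iam/security-credentials/{role}", token)))


def live_sender(req: urllib.request.Request) -> bytes:
    """Real transport, for use on an instance (short timeout: elsewhere the address is unreachable)."""
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read()


class FakeImdsV2Only:
    """Constructed stand-in for an instance launched with HttpTokens=required."""
    ROLE = "app-role"
    CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
             "Token": "example-session-token", "Expiration": "2030-01-01T00:00:00Z"}

    def __init__(self):
        self.token = "constructed-session-token"

    def __call__(self, req: urllib.request.Request) -> bytes:
        path = urlparse(req.full_url).path
        if req.get_method() == "PUT" and path == "/latest/api/token":
            if not req.get_header("X-aws-ec2-metadata-token-ttl-seconds"):
                raise PermissionError("400: TTL header missing")
            return self.token.encode()
        if req.get_header("X-aws-ec2-metadata-token") != self.token:
            raise PermissionError("401: IMDSv2 token required")  # what an SSRF-driven plain GET receives
        if path == "/latest/meta-data/iam/security-credentials/":
            return f"{self.ROLE}\n".encode()
        if path == f"/latest/meta-data/iam/security-credentials/{self.ROLE}":
            return json.dumps(self.CREDS).encode()
        raise FileNotFoundError("404")


def plain_get_is_refused(send: Sender) -> bool:
    """An IMDSv1-style GET with no token header (the usual SSRF payload) must fail."""
    try:
        send(urllib.request.Request(f"{IMDS_BASE}/latest/meta-data/iam/security-credentials/"))
    except (PermissionError, urllib.error.HTTPError):
        return True
    return False
```

On a real instance, fetch_role_credentials(live_sender) returns the same JSON the SDK parses; the hop limit in the section above matters for containers on that instance, which need HttpPutResponseHopLimit=2 to complete step 1 (or, better, a task role so they never touch IMDS at all).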

Cross-Account Access

Architecture:

SDK
 ↓
STS AssumeRole (the target role's trust policy must allow the calling principal, which also needs sts:AssumeRole permission)
 ↓
Temporary Credentials
 ↓
Target Account

SDK Credential Refresh

SDK refreshes automatically:

  • Instance roles
  • STS sessions
  • Container roles

Applications usually do not refresh manually.


Endpoint Override (HIGH VALUE)

Default:

SDK
 ↓
Regional Endpoint

PrivateLink trap:

Private DNS disabled:

Public regional endpoint selected (traffic leaves through NAT or an internet gateway, or fails outright in an isolated subnet)

Solution:

endpoint_url override (per client in code, or via the AWS_ENDPOINT_URL / AWS_ENDPOINT_URL_<SERVICE> environment variables supported by current SDKs)

Pattern:

SDK
 ↓
Private Endpoint
 ↓
AWS Service

SDK Is NOT CLI

CLI:

Human automation

SDK:

Application access

Both use APIs.


Long-Running Application Pattern

Preferred:

SDK
+
IAM Role
+
Auto Refresh

Avoid:

Embedded Access Keys

Architecture Example

flowchart LR

App[Application]

SDK[AWS SDK]

OIDC[OIDC Provider]

STS[STS]

Role[IAM Role]

Endpoint[VPC Endpoint]

AWS[AWS Service]

App --> SDK

SDK --> OIDC

OIDC --> STS

STS --> Role

SDK --> Endpoint

Endpoint --> AWS

Workflow(s)

Credential Resolution Flow

sequenceDiagram

participant App
participant SDK
participant Role
participant STS
participant AWS

App->>SDK: API Request

SDK->>SDK: Credential Provider Chain

SDK->>STS: Obtain credentials

STS-->>SDK: Temporary credentials

SDK->>SDK: SigV4 Sign

SDK->>AWS: API request

Web Identity Federation

sequenceDiagram

participant Workload
participant SDK
participant STS
participant AWS

Workload->>SDK: OIDC Token

SDK->>STS: AssumeRoleWithWebIdentity

STS-->>SDK: Temporary credentials

SDK->>AWS: Signed request

Retry with Jitter

sequenceDiagram

participant App
participant SDK
participant AWS

App->>SDK: Request

SDK->>AWS: Signed request

AWS-->>SDK: Throttled (429 / ThrottlingException)

SDK->>SDK: Exponential backoff

SDK->>SDK: Add jitter

SDK->>AWS: Retry

Comparisons

Service | Purpose                    | Human Use   | Programmatic            | Credential Mgmt
AWS SDK | Application access         | No          | Yes                     | Automatic (provider chain)
AWS CLI | Operations / scripting     | Yes         | Partial                 | Automatic (same provider chain)
Console | UI                         | Yes         | No                      | Browser session
STS     | Temporary credentials      | No          | Yes (called by SDK/CLI) | Issues temporary credentials
IAM     | Identity and authorization | Via console | Via API                 | Defines users, roles and policies; issues no session

Common Exam Traps

  1. SDK signs requests automatically.

  2. SigV4 is automatic.

  3. Roles preferred over keys.

  4. Credential provider chain determines identity.

  5. Web identity uses AssumeRoleWithWebIdentity.

  6. SDK auto-refreshes credentials.

  7. IMDSv2 protects EC2.

  8. SDK retries use jitter.

  9. PrivateLink may require endpoint override.

  10. SDK ≠ CLI.

  11. Lambda injects credentials.

  12. Access keys should rarely exist.

  13. Client and Resource are different abstractions.


5-Second Recall

  • SDK = secure AWS API client
  • SigV4 automatic
  • Roles > keys
  • Credential chain matters
  • OIDC → AssumeRoleWithWebIdentity
  • Retry = backoff + jitter
  • PrivateLink may require endpoint override

Quick Revision Notes

  • Programmatic AWS access
  • Automatic request signing
  • Credential provider chain
  • STS everywhere
  • OIDC for modern workloads
  • IMDSv2 for EC2
  • Retry uses jitter
  • SDK auto-refreshes
  • Endpoint override supports PrivateLink
  • Avoid embedded secrets