AWS Security Token Service (AWS STS)

What Is This Service?

AWS Security Token Service (AWS STS) is AWS’s temporary credential issuance service that provides short-lived, limited-privilege security credentials for accessing AWS resources.

STS issues:

Access Key
Secret Access Key
Session Token

Credentials expire automatically.

Mental model:
STS = temporary trust broker for AWS identities.

Pattern:

Identity
 ↓
STS
 ↓
Temporary Credentials
 ↓
AWS Access

STS is the foundation of modern AWS identity architecture.


Why It Matters for Security

Long-lived credentials create risk:

  • Credential theft
  • Secret sprawl
  • Cross-account complexity
  • Manual rotation
  • Excessive permissions

Security goals:

  • Eliminate static keys
  • Enforce temporary access
  • Support federation
  • Reduce blast radius
  • Enable Zero Trust

Security outcomes:

  • Short-lived sessions
  • Centralized authentication
  • Cross-account delegation
  • Automatic credential expiration

Typical use cases:

  • Cross-account access
  • Workforce federation
  • EKS
  • Lambda
  • CLI / SDK
  • Identity Center
  • Third-party delegation

Architecture Example

flowchart LR
  User
  IdP[Identity Provider]
  STS[AWS STS]
  Role[IAM Role]
  AWS[AWS Services]
  SAML[SAML]
  OIDC[OIDC]
  SourceIdentity[SourceIdentity]
  SessionTags[Session Tags]
  User --> IdP
  IdP --> SAML
  IdP --> OIDC
  SAML --> STS
  OIDC --> STS
  STS --> SessionTags
  STS --> SourceIdentity
  STS --> Role
  Role --> AWS

Core architecture:

Authenticate
 ↓
Assume
 ↓
Receive Temporary Credentials
 ↓
Access AWS

Workflow(s)

AssumeRole Workflow

sequenceDiagram
  participant User
  participant STS
  participant Role
  participant AWS
  User->>STS: AssumeRole
  STS->>Role: Validate trust policy
  Role-->>STS: Allowed
  STS-->>User: Temporary credentials
  User->>AWS: API request

Web Identity Federation

sequenceDiagram
  participant Workload
  participant OIDC
  participant STS
  participant AWS
  Workload->>OIDC: Authenticate
  OIDC-->>Workload: JWT
  Workload->>STS: AssumeRoleWithWebIdentity
  STS-->>Workload: Temporary credentials
  Workload->>AWS: Access

Cross-Account Role Chain

sequenceDiagram
  participant User
  participant RoleA
  participant STS
  participant RoleB
  User->>STS: Assume Role A
  STS-->>User: Temporary credentials
  User->>STS: Assume Role B
  STS-->>User: Role chain session

Core Concepts

Temporary Credentials (MOST TESTED)

STS returns:

Access Key
Secret Key
Session Token

Properties:

  • Temporary
  • Expiring
  • Rotated

Preferred over:

IAM User Access Keys

AssumeRole

Most common STS API.

Used to:

Adopt the permissions of another role

Supports:

  • Cross-account access
  • Temporary elevation
  • Delegation

Trust Policy (VERY HIGH VALUE)

Controls:

Who may assume?

Lives on:

IAM Role

Example:

Action: sts:AssumeRole

Exam trap:

Trust policy:

Who enters

Permissions policy:

What they do

Session Duration

Controls:

Credential expiration

Depends on:

  • Role settings
  • Caller type
  • Federation method

Session Policies

Restrict permissions.

Result:

Role
∩
Session Policy

Never expands access.
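The intersection rule above, as an added example (not part of the original notes): a small action-level evaluator that shows a session policy narrowing a role but never granting beyond it. It ignores Resource and Condition, so it illustrates the rule, not full IAM semantics.

```python
"""Effective permissions of a session = role policy ∩ session policy."""
from fnmatch import fnmatchcase

def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else acts

def policy_allows(policy, action):
    """Action-level evaluation only (no Resource/Condition): an explicit
    Deny wins, otherwise any matching Allow permits the action."""
    allowed = False
    for stmt in policy["Statement"]:
        for pattern in _actions(stmt):
            if fnmatchcase(action.lower(), pattern.lower()):  # IAM action names are case-insensitive
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def effective_allows(role_policy, session_policy, action):
    """With a session policy the call succeeds only if BOTH policies allow it,
    so a session policy can narrow the role but never grant beyond it."""
    if not policy_allows(role_policy, action):
        return False
    return session_policy is None or policy_allows(session_policy, action)

# Constructed sample policies. The role grants broad S3 access; the session
# policy narrows it to GetObject and also "asks" for an IAM action the role lacks.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:PutObject"], "Resource": "*"}]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:CreateUser"], "Resource": "*"}]}

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:PutObject", "iam:CreateUser"):
        print(f"{act:15} role={policy_allows(ROLE_POLICY, act)!s:5} "
              f"session={policy_allows(SESSION_POLICY, act)!s:5} "
              f"effective={effective_allows(ROLE_POLICY, SESSION_POLICY, act)}")
```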


Federation

STS supports:

  • SAML
  • OIDC
  • Identity Center

Important Integrations

IAM Roles (VERY HIGH VALUE)

Core pattern:

Role
+
STS
=
Temporary Access

IAM Identity Center

Flow:

User
 ↓
Identity Center
 ↓
STS
 ↓
AWS

Amazon Cognito

Pattern:

User Identity
 ↓
STS
 ↓
Temporary Credentials

Amazon EKS

IRSA (IAM Roles for Service Accounts) uses:

AssumeRoleWithWebIdentity

EC2

Instance Profiles rely on:

STS internally

Lambda

Execution roles use:

STS internally

AWS CLI / SDK

Automatically obtain:

  • Sessions
  • Credential refresh

AWS Organizations

Common for:

  • Cross-account access

Security Features

Temporary Credentials

Reduce:

  • Credential lifetime
  • Exposure

Session Expiration

Automatically invalidates access.


Session Policies

Restrict sessions.


External ID (VERY HIGH VALUE)

Protects against:

Confused Deputy

Pattern:

Third Party
 ↓
External ID
 ↓
Role
 ↓
STS

MFA Support

Supports:

MFA-authenticated sessions
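The trust policy, External ID and MFA points above, as an added example (not from the original notes): an evaluator for the two condition operators involved, run against a constructed trust policy with placeholder account IDs and External ID. Principal matching is an exact ARN comparison, a simplification of IAM's rules.

```python
"""Trust-policy gate: who may AssumeRole, and under which conditions."""

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _conditions_hold(condition, ctx):
    """Only the two operators these notes rely on are implemented. A key that
    is absent from the request context fails the condition, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def trust_allows(trust_policy, caller_arn, ctx):
    """True if an Allow statement names the caller (exact ARN match, a
    simplification) and all of its conditions hold for this request."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if caller_arn not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        if _conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False

# Constructed trust policy with placeholder account IDs and External ID:
# a partner account must present the agreed External ID (confused-deputy
# protection); an in-account user must have authenticated with MFA.
PARTNER = "arn:aws:iam::222222222222:root"
ADMIN = "arn:aws:iam::111111111111:user/alice"
EXTERNAL_ID = "example-external-id-0001"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": PARTNER},
     "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": ADMIN},
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    print(trust_allows(TRUST_POLICY, PARTNER, {"sts:ExternalId": EXTERNAL_ID}))  # True
    print(trust_allows(TRUST_POLICY, PARTNER, {}))  # False: no External ID, request refused
    print(trust_allows(TRUST_POLICY, ADMIN, {"aws:MultiFactorAuthPresent": "false"}))  # False
```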

Session Tags

Supports:

ABAC

Examples:

department=finance
project=alpha

SourceIdentity (HIGH VALUE)

Persistent identity tracking.

Purpose:

Track original caller across:

Role assumptions
Role chaining

Visible in:

CloudTrail

Unlike Session Tags:

Persists through chaining

Exam scenario:

Track original human identity across multiple roles

Answer:

SourceIdentity

Regional Endpoints

Supports:

  • Global
  • Regional

Recommended:

Regional STS

Advanced Security and Operational Concepts

STS Issues Credentials Only (MOST TESTED)

STS:

Issues credentials

IAM:

Authorizes actions

Trust Policy vs Permissions Policy

Trust:

Who enters

Permissions:

What happens

Classic trap.


Session Policy Intersection

Result:

Role
∩
Session Policy

Never expands.


GetSessionToken vs AssumeRole (VERY HIGH VALUE)

AssumeRole

Used when:

Switch identities

Example:

Cross-account access

GetSessionToken

Used when:

Keep same identity
+
Get temporary session
+
Require MFA

Typical use:

aws:MultiFactorAuthPresent

Massive exam distinction.


AssumeRole Variants

AssumeRole

Cross-account.


AssumeRoleWithSAML

Enterprise federation.


AssumeRoleWithWebIdentity

OIDC.

EKS.

GitHub Actions.


GetFederationToken

Legacy federation.


Role Chaining Hard Limit (VERY HIGH VALUE)

Pattern:

Role A
 ↓
Role B

Maximum session duration:

1 hour

Even if Role B allows:

12 hours

Massive exam trap.
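The SourceIdentity and role-chaining points above, as an added example (not from the original notes): an audit over constructed CloudTrail AssumeRole records that reports chained calls requesting more than the one-hour cap (a request STS rejects) and hops with no SourceIdentity to trace the original caller. Field names follow CloudTrail's AssumeRole record layout; account IDs are placeholders.

```python
"""Audit CloudTrail AssumeRole records for role chaining and SourceIdentity."""
import json

MAX_CHAINED_SECONDS = 3600  # STS caps chained sessions at one hour

def audit_assume_role(event):
    """Return findings for one record (empty list = nothing to report).
    A chained call is one whose caller is already an AssumedRole session."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
        return []
    ident, params = event["userIdentity"], event.get("requestParameters", {})
    chained = ident["type"] == "AssumedRole"
    # SourceIdentity is set on the first hop and then carried in the session context.
    source = params.get("sourceIdentity") or ident.get("sessionContext", {}).get("sourceIdentity")
    findings = []
    requested = params.get("durationSeconds", MAX_CHAINED_SECONDS)
    if chained and requested > MAX_CHAINED_SECONDS:
        findings.append(f"role chaining requested {requested}s; STS allows at most {MAX_CHAINED_SECONDS}s")
    if not source:
        findings.append("no SourceIdentity: original caller cannot be traced through this hop")
    return findings

def audit_all(events):
    """Map each caller ARN to its findings."""
    return {e["userIdentity"]["arn"]: audit_assume_role(e) for e in events}

# Constructed records following CloudTrail's AssumeRole layout (placeholder account IDs):
# alice assumes RoleA with SourceIdentity, her RoleA session chains into RoleB asking
# for 12 hours, and bob assumes RoleA without setting SourceIdentity.
EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/RoleA",
                           "roleSessionName": "alice", "sourceIdentity": "alice",
                           "durationSeconds": 3600}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/RoleA/alice",
                      "sessionContext": {"sourceIdentity": "alice"}},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/RoleB",
                           "roleSessionName": "alice", "durationSeconds": 43200}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/RoleA",
                           "roleSessionName": "bob", "durationSeconds": 3600}},
]

if __name__ == "__main__":
    print(json.dumps(audit_all(EVENTS), indent=2))
```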


Confused Deputy Protection

Pattern:

External Service
 ↓
External ID
 ↓
Role
 ↓
STS

Regional STS Activation (HIGH VALUE)

Global endpoint:

Always available

Regional endpoints:

May require:

Explicit activation

Especially in newer Regions.

Exam symptom:

STS regional call fails

Check:

STS region activation

STS Is Everywhere

Used internally by:

  • EC2
  • Lambda
  • Cognito
  • Identity Center
  • SDK
  • CLI

Exam mindset:

Temporary credentials are the AWS default

Comparisons

Service          Purpose              Issues credentials   Temporary
STS              Credential issuance  Yes                  Yes
IAM              Authorization        No                   No
Cognito          App identity         Partial              Yes
Identity Center  Workforce SSO        Partial              Yes
IAM Users        Long-term access     Yes                  No

Common Exam Traps

  1. STS issues credentials only.

  2. Trust policy controls assumption.

  3. Permissions policy controls actions.

  4. Session policy only restricts.

  5. External ID solves confused deputy.

  6. SourceIdentity survives role chaining.

  7. Role chaining max = 1 hour.

  8. GetSessionToken ≠ AssumeRole.

  9. Regional STS may require activation.

  10. EKS uses AssumeRoleWithWebIdentity.

  11. EC2 roles use STS internally.

  12. Temporary credentials are preferred.


5-Second Recall

  • STS = temporary credentials
  • AssumeRole changes identity
  • GetSessionToken keeps identity
  • Trust policy controls entry
  • Session policy restricts
  • SourceIdentity tracks users
  • Role chaining max = 1 hour

Quick Revision Notes

  • Temporary credential engine
  • Eliminates long-term keys
  • Trust ≠ permissions
  • Session policy narrows access
  • External ID prevents confused deputy
  • SourceIdentity improves auditability
  • Regional STS preferred
  • Role chaining capped at 1 hour
  • EKS uses web identity
  • One of the highest-value exam services