
AWS Security Token Service (STS) is a web service provided by Amazon Web Services (AWS) that allows the creation and provision of temporary, limited-privilege credentials for AWS resources. It is primarily used to manage short-term access to AWS services and resources. This enhances security by giving users only the minimum permissions they need (i.e. the principle of “least privilege”).

AWS STS facilitates various use cases, such as federated user access, cross-account access, and mobile application access, by allowing users to assume IAM roles. The temporary security credentials provided by STS can be configured with an expiration period, which can range from a few minutes to several hours.

This service is a critical component for managing secure access within your cloud environment.

Common scenarios requiring STS

Let’s talk about some common scenarios in which temporary security credentials are key.

Identity Federation

AWS STS is crucial for enabling identity federation. Identity federation allows users from external identity providers (such as corporate directories or third-party identity services) to access AWS resources without creating an AWS identity for each user.

This method supports web identity federation using providers like Google, Facebook, or Amazon, and federation with corporate identities using SAML 2.0, facilitating secure access management across platforms for federated users.

Delegation

AWS STS facilitates access delegation, which enables AWS resource owners to create roles with specific permissions and then delegate these roles to trusted entities.

This is often used to grant third-party vendors limited access to your AWS environment or to allow applications to interact with AWS resources on behalf of end-users. Minimizing the need for long-term credentials increases security.

Cross-Account Access

For organizations operating multiple AWS accounts, AWS STS enables secure cross-account access, allowing users from one AWS account to perform actions in another AWS account.

This setup is beneficial for centralized management and operations, where administrative tasks, monitoring, and compliance checks are conducted across accounts without compromising security.

IAM roles

Utilizing IAM roles with AWS STS is a common practice to grant temporary access to AWS services or third-party applications that need to perform tasks on behalf of users.

This scenario ensures that the permissions are active only for the duration of the session and expire automatically, reducing the risk of credential exposure and promoting a least-privilege security posture.

Security Token Service AWS: How IAM users & temporary security credentials work (image source: AWS)

How AWS STS Works: A Technical Overview

AWS Security Token Service (STS) operates by providing temporary security credentials that allow access to AWS services and resources, which can be tightly controlled and closely monitored. Here’s a breakdown of its technical workflow.

#1: Requesting Temporary Credentials: Users or applications initiate a request to AWS STS when temporary access to AWS resources is needed. This request can be made using the AWS SDK, CLI, or directly through the AWS STS API. The request must specify the desired permissions and the duration for which the credentials are needed.

#2: Role and Policy Evaluation: AWS STS then evaluates the policies attached to the role or identity making the request. It checks for permissions, ensuring that the requester is authorized to assume the role or access the credentials. In cases of federated access, STS also processes the federation token that includes assertions for user authentication.

#3: Token Issuance: Once the request is authenticated and authorized, AWS STS issues temporary security credentials that consist of an access key ID, a secret access key, and a security token. These credentials are limited in scope and duration based on the policies defined.

#4: Using the Credentials: The temporary credentials are then used in subsequent AWS API calls to access resources. These credentials replace the long-term credentials normally used, providing a secure way to grant access without exposing core security secrets.

#5: Expiration and Renewal: The temporary credentials automatically expire at the end of the predefined duration, which can range from a few minutes to several hours. If continued access is needed, a new request must be made for another set of temporary credentials, ensuring that access is only granted within a controlled window.

#6: Logging and Monitoring: Integration with AWS CloudTrail ensures that all interactions involving AWS STS credentials are logged, allowing organizations to monitor and audit usage. This is crucial for compliance and operational security, providing transparency over who accessed what resources and when.
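The monitoring step above is where STS activity becomes visible to defenders. The following added example (not from the original article) triages CloudTrail records for AssumeRole calls, flagging callers from accounts outside an allow-list, unusually long session durations, and denied attempts; the records are constructed to follow the CloudTrail record layout, and the account IDs, ARNs and addresses are placeholders.

```python
"""Triage AWS STS AssumeRole activity in CloudTrail records.
Added example, not from the original article. Records are constructed in the
CloudTrail layout; account IDs, ARNs and IP addresses are placeholders."""
import json

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # accounts allowed to assume our roles
MAX_DURATION_SECONDS = 3600                           # longest session we expect to see

SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/ci-runner"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy", "durationSeconds": 900},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "333333333333", "arn": "arn:aws:iam::333333333333:user/unknown"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin", "durationSeconds": 43200},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/auditor"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin"},
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.55"},
]]


def triage(record):
    """Return finding tags for one CloudTrail record (empty list if nothing stands out)."""
    findings = []
    if record.get("eventSource") != "sts.amazonaws.com" or not record.get("eventName", "").startswith("AssumeRole"):
        return findings  # only the AssumeRole* family issues role credentials
    if record.get("userIdentity", {}).get("accountId") not in TRUSTED_ACCOUNTS:
        findings.append("untrusted-account")
    # AssumeRole defaults to a one-hour session when durationSeconds is omitted
    if record.get("requestParameters", {}).get("durationSeconds", 3600) > MAX_DURATION_SECONDS:
        findings.append("long-session")
    if record.get("errorCode"):
        findings.append("denied:" + record["errorCode"])
    return findings


def scan(lines):
    """Parse newline-delimited JSON records and keep only those with findings."""
    hits = []
    for line in lines:
        record = json.loads(line)
        findings = triage(record)
        if findings:
            hits.append({"caller": record["userIdentity"]["arn"],
                         "role": record.get("requestParameters", {}).get("roleArn"),
                         "findings": findings})
    return hits
```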

CloudTrail Dashboard with Token Service AWS STS (image source: AWS)

Programmatic Access vs. Manual Management with AWS STS

AWS Security Token Service (STS) supports two primary modes of access management:

Programmatic Access:

This involves automating the generation and rotation of temporary credentials through APIs, SDKs, or the AWS Command Line Interface (CLI). This method is ideal for environments that require dynamic access control and frequent updates, such as continuous integration systems or automated deployment pipelines. It reduces the risk associated with long-term credentials and minimizes the potential for human error.

Additionally, AWS STS offers regional endpoints to help reduce latency and address data residency requirements, enhancing the overall performance and compliance of distributed applications.
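Automating the generation and rotation of temporary credentials comes down to one piece of logic: hand out a cached credential set and request a new one before the current one expires. The following added example (not from the original article) implements that refresh loop as a provider class; `assume_role` is a caller-supplied stand-in for the STS AssumeRole call, and `FakeClock` and `fake_sts` are hypothetical helpers so the code runs offline.

```python
"""Cache STS temporary credentials and renew them before they expire.
Added example, not from the original article. ``assume_role`` is a caller-supplied
stand-in for the STS AssumeRole call (hypothetical here so the code runs offline)."""
from datetime import datetime, timedelta, timezone


class RefreshingCredentials:
    """Hands out a cached credential set and refreshes it inside a safety margin."""
    def __init__(self, assume_role, duration_seconds=3600, refresh_margin=300, clock=None):
        self.assume_role = assume_role
        # Clamp to the range STS accepts (900 s to 12 h); the role's MaxSessionDuration caps it server-side.
        self.duration_seconds = max(900, min(duration_seconds, 43200))
        self.refresh_margin = timedelta(seconds=refresh_margin)
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.refresh_count = 0

    def get(self):
        """Return usable credentials, requesting a new set when the old ones are near expiry."""
        if self._creds is None or self._creds["Expiration"] - self.clock() <= self.refresh_margin:
            self._creds = self.assume_role(DurationSeconds=self.duration_seconds)
            self.refresh_count += 1
        return self._creds


class FakeClock:
    """Controllable clock so the expiry logic can be exercised without waiting."""
    def __init__(self): self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    def __call__(self): return self.now
    def advance(self, seconds): self.now += timedelta(seconds=seconds)


def fake_sts(clock):
    """Stand-in for STS AssumeRole: numbered constructed keys that expire after DurationSeconds."""
    counter = {"n": 0}
    def assume_role(DurationSeconds):
        counter["n"] += 1
        return {"AccessKeyId": "ASIACONSTRUCTED%03d" % counter["n"], "SecretAccessKey": "<constructed>",
                "SessionToken": "<constructed>", "Expiration": clock() + timedelta(seconds=DurationSeconds)}
    return assume_role


def demo():
    """Drive the cache through one refresh; returns (refresh_count, access key ids seen)."""
    clock = FakeClock()
    provider = RefreshingCredentials(fake_sts(clock), duration_seconds=900, refresh_margin=120, clock=clock)
    keys = [provider.get()["AccessKeyId"]]
    clock.advance(600)                      # 300 s left: outside the margin, same credentials
    keys.append(provider.get()["AccessKeyId"])
    clock.advance(200)                      # 100 s left: inside the margin, refreshed
    keys.append(provider.get()["AccessKeyId"])
    return provider.refresh_count, keys
```

With a real client, `assume_role` would wrap the STS AssumeRole call and the `Expiration` field is the timestamp STS returns in the response.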

Regional endpoints (image source: AWS)

Manual Management:

Manual management requires administrators to directly assign and revoke credentials, offering granular control over access permissions. This approach is suitable for smaller or more static environments where changes are less frequent and a high level of direct oversight is necessary.

However, it increases the administrative burden and is more susceptible to human error, which can lead to security vulnerabilities.

What actions does the AWS STS API support?

The STS API supports the following actions:

AssumeRole: Allows a user to assume a specified IAM role for a defined period, obtaining temporary credentials to access AWS services.

AssumeRoleWithSAML: Enables a user to assume an IAM role through the authentication of a SAML assertion, providing temporary credentials.

AssumeRoleWithWebIdentity: Permits a user to assume an IAM role based on authentication by a web identity provider like Google or Facebook.

DecodeAuthorizationMessage: Decodes an error message that is encoded when the request for authorization is denied, making it readable.

GetAccessKeyInfo: Returns details about the access key ID used in the request to help determine the associated AWS account.

GetCallerIdentity: Retrieves details about the IAM user or role making the request, including AWS account ID, user ID, and ARN.

GetFederationToken: Issues temporary credentials for federated users with a specified policy and duration, suitable for creating mobile and web application users.

GetSessionToken: Provides a temporary session token for users and roles to make secure API requests, useful for enhancing the security of CLI or SDK calls.

What services integrate with AWS STS?

AWS Security Token Service (STS) integrates broadly across the AWS platform, enabling enhanced security management for various services. A few examples include:

AWS IAM (Identity and Access Management): Directly tied to STS, IAM uses it to grant temporary access and assume roles across AWS services.

Amazon S3 (Simple Storage Service): Use STS for fine-grained access control to S3 buckets and objects through temporary credentials.

Amazon EC2 (Elastic Compute Cloud): Utilize STS for launching EC2 instances with assigned roles that grant them specific permissions.

AWS Lambda: Configure Lambda functions to access other AWS resources using temporary credentials provided by STS.

Amazon RDS (Relational Database Service): Manage database access securely by using STS with IAM roles for RDS instances.

AWS STS vs AWS Cognito

AWS Cognito and AWS Security Token Service (STS) both facilitate secure access management, but Cognito is user-centric, focusing on application-level user identity, whereas STS is resource-centric, managing access to AWS resources.

AWS Cognito primarily focuses on user authentication and identity management for mobile and web applications. It provides user sign-up, sign-in, and access control features, integrating directly with external identity providers via social identity providers like Google, Facebook, and Amazon, or corporate directories via SAML. In contrast, AWS STS is utilized for granting temporary, limited-privilege credentials for AWS resources.

How does AWS STS pricing work?

There is no cost involved in using AWS STS.

Reduce your AWS costs with nOps

If you’re looking to optimize your AWS costs, nOps makes it easy and painless for engineers to take action on cloud cost optimization.

The nOps all-in-one cloud platform features include:

Business Contexts: Understand and allocate 100% of your AWS bill down to the container level

Compute Copilot: Intelligent provisioner that helps you save with Spot discounts to reduce On-Demand costs by up to 90%

Commitment management: Automatic life-cycle management of your EC2/RDS/EKS commitments with risk-free guarantee

Storage migration: One-Click EBS volume migration

Rightsizing: EC2 instance rightsizing and Auto Scaling Groups rightsizing

Resource Scheduling: Automatically schedule and pause idle resources

nOps was recently ranked #1 with five stars in G2’s cloud cost management category, and we optimize $1.5+ billion in cloud spend for our customers.

Join our customers using nOps to understand your cloud costs and leverage automation with complete confidence by booking a demo today!