AWS STS

Explore how AWS Security Token Service (STS) enables you to request temporary security credentials with limited permissions, allowing secure and controlled access to AWS resources. Understand common use cases such as cross-account access, federated access, and role assumption. Learn how to create and assume roles using STS APIs and apply these concepts through practical examples that show temporary credential usage and access control within AWS environments.

Security Token Service

AWS Security Token Service (STS) lets users request temporary security credentials that carry limited permissions for AWS resources. These short-term credentials can grant access to specific AWS services and resources in our account without exposing the long-term credentials of the account or of an IAM user.

STS lets us delegate access in a more controlled and secure way because the tokens expire within a designated time frame. The temporary tokens can be configured with customized permissions as well, only allowing the permissions and resource access necessary for the designated user or application.

By default, STS is a global service, and all STS requests go to a single endpoint at https://sts.amazonaws.com, which maps to AWS servers in the us-east-1 region located in northern Virginia. However, using regional STS endpoints is recommended to reduce latency, build redundancy, and increase session token validity. Regional endpoints allow STS requests to be handled by infrastructure local to that region for better performance. They also provide fault tolerance if the global endpoint is unavailable.
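The following Python example ties the three points above together: choosing a regional endpoint instead of the global one, building an AssumeRole request whose optional session policy narrows the role's permissions, and parsing the temporary credentials (access key, secret, session token, expiration) out of an AssumeRole response and checking whether they are still valid. It is an added illustration, not code from this course or from AWS; it uses only the standard library and never contacts AWS. The role ARN, session name, and the XML response body are constructed sample values, and the function names (`sts_endpoint`, `assume_role_params`, `parse_assume_role_response`) are this example's own.

```python
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

# XML namespace used by STS query-API responses.
STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

# AssumeRole accepts DurationSeconds from 15 minutes up to the role's configured
# maximum session duration, which itself can be at most 12 hours.
MIN_DURATION_SECONDS = 900
MAX_DURATION_SECONDS = 43200


def sts_endpoint(region=None):
    """Regional STS endpoint for `region`, or the global endpoint when none is given."""
    if region is None:
        return "https://sts.amazonaws.com"
    return f"https://sts.{region}.amazonaws.com"


def assume_role_params(role_arn, session_name, duration_seconds=3600, session_policy=None):
    """Build the query parameters for an AssumeRole request.

    `session_policy` is an optional IAM policy document sent as the Policy parameter;
    it can only narrow the permissions of the assumed role, never widen them.
    """
    if not MIN_DURATION_SECONDS <= duration_seconds <= MAX_DURATION_SECONDS:
        raise ValueError(
            f"DurationSeconds must be between {MIN_DURATION_SECONDS} and "
            f"{MAX_DURATION_SECONDS}, got {duration_seconds}"
        )
    params = {
        "Action": "AssumeRole",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": str(duration_seconds),
    }
    if session_policy is not None:
        params["Policy"] = json.dumps(session_policy, separators=(",", ":"))
    return params


def utc_time(iso_text):
    """Parse an STS timestamp such as 2024-05-01T13:00:00Z into an aware datetime."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


@dataclass
class TemporaryCredentials:
    access_key_id: str       # temporary keys start with ASIA, long-term ones with AKIA
    secret_access_key: str
    session_token: str       # must accompany every request signed with these keys
    expiration: datetime
    assumed_role_arn: str

    def seconds_remaining(self, now=None):
        now = now or datetime.now(timezone.utc)
        return (self.expiration - now).total_seconds()

    def is_usable(self, now=None, clock_skew_seconds=60):
        """False once the credentials are expired or about to expire (skew margin)."""
        return self.seconds_remaining(now) > clock_skew_seconds


def parse_assume_role_response(xml_text):
    """Extract the temporary credentials from an AssumeRole XML response body."""
    root = ET.fromstring(xml_text)
    creds = root.find("sts:AssumeRoleResult/sts:Credentials", STS_NS)
    user = root.find("sts:AssumeRoleResult/sts:AssumedRoleUser", STS_NS)
    if creds is None or user is None:
        raise ValueError("response does not contain AssumeRoleResult credentials")

    def text(parent, tag):
        node = parent.find(f"sts:{tag}", STS_NS)
        if node is None or not node.text:
            raise ValueError(f"missing {tag} in AssumeRole response")
        return node.text.strip()

    return TemporaryCredentials(
        access_key_id=text(creds, "AccessKeyId"),
        secret_access_key=text(creds, "SecretAccessKey"),
        session_token=text(creds, "SessionToken"),
        expiration=utc_time(text(creds, "Expiration")),
        assumed_role_arn=text(user, "Arn"),
    )


# Constructed sample response; every value below is made up, not captured from AWS.
SAMPLE_RESPONSE = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::123456789012:assumed-role/ReadOnlyAuditRole/audit-session</Arn>
      <AssumedRoleId>AROAEXAMPLEID:audit-session</AssumedRoleId>
    </AssumedRoleUser>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLEKEY123456</AccessKeyId>
      <SecretAccessKey>exampleSecretKeyNotReal00000000000000000</SecretAccessKey>
      <SessionToken>FwoGZXIvYXdzEExampleSessionTokenNotReal</SessionToken>
      <Expiration>2024-05-01T13:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleResult>
  <ResponseMetadata><RequestId>00000000-0000-4000-8000-000000000000</RequestId></ResponseMetadata>
</AssumeRoleResponse>"""


if __name__ == "__main__":
    read_only = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}
    print("POST", sts_endpoint("eu-west-1"),
          assume_role_params("arn:aws:iam::123456789012:role/ReadOnlyAuditRole",
                             "audit-session", 900, read_only))
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    print(creds.assumed_role_arn, "usable:", creds.is_usable(utc_time("2024-05-01T12:30:00Z")))
```

The request parameters are what a signed POST to the chosen STS endpoint would carry; a real call needs SigV4 signing with the caller's existing credentials, which the AWS SDKs and CLI do for you. The `is_usable` margin matters in practice: code that treats credentials as valid right up to `Expiration` will intermittently fail on hosts whose clocks drift, so refresh a little early.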

Points to note: ...