AWS STS (Security Token Service) - Complete Guide
Why AWS STS is Important
AWS Security Token Service (STS) is a critical component of AWS security architecture. It enables you to request temporary, limited-privilege credentials for IAM users or federated users. Understanding STS is essential for the AWS Developer Associate exam because it underpins secure access patterns, cross-account access, and identity federation scenarios that developers encounter regularly.
What is AWS STS?
AWS STS is a web service that enables you to request temporary security credentials for AWS resources. These credentials consist of:
• Access Key ID - Identifies the temporary credentials
• Secret Access Key - Used to sign requests
• Session Token - Must be included with requests
• Expiration - Timestamp when credentials expire
Temporary credentials are valid for a configurable duration, typically from 15 minutes to 12 hours depending on the API call used.
How AWS STS Works
Key STS API Actions:
AssumeRole
• Allows IAM users to assume a role in the same or different AWS account
• Used for cross-account access
• Returns temporary credentials with permissions defined by the role
• Default duration: 1 hour (configurable up to 12 hours)
AssumeRoleWithSAML
• Used for users authenticated via SAML 2.0 identity provider
• Enables enterprise single sign-on (SSO)
• Maps SAML assertions to IAM roles
AssumeRoleWithWebIdentity
• Used for users authenticated via web identity providers (Google, Facebook, Amazon, or any OpenID Connect provider)
• Note: AWS recommends using Amazon Cognito instead for mobile applications
GetSessionToken
• Used for MFA authentication
• Returns temporary credentials for IAM users
• Useful when MFA is required for API calls
GetFederationToken
• Used by identity brokers to obtain temporary credentials for federated users
• Longer duration possible (up to 36 hours)
Common Use Cases
1. Cross-Account Access - Allow users in one AWS account to access resources in another account
2. Identity Federation - Allow corporate users to access AWS using existing credentials
3. Mobile Applications - Provide temporary access to AWS resources for mobile app users
4. EC2 Instance Roles - STS provides credentials to applications running on EC2 instances
5. MFA-Protected API Access - Require MFA before allowing sensitive operations
STS and IAM Roles
When a principal assumes a role:
• Original permissions are replaced by role permissions
• Temporary credentials are issued
• The trust policy determines who can assume the role
• The permissions policy determines what actions are allowed
Regional Endpoints
STS is a global service but has regional endpoints. Using regional endpoints:
• Reduces latency
• Adds redundancy
• Must be activated in IAM console for regions other than us-east-1
Exam Tips: Answering Questions on AWS STS
Key Points to Remember:
1. Temporary credentials are always preferred over long-term access keys for security best practices
2. AssumeRole is the answer when the question mentions cross-account access or switching roles
3. AssumeRoleWithWebIdentity appears in questions about web/mobile authentication, but remember AWS recommends Cognito for mobile apps
4. AssumeRoleWithSAML is correct for enterprise SSO and Active Directory federation scenarios
5. GetSessionToken is the answer when MFA is involved with IAM user API calls
6. When credentials expire, the application must call STS again to get new credentials
7. Session duration limits:
• AssumeRole: 15 minutes to 12 hours
• AssumeRoleWithSAML/WebIdentity: 15 minutes to 12 hours
• GetSessionToken: 15 minutes to 36 hours
• GetFederationToken: 15 minutes to 36 hours
8. The sts:ExternalId condition is used to prevent the confused deputy problem in cross-account scenarios
9. Revoking sessions: You can revoke active sessions by adding a deny policy with a date condition
10. Trust Policy vs Permissions Policy: Trust policy controls WHO can assume the role; Permissions policy controls WHAT they can do
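The ExternalId guard from point 8 and the trust-policy side of point 10, as an added example that is not part of this guide: it builds a cross-account trust policy whose AssumeRole statement requires sts:ExternalId, and audits an existing trust policy for Allow/AssumeRole statements that trust a principal outside the role's own account without that condition. The account IDs and ExternalId value are constructed placeholders, and the policy is treated as a plain dict as returned by the IAM API.

```python
"""Trust-policy helpers for cross-account AssumeRole (added example, not from the guide).
Account IDs and the ExternalId below are constructed placeholders."""
from typing import List, Optional


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy that lets the trusted account assume this role only when
    the caller presents the agreed ExternalId (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    # IAM policy fields may be a single value or a list; normalise to a list
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> Optional[str]:
    # "arn:aws:iam::111122223333:root" -> "111122223333"; bare IDs and "*" give None
    parts = principal.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) >= 6 else None


def unguarded_cross_account_statements(policy: dict, own_account_id: str) -> List[int]:
    """Indices of Allow statements for the literal sts:AssumeRole action that trust
    an AWS principal outside own_account_id without a StringEquals sts:ExternalId."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and Principal "*" strings are not audited here
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        aws_principals = _as_list(principal.get("AWS", []))
        # "*" and bare foreign account IDs count as cross-account too
        cross = any((_account_of(p) or p) != own_account_id for p in aws_principals)
        ext = stmt.get("Condition", {}).get("StringEquals", {})
        if cross and "sts:ExternalId" not in ext:
            flagged.append(i)
    return flagged
```

Service principals (for example Lambda assuming its execution role) are skipped because the ExternalId pattern applies to third-party account access, not to AWS service trust.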
Common Exam Scenarios:
• Application needs temporary access to S3 from mobile app → Cognito with STS
• Corporate users need AWS Console access using AD credentials → SAML Federation with AssumeRoleWithSAML
• Lambda in Account A needs to access DynamoDB in Account B → AssumeRole with cross-account role
• API call requires MFA verification → GetSessionToken