Enhancing AWS Security with Temporary Credentials from AWS STS

Introduction

AWS Security Token Service (STS) is a key component of AWS security that provides temporary, limited-privilege credentials to users and applications. Instead of using long-term credentials, which can pose security risks if exposed, STS generates temporary credentials that expire after a set duration. This reduces the attack surface and improves security, making it an essential tool for managing access across AWS accounts and services.

Whether you are working with cross-account access, federated authentication, or automated workflows, AWS STS ensures that access is granted securely and efficiently. In this blog, we’ll explore how STS works, its key use cases, and best practices for implementing it in your AWS environment.

Why Use AWS STS?

1. Enhanced Security: Temporary credentials minimize exposure as they expire automatically.
2. Cross-Account Access: Users from one AWS account can securely access resources in another.
3. Federated Authentication: Enables integration with identity providers (IdPs) like Active Directory, Google, and Okta.
4. Least Privilege Principle: Credentials grant only the permissions required for a task.

How AWS STS Works?

AWS STS issues temporary credentials that consist of:

• Access Key ID
• Secret Access Key
• Session Token

These credentials are valid for a configurable duration (from a few minutes up to 12 hours) and automatically expire after that period.

Key AWS STS API Actions

1. AssumeRole – Grants temporary credentials based on an AWS IAM role.
2. GetSessionToken – Issues temporary credentials for AWS IAM users with MFA (Multi-Factor Authentication).
3. AssumeRoleWithSAML – Allows federated users authenticated via SAML to assume roles.
4. AssumeRoleWithWebIdentity – Enables users to authenticate through external IdPs (Google, Facebook, etc.).
5. GetFederationToken – Provides temporary credentials for users authenticated with an external IdP.

Using AssumeRole with AWS CLI

Output:

You can then set these credentials as environment variables to use them in AWS CLI or SDK:

Real-World Use Cases for AWS STS

Cross-Account Access

Many organizations use multiple AWS accounts for different teams or projects. AWS STS allows users from one account to securely access resources in another without needing long-term credentials.

Federated Identity Management

AWS STS supports identity federation, allowing users to log in with their existing corporate credentials (e.g., Active Directory, Okta, Google Workspace) and access AWS resources without creating separate IAM users.

Temporary Access for Applications

Applications running outside AWS, such as on-premises servers or mobile devices, can dynamically use AWS STS to request temporary credentials. This ensures secure access without storing long-term keys in configuration files.

Secure CI/CD Pipelines

DevOps teams can use AWS STS to provide temporary credentials for CI/CD pipelines. Instead of storing static AWS credentials in configuration files, pipelines can dynamically assume a role and obtain short-lived credentials.

Best Practices for Using AWS STS

• Use Short-lived Credentials: Set the expiration time to the minimum required for the task.
• Enable MFA for Extra Security: Require MFA when using GetSessionToken to add an extra layer of protection.
• Restrict Role Assumption: Use IAM policies to define which users or applications can assume roles.
• Monitor and Audit STS Usage: Use AWS CloudTrail to track STS API calls and detect unusual activity.
• Rotate Roles Regularly: Review and update AWS IAM roles periodically to minimize security risks.
• Leverage AWS IAM Conditions: Use conditions in AWS IAM policies to restrict access based on IP addresses, device trust levels, or time of day.

Conclusion

AWS Security Token Service (STS) is a powerful and essential service for managing secure, temporary access to AWS resources.

By leveraging AWS STS, organizations can enforce security best practices while maintaining operational flexibility. It helps reduce the risks associated with long-lived credentials, simplifies permission management, and ensures that users and applications have only the necessary access for a limited duration. Whether you’re implementing federated authentication, enabling secure access across multiple AWS accounts, or managing temporary credentials for applications, STS is a key component of a well-architected security strategy in AWS.

If you’re working with AWS Identity and Access Management (IAM) and haven’t explored STS, now is the perfect time to start. It’s a game-changer in authentication and authorization management, helping you streamline access control, improve security posture, and minimize cloud credentials exposure. By adopting STS, you can enhance security, reduce operational risks, and simplify identity and access management (IAM) across your AWS environment.

Drop a query if you have any questions regarding AWS STS and we will get back to you quickly.

About CloudThat