Introduction
AWS Security Token Service (STS) is a key component of AWS security that provides temporary, limited-privilege credentials to users and applications. Instead of using long-term credentials, which can pose security risks if exposed, STS generates temporary credentials that expire after a set duration. This reduces the attack surface and improves security, making it an essential tool for managing access across AWS accounts and services.
Whether you are working with cross-account access, federated authentication, or automated workflows, AWS STS ensures that access is granted securely and efficiently. In this blog, we’ll explore how STS works, its key use cases, and best practices for implementing it in your AWS environment.
Why Use AWS STS?
- Enhanced Security: Temporary credentials minimize exposure as they expire automatically.
- Cross-Account Access: Users from one AWS account can securely access resources in another.
- Federated Authentication: Enables integration with identity providers (IdPs) like Active Directory, Google, and Okta.
- Least Privilege Principle: Credentials grant only the permissions required for a task.
How AWS STS Works
AWS STS issues temporary credentials that consist of:
- Access Key ID
- Secret Access Key
- Session Token
These credentials are valid for a configurable duration (from a few minutes up to 12 hours) and automatically expire after that period.
Key AWS STS API Actions
- AssumeRole – Grants temporary credentials based on an AWS IAM role.
- GetSessionToken – Issues temporary credentials for AWS IAM users with MFA (Multi-Factor Authentication).
- AssumeRoleWithSAML – Allows federated users authenticated via SAML to assume roles.
- AssumeRoleWithWebIdentity – Enables users to authenticate through external IdPs (Google, Facebook, etc.).
- GetFederationToken – Provides temporary credentials for users authenticated with an external IdP.
Using AssumeRole with AWS CLI
Output:
You can then set these credentials as environment variables to use them in AWS CLI or SDK:
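The following is an added example, not code from the original post: it builds the `aws sts assume-role` command with the CLI's parameter limits checked up front, and converts the JSON response into the environment variables the AWS CLI and SDKs read, refusing credentials that have already expired. The role ARN, account number and response values are constructed placeholders.

```python
import json
import re
import subprocess
from datetime import datetime, timezone

# AssumeRole accepts a duration of 15 minutes to 12 hours (in seconds) and a
# session name of 2-64 characters from [A-Za-z0-9+=,.@_-].
MIN_DURATION, MAX_DURATION = 900, 43200
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{2,64}$")

# Constructed sample with the shape `aws sts assume-role` prints (not real keys).
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "constructedSecretAccessKeyValue",
        "SessionToken": "constructedSessionTokenValue",
        "Expiration": "2030-01-01T01:00:00+00:00",
    }
}
SAMPLE_NOW = datetime(2030, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed clock

def assume_role_command(role_arn, session_name, duration=MIN_DURATION):
    """Build the argv for `aws sts assume-role`, rejecting out-of-range inputs."""
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("role session name must match [A-Za-z0-9+=,.@_-]{2,64}")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"duration must be {MIN_DURATION}..{MAX_DURATION} seconds")
    return ["aws", "sts", "assume-role", "--role-arn", role_arn,
            "--role-session-name", session_name,
            "--duration-seconds", str(duration), "--output", "json"]

def seconds_remaining(response, now=None):
    """Seconds until the returned credentials expire (negative once expired)."""
    exp = datetime.fromisoformat(response["Credentials"]["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return int((exp - now).total_seconds())

def credentials_to_env(response, now=None):
    """Map the response to the variables the CLI/SDKs read; refuse expired credentials."""
    if seconds_remaining(response, now) <= 0:
        raise ValueError("temporary credentials have already expired")
    c = response["Credentials"]
    return {"AWS_ACCESS_KEY_ID": c["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
            "AWS_SESSION_TOKEN": c["SessionToken"]}

if __name__ == "__main__":  # live run: calls the real CLI with the caller's current credentials
    cmd = assume_role_command("arn:aws:iam::123456789012:role/ExampleRole", "audit")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    print("\n".join(f"export {k}={v}" for k, v in credentials_to_env(json.loads(out)).items()))
```

Piping the printed `export` lines through `eval` in the shell sets the variables for subsequent `aws` calls.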
Real-World Use Cases for AWS STS
Cross-Account Access
Many organizations use multiple AWS accounts for different teams or projects. AWS STS allows users from one account to securely access resources in another without needing long-term credentials.
Federated Identity Management
AWS STS supports identity federation, allowing users to log in with their existing corporate credentials (e.g., Active Directory, Okta, Google Workspace) and access AWS resources without creating separate IAM users.
Temporary Access for Applications
Applications running outside AWS, such as on-premises servers or mobile devices, can dynamically use AWS STS to request temporary credentials. This ensures secure access without storing long-term keys in configuration files.
Secure CI/CD Pipelines
DevOps teams can use AWS STS to provide temporary credentials for CI/CD pipelines. Instead of storing static AWS credentials in configuration files, pipelines can dynamically assume a role and obtain short-lived credentials.
Best Practices for Using AWS STS
- Use Short-lived Credentials: Set the expiration time to the minimum required for the task.
- Enable MFA for Extra Security: Require MFA when using GetSessionToken to add an extra layer of protection.
- Restrict Role Assumption: Use IAM policies to define which users or applications can assume roles.
- Monitor and Audit STS Usage: Use AWS CloudTrail to track STS API calls and detect unusual activity.
- Rotate Roles Regularly: Review and update AWS IAM roles periodically to minimize security risks.
- Leverage AWS IAM Conditions: Use conditions in AWS IAM policies to restrict access based on IP addresses, device trust levels, or time of day.
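A defender-side illustration of the monitoring and conditions practices above, added here and not part of the original post: it reviews CloudTrail records of STS calls for role assumptions from outside an assumed corporate network range, sessions longer than a local maximum, and repeated AccessDenied results on one role. The events, the network range and the thresholds are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed CloudTrail records (not real logs) using the AssumeRole event shape.
CALLER = "arn:aws:iam::111111111111:user/ci-runner"
DEPLOY = "arn:aws:iam::222222222222:role/Deploy"
ADMIN = "arn:aws:iam::222222222222:role/Admin"
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": CALLER},
     "requestParameters": {"roleArn": DEPLOY, "durationSeconds": 900}},
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": CALLER},
     "requestParameters": {"roleArn": DEPLOY, "durationSeconds": 43200}},
] + [
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": {"arn": CALLER},
     "requestParameters": {"roleArn": ADMIN}},
] * 3

STS_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity", "GetSessionToken"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range
MAX_DURATION = 3600      # local policy: no STS session longer than one hour
DENIED_THRESHOLD = 3     # repeated AccessDenied on one (caller, role) pair

def review_sts_events(events, allowed=ALLOWED_NETWORKS, max_duration=MAX_DURATION,
                      denied_threshold=DENIED_THRESHOLD):
    """Return (rule, caller_arn, detail) findings for the STS calls in `events`."""
    findings, denied = [], Counter()
    for ev in events:
        if ev.get("eventName") not in STS_EVENTS:
            continue
        caller = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        if ev.get("errorCode"):          # failed call: count it, no credentials were issued
            denied[(caller, params.get("roleArn"))] += 1
            continue
        try:                             # AWS-service callers log a DNS name here, not an IP
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            ip = None
        if ip is not None and not any(ip in net for net in allowed):
            findings.append(("assume_from_unexpected_ip", caller, str(ip)))
        if params.get("durationSeconds", 0) > max_duration:
            findings.append(("session_too_long", caller, params["durationSeconds"]))
    for (caller, role), n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated_assume_denied", caller, f"{role} x{n}"))
    return findings
```

Each finding maps back to a best practice above: an unexpected source IP suggests a missing `aws:SourceIp` condition, an over-long session a missing duration limit, and repeated denials a caller probing roles it is not trusted to assume.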
Conclusion
AWS Security Token Service (STS) is a powerful and essential service for managing secure, temporary access to AWS resources.
By leveraging AWS STS, organizations can enforce security best practices while maintaining operational flexibility. It helps reduce the risks associated with long-lived credentials, simplifies permission management, and ensures that users and applications have only the necessary access for a limited duration. Whether you’re implementing federated authentication, enabling secure access across multiple AWS accounts, or managing temporary credentials for applications, STS is a key component of a well-architected security strategy in AWS.
If you’re working with AWS Identity and Access Management (IAM) and haven’t explored STS, now is the perfect time to start. It’s a game-changer in authentication and authorization management, helping you streamline access control, improve security posture, and minimize cloud credential exposure. By adopting STS, you can enhance security, reduce operational risks, and simplify identity and access management across your AWS environment.
FAQs
1. Why use AWS STS?
ANS: – AWS STS allows temporary access to AWS resources, reducing long-term credential risks and enabling cross-account access securely.
2. How long do AWS STS credentials last?
ANS: – Temporary credentials last between 15 minutes and 12 hours, depending on the service and session duration settings.
WRITTEN BY Sidharth Karichery
Sidharth works as a Research Intern at CloudThat in the Tech Consulting Team. He is a Computer Science Engineering graduate. Sidharth is highly passionate about the field of Cloud and Data Science.