AWS Security Token Service (STS) and its uses



This content originally appeared on DEV Community and was authored by Wakeup Flower

What is AWS Security Token Service (AWS STS)?

AWS STS is a service that issues temporary security credentials so you can access AWS resources without long-term credentials (like IAM user access keys).

Think of it as a short-lived “key” generator for AWS.

Key uses of AWS STS

  1. Temporary access for IAM users or roles
  • Example: You don’t want to give a user permanent access keys → you use STS to give them credentials that expire automatically (minutes to hours).
  2. Cross-account access
  • Example: Account A needs to access resources in Account B → you use STS to assume a role in Account B temporarily.
  3. Federated access
  • Example: Your company uses an existing identity provider (like Active Directory, Okta, Google) → STS gives temporary AWS credentials for those users without creating IAM users.
  4. Mobile or browser-based apps
  • Example: An app needs temporary AWS access without embedding permanent credentials → use STS with Amazon Cognito.

How AWS STS works (simple flow):

  1. You request temporary credentials using an STS API call (like AssumeRole or GetSessionToken).
  2. STS returns:
  • Access key ID
  • Secret access key
  • Session token
  • Expiration time
  3. You use these credentials to access AWS services until they expire.

Example real-world analogy

Think of AWS STS like a hotel front desk:

  • You check in → they give you a key card that works for a limited time.
  • When your stay ends → the key card stops working.
  • You don’t need a permanent key for the hotel.

The rest of this post covers AWS STS in the context of the AWS Solutions Architect Associate (SAA) exam.

In short: in the SAA exam, STS usually appears in scenarios involving temporary access, cross-account access, or federated access.

Common AWS STS use cases in the SAA exam

1. Cross-Account Access

  • Scenario: You have two AWS accounts (e.g., Prod and Dev) and want to let a role in one account access resources in another without sharing credentials.
  • STS solution: Use AssumeRole so a role in one account temporarily assumes a role in the other account.
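The cross-account flow above, and the request/response steps from the "How AWS STS works" section, as an added example in Python (not code from the original post): the trust policy Account B attaches to its role, the AssumeRole call Account A makes against it, and what to do with the returned credentials. Account IDs, the role name and the ExternalId are placeholders, and `FakeSTS` is a constructed stand-in for the boto3 STS client so the code runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

def cross_account_trust_policy(trusted_account_id, external_id):
    """Trust policy for the role in Account B: only principals from Account A that
    present the agreed ExternalId may call sts:AssumeRole on it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def assume_cross_account_role(sts, role_arn, session_name, external_id,
                              duration=3600, session_policy=None):
    """Account A calls AssumeRole on the Account B role and receives temporary
    credentials. `sts` is a boto3 STS client or anything with the same assume_role()."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "ExternalId": external_id, "DurationSeconds": duration}
    if session_policy is not None:
        # An inline session policy can only narrow the role's permissions, never widen them.
        params["Policy"] = json.dumps(session_policy)
    return sts.assume_role(**params)["Credentials"]

def credentials_env(creds):
    """Map the STS output onto the variables the AWS CLI and SDKs read. All three
    are needed: requests signed with temporary keys are rejected without the session token."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}

def seconds_until_refresh(creds, now=None, margin=300):
    """Seconds until the credentials should be renewed: expiry minus a safety margin
    so an in-flight request does not fail at the boundary. <= 0 means renew now."""
    now = now or datetime.now(timezone.utc)
    return int((creds["Expiration"] - now - timedelta(seconds=margin)).total_seconds())

class FakeSTS:
    """Constructed stand-in for boto3's STS client so the flow runs offline; it
    returns the same response shape (AccessKeyId, SecretAccessKey, SessionToken, Expiration)."""
    def assume_role(self, **params):
        expiry = datetime.now(timezone.utc) + timedelta(seconds=params["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
                                "SessionToken": "example-session-token", "Expiration": expiry}}

if __name__ == "__main__":  # for a real call, replace FakeSTS() with boto3.client("sts")
    creds = assume_cross_account_role(FakeSTS(), "arn:aws:iam::222222222222:role/ProdReadOnly",
                                      "dev-audit", "placeholder-external-id")
    print(credentials_env(creds), "refresh in", seconds_until_refresh(creds), "s")
```

Nothing in the returned credentials is revocable by the caller; they simply stop working at `Expiration`, which is why the refresh margin matters for long-running jobs.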

2. Temporary Access for Security

  • Scenario: You want to avoid using permanent IAM access keys for users or applications to improve security.
  • STS solution: Use STS to give temporary credentials that expire quickly, reducing the risk of leaked credentials.

Example:

“A company wants developers to access AWS for only 1 hour during a project.” → Use AssumeRole with STS.

3. Federated Access

  • Scenario: Users log in with corporate credentials (Active Directory, Google Workspace, etc.) and need AWS access without IAM user creation.
  • STS solution: Use STS with identity federation to issue temporary credentials.

Example:

“A company uses single sign-on (SSO) for AWS access.” → STS is the backend that issues temporary keys after SSO authentication.

4. Mobile or Web Applications

  • Scenario: An application running on a mobile device needs AWS access without embedding long-term keys.
  • STS solution: Use Cognito with STS to provide temporary credentials.
