STS Flashcards
This deck aims to help retain concepts related to the STS service.
Which AWS service allows users to request temporary, limited-privilege credentials?
AWS Security Token Service (STS)
What is the primary functionality of AWS STS?
To generate temporary credentials when the sts:AssumeRole* operation is used
What pieces of credentials does AWS STS provide?
- AccessKeyID
- SecretAccessKey
- SessionToken (required for requests)
- Expiration (the date when credentials expire)
What are the credentials generated by AWS STS used for?
To temporarily access AWS resources
Do AWS STS credentials belong to the identity that uses them?
No, these credentials do not belong to the identity and have a configurable expiration period ranging from 15 minutes to a maximum of 12 hours
Who can request credentials using AWS STS?
Any identity (AWS or external) that has permissions for sts:AssumeRole* and is defined as a principal in the role’s trust policy
What permissions can an identity gain by generating credentials with AWS STS?
The permissions that are defined in the role’s permissions policy
How can an identity refresh the expired credentials provided by AWS STS?
By performing another sts:AssumeRole* operation to generate new credentials