STS

Question 1

What is STS?

Answer 1

Security Token Service is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)

Question 2

What is the STS token valid time?

Answer 2

from 15 minutes and up to 1 hour, but can be refreshed

Question 3

What are most important STS API operations?

Answer 3

• AssumeRole
• AssumeRoleWithSAML
• AssumeRoleWithWebIdentity
• GetSessionToken
• GetFederationToken
• GetCallerIdentity
• DecodeAuthorizationMessage

Question 4

What is STS AssumeRole operation?

Answer 4

• Within your own account: for enhanced security

* Cross Account Access: assume role in target account to perform actions there

Question 5

What is STS AssumeRoleWithSAML operation?

Answer 5

return credentials for users logged with SAML

Question 6

What is STS AssumeRoleWithWebIdentity operation?

Answer 6

• return creds for users logged with an IdP (Facebook Login, Google Login, OIDC compatible…)
• AWS recommends against using this, and using Cognito instead

Question 7

What is STS GetSessionToken operation?

Answer 7

for MFA, from a user or AWS account root user

Question 8

How does work STS to Assume a Role?

Answer 8

1- Define an IAM Role within your account or cross-account
2- Define which principals can access this IAM Role
3- Use STS to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)

Question 9

What is STS GetFederationToken operation?

Answer 9

obtain temporary creds for a federated user

Question 10

What is STS GetCallerIdentity operation?

Answer 10

return details about the IAM user or role used in the API call

Question 11

What is STS DecodeAuthorizationMessage operation?

Answer 11

decode error message when an AWS API is denied

Question 12

When you must use STS GetSessionToken API?

Answer 12

When the policy includes a condition saying aws:MultiFactorAuthPresent:true