What is AWS STS – Security Token Service?
The AWS Security Token Service (STS) is a facility that lets users request temporary credentials with limited privileges. It enables controlled, short-term access to sensitive resources in an AWS account without the need for dedicated IAM identities, which makes it ideal when you must briefly interact with sensitive resources but don't want to set up a dedicated IAM identity for the purpose. The service generates dynamic credentials that are never stored and have a limited lifespan, typically ranging from minutes to hours, with a maximum of 36 hours. STS complements Identity and Access Management (IAM) roles by allowing authorized users to assume these privileged roles on an as-needed basis, which keeps the set of privileges persisted against user accounts minimal. STS is central to several AWS authorization flows, including short-lived access to privileged AWS resources, access to AWS from within applications, identity federation, and cross-account and delegated access. The service works through a five-step process: creating the role, configuring a trust policy for the target user and role, requesting to assume the role, dynamically generating new credentials, and calling the AWS API with the temporary credentials.
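The steps above in Python, as an added example that is not code from the article or from Spacelift: the trust policy (scoped to one principal plus an ExternalId) and an optional inline session policy are built as plain dicts, and the AssumeRole request goes through a client object so the constructed `FakeSTS` stand-in can run it offline; the role ARN, ExternalId, session name and bucket are assumed placeholders, and a real run passes `boto3.client("sts")` instead.

```python
"""Steps 2-5 of the STS flow: trust policy, session policy, AssumeRole, short-lived credentials."""
import json
from datetime import datetime, timedelta, timezone

MIN_DURATION, MAX_DURATION = 900, 43200  # AssumeRole accepts 15 min up to the role's MaxSessionDuration (<= 12 h)


def build_trust_policy(trusted_principal_arn, external_id):
    """Step 2: only this principal may assume the role, and only when it presents the agreed
    ExternalId (the standard guard against a confused-deputy call through a third party)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def build_session_policy(bucket):
    """Inline session policy: the temporary credentials are capped at this even if the role allows more."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def assume_role(sts, role_arn, session_name, external_id, bucket, duration_seconds=3600):
    """Steps 3-4: ask STS for the role; returns kwargs suitable for boto3.Session(**creds)."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}-{MAX_DURATION}, got {duration_seconds}")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # recorded in CloudTrail, so make it identify the caller
        ExternalId=external_id,
        Policy=json.dumps(build_session_policy(bucket)),
        DurationSeconds=duration_seconds,
    )
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"], "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"], "expiration": c["Expiration"]}


def seconds_remaining(creds, now=None):
    """Step 5 helper: credentials are never persisted, so check expiry before each call and re-assume when low."""
    now = now or datetime.now(timezone.utc)
    return (creds["expiration"] - now).total_seconds()


class FakeSTS:
    """Constructed offline stand-in for boto3's STS client (not AWS code): records the request and
    returns placeholder credentials that expire after the requested DurationSeconds."""
    def assume_role(self, **kw):
        self.last_request = kw
        exp = datetime.now(timezone.utc) + timedelta(seconds=kw["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "ASIA-PLACEHOLDER", "SecretAccessKey": "placeholder-secret",
                                "SessionToken": "placeholder-token", "Expiration": exp}}
```

Against real AWS the same `assume_role` call works unchanged with a boto3 STS client, provided the role's trust policy matches what `build_trust_policy` produces for the calling principal.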
Company: Spacelift
Date published: June 14, 2023
Author(s): James Walker
Word count: 2304
Language: English