Table of Contents

  • Introduction
  • What is AWS Security Token Service (AWS STS)?
  • What is AWS STS used for and how do STS tokens work?
  • AWS STS Example
  • How do I enable AWS security token service?
  • How is it going to help organizations?
  • Related Resources

Understanding AWS Security Token Service: An Overview of AWS STS


Introduction

As organizations continue to move their operations to the cloud, security has become a top priority. To ensure the safety of their data and applications, companies are turning to services like the AWS Security Token Service (STS). AWS STS provides temporary security credentials to grant access to AWS resources for authenticated users without the need for creating new AWS identities or login credentials.


In this blog, we'll provide an overview of AWS STS and its benefits, as well as explore how it helps organizations enhance their security posture in the cloud.  


What is AWS Security Token Service (AWS STS)?

AWS Security Token Service (STS) is a web service that lets IAM users and trusted federated users request temporary security credentials for accessing AWS resources. These temporary credentials authenticate the caller and grant access to AWS resources for a limited time, typically up to an hour.

AWS STS can be accessed through various methods, such as the AWS Management Console, AWS SDKs, AWS CLI, and AWS API requests. This service offers an additional layer of security for AWS resources by enabling temporary credentials, which are valid for a limited time period. This ensures that access to AWS resources is restricted to authorized users only, thereby preventing unauthorized access and improving the overall security of AWS resources. 

The temporary security credentials provided by AWS STS work similarly to regular credentials allocated to IAM users, with the key difference being that the temporary credentials are short-term, while the regular credentials are long-term.  

What is AWS STS used for and how do STS tokens work?

When it comes to the management of security and access across large enterprise networks, AWS STS is an indispensable tool. Here are some of the uses of AWS STS and how it works: 

Identity Federation

Enterprise identity federation enables the use of AWS STS to authorize access to AWS resources for verified users within your corporate network. This eliminates the need to generate fresh AWS identities or mandate additional login details. External web identities can be authenticated through third-party online identity managers such as Google, Facebook, Amazon, or other compatible services. By implementing web identity federation, there is no longer a requirement to disseminate security credentials for extended AWS resource access. 

EC2 Instance STS Credentials

If your applications are running on an EC2 instance and require access to AWS resources, you can use AWS STS to grant temporary access credentials. By associating the EC2 instance with an IAM role, the app can request credentials that will be available to all apps hosted on the instance. This implies that there is no longer a need to store any permanent security credentials in the instance. 

Cross-Account Access using AWS STS

Many companies maintain multiple AWS accounts and use cross-account roles and IAM identities to allow users in one account to access resources in another. AWS STS enables the delegation of permissions to an IAM user, who can then request temporary credentials from AWS STS. When applications send API requests to the AWS STS endpoint, STS generates credentials on demand in response to each request. The credentials issued have a predetermined expiration time, but if authorized, users can request fresh credentials before they expire.
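The cross-account flow described above, as an added example that is not part of the original post: the caller assumes a role in a second account and re-requests credentials shortly before they expire. The role ARN is a constructed placeholder, the live `assume_role` call assumes boto3 is installed and the caller has credentials, and both the STS call and the clock are injectable so the refresh logic runs offline.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed example ARN for a role in a second account; not a real account.
TARGET_ROLE_ARN = "arn:aws:iam::111122223333:role/CrossAccountReadOnly"
MIN_DURATION_SECONDS = 900  # STS will not issue credentials shorter than 15 minutes


def assume_role_with_boto3(role_arn: str, session_name: str, duration: int) -> Dict:
    """Real AssumeRole call via boto3; needs the SDK and caller credentials."""
    import boto3  # imported lazily so the module also loads without the SDK
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


class RefreshingCredentials:
    """Caches STS credentials and re-assumes the role before they expire.

    `assume` and `now` are injectable so the refresh logic can be exercised
    offline with a stub instead of a live STS endpoint.
    """

    def __init__(self, role_arn: str, session_name: str,
                 assume: Callable[[str, str, int], Dict] = assume_role_with_boto3,
                 duration: int = MIN_DURATION_SECONDS, refresh_margin: int = 60,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        if duration < MIN_DURATION_SECONDS:
            raise ValueError("DurationSeconds must be at least 900 (15 minutes)")
        self.role_arn, self.session_name = role_arn, session_name
        self.assume, self.duration, self.now = assume, duration, now
        self.refresh_margin = timedelta(seconds=refresh_margin)
        self._creds: Optional[Dict] = None
        self.refresh_count = 0  # number of AssumeRole calls made so far

    def _expiring_soon(self) -> bool:
        return self._creds["Expiration"] - self.now() <= self.refresh_margin

    def get(self) -> Dict:
        """Return valid credentials, calling AssumeRole only when needed."""
        if self._creds is None or self._expiring_soon():
            self._creds = self.assume(self.role_arn, self.session_name, self.duration)
            self.refresh_count += 1
        return self._creds

    def env_vars(self) -> Dict[str, str]:
        """Map the credentials to the variables the AWS CLI and SDKs read."""
        c = self.get()
        return {"AWS_ACCESS_KEY_ID": c["AccessKeyId"],
                "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
                "AWS_SESSION_TOKEN": c["SessionToken"]}
```

Because the session token expires on its own, nothing long-lived is left in the environment once the process exits.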


AWS STS Example

With AWS STS, you can secure your AWS resources and control access to them. Here are a few examples of how AWS STS can be used in the real world: 

Transfer of Power

In some cases, web applications are built by external professionals rather than internal teams. Once the project is complete, these external parties will often hand over control of the application to the business. However, this transfer of ownership can be risky if proper precautions are not taken. AWS STS can be used in such cases to make sure that access to the application is granted in a secure and controlled manner. By using AWS STS, the business can modify the access credentials as they see fit, ensuring the highest level of security for their property. 

Threats of Corporate Espionage 

Corporate espionage is a very real threat in today's business environment, and securing sensitive information is a top priority for many organizations. AWS STS can be used in these cases to limit access to top-level executives, ensuring that only those who truly need access are able to access the information. By using AWS STS, businesses can easily track who has accessed the information, when, and from where. This can help quickly identify any security breaches and take action to mitigate the damage. 

These are a few examples of how AWS STS can be used to secure your AWS resources. To learn more about AWS cloud security and gain the skills needed to innovate with confidence, consider checking out "Build the AWS Cloud Security Skills to Innovate with Confidence," a free e-book from NetCom Learning for business decision-makers and individual professionals. 

By using AWS STS, you no longer have to embed long-term security credentials in your code, and expired temporary credentials cannot be reused, making your resources more secure. The lifetime of an STS token is chosen by the requester and can be anywhere from 15 minutes to 36 hours, providing flexibility and control over your access management.

How do I enable AWS security token service?

Enabling the AWS Security Token Service (STS) is a straightforward process that can be done through the AWS IAM console. Before you get started, make sure you're signed in as a user with IAM administrative privileges or a root user. 

If you want to activate AWS STS in a Region that is enabled by default, simply follow these steps: 

  • Open the IAM console and select "Account settings" from the navigation pane. 
  • In the "Security Token Service (STS)" section, under "Endpoints," locate the Region you want to configure and select "Active" or "Inactive" in the "STS status" column. 
  • A dialog box will appear. Choose "Activate" or "Deactivate" as per your requirement. 

For Regions that require enabling, AWS STS is activated automatically when you enable the Region. After you have enabled a Region, AWS STS remains active for that Region and cannot be deactivated. To learn more about enabling a Region, refer to the AWS General Reference guide on managing AWS Regions. 


How is it going to help organizations?

AWS Security Token Service (STS) is a powerful tool that helps organizations grant temporary, limited access to their AWS resources. By issuing short-lived security credentials, STS makes it easier to delegate access and ensure the security of sensitive data and applications. 

One of the key benefits of STS is that it simplifies access delegation through IAM roles. Rather than distributing long-term access keys to external parties or embedding them in applications, STS allows users to request temporary credentials on an as-needed basis. These credentials can be issued dynamically and expire after a short period of time, reducing the risk of unauthorized access and ensuring the security of sensitive resources. 

STS also helps AWS resource owners follow best practices in IAM by facilitating regular access key rotation. By automatically rotating keys on a regular basis, STS helps organizations keep their resources secure and minimize the risk of key compromise. 

In addition to its security benefits, STS can also help organizations improve their compliance posture by enabling more granular access controls and audit logging. With STS, organizations can easily track and audit access to their resources, making it easier to identify and address security issues. 

To help organizations take advantage of STS and other AWS security features, NetCom Learning offers a range of certification courses. The Security Engineering On AWS course provides a comprehensive overview of AWS security best practices, while the AWS Certified Security - Specialty certification validates technical skills and expertise in securing and hardening workloads on the AWS platform.
