AWS STS: Secure Temporary Credentials

The "Hall Pass" of the Cloud: Understanding AWS STS
If you’ve spent any time in AWS, you’ve seen the term STS (Security Token Service). It sounds like a boring background process, but it is actually the secret sauce that keeps professional AWS environments secure.
Many people get confused: "If I already have my IAM Access Keys, why do I need STS?"
The answer lies in the difference between who you are and what you are allowed to do right now.
The Analogy: The ATM Card vs. The Transaction
Think of your IAM Access Keys (Long-term) as your ATM Card. You keep it in your wallet for years. It represents your identity at the bank.
AWS STS is the Transaction Receipt/PIN check. Even if you have the card, the bank doesn’t let you walk into the vault. Instead, they give you a temporary "session" to perform one specific task.
In AWS, your long-term keys are used to ask STS for a Temporary Session. This session is like a "Hall Pass" - it has a countdown timer (usually 1 hour). When the timer hits zero, the pass becomes useless paper.
Why "Temporary" is Better Than "Permanent"
You might think, "If my session expires, I just use my keys to get a new one. What’s the point?" The point is Force-Multiplying Security:
The MFA Checkpoint: You can set a rule that says: "To get an STS session, you must provide an MFA code." Now, if a hacker steals your permanent keys, they are stuck. They can’t start a session because they don't have your phone.
The "Kill Switch": If an admin suspects your account is compromised, they can Revoke all active sessions in one click. Even if you have the permanent keys, STS will refuse to give you a new session.
Cross-Account Access: STS allows you to jump from a "Dev" account to a "Prod" account without needing a separate username and password for both. You "Assume a Role," do the work, and the access automatically vanishes after an hour.
Least Privilege: Your permanent user can have zero permissions. You only gain power when you request an STS session for a specific IAM Role. If your laptop is stolen while you're at lunch, the thief only has access to a "powerless" user once the session expires.
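As an added example (not code from the original post), here is what the MFA checkpoint, the cross-account hall pass and its countdown look like in practice: a Prod role's trust policy that only lets a Dev-account principal assume it from an MFA-authenticated session, a local check of that condition, a real STS AssumeRole call that supplies the MFA code, and a timer on the returned credentials. The account ids, role ARN and MFA serial are placeholders you would replace with your own.

```python
"""Added example, not the post's code: an IAM trust policy with the post's
"MFA checkpoint", a local check of that condition, the STS call that gets
the hall pass, and a countdown on it."""
from datetime import datetime, timezone

def mfa_trust_policy(dev_account_id: str) -> dict:
    """Trust policy for a Prod role: only principals from the Dev account may
    assume it, and only from an MFA-authenticated session (constructed example)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dev_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }

def would_sts_issue_session(policy: dict, caller_account: str, mfa_present: bool) -> bool:
    """Local approximation of the trust-policy decision: stolen long-term keys
    without the MFA device fail the Bool condition and get no session."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRole":
            continue
        if st["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if cond.get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        return True
    return False

def seconds_remaining(expiration: datetime, now: datetime) -> int:
    """Countdown on the hall pass: 0 means the credentials are useless paper."""
    return max(0, int((expiration - now).total_seconds()))

def assume_role_with_mfa(role_arn: str, mfa_serial: str, token_code: str,
                         duration: int = 3600) -> dict:
    """Use the long-term keys from the default credential chain plus the code
    from the MFA device to ask STS for a temporary session (default: 1 hour)."""
    import boto3  # imported here so the offline helpers above run without it
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="hall-pass",
        SerialNumber=mfa_serial, TokenCode=token_code, DurationSeconds=duration,
    )["Credentials"]
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey",
                                  "SessionToken", "Expiration")}
```

Calling assume_role_with_mfa("arn:aws:iam::222222222222:role/ProdAdmin", "arn:aws:iam::111111111111:mfa/you", "123456") returns the temporary keys and their Expiration; feed that Expiration to seconds_remaining to watch the hall pass run out.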
The Bottom Line
STS turns your static, dangerous permanent keys into dynamic, short-lived permissions. It ensures that every hour (or however long the admin defines), AWS stops and asks: "Are you still who you say you are? And are you still allowed to do this?"
It’s not an inconvenience; it’s a heartbeat check for your cloud security.
Happy Learning!
Amitabh Soni
