Simple Notification Service (SNS)
Kinesis + MQ
Databases & Analytics
Security Token Service (STS)
  • STS is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).
  • By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours.
    • But you can request a duration as short as 15 minutes or as long as 36 hours using the DurationSeconds parameter.

AssumeRole

  • Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
  • Typically, you use AssumeRole within your account or for cross-account access.

AssumeRoleWithSAML

  • Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
  • This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.

AssumeRoleWithWebIdentity

  • Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.
    • Example providers include Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
  • For mobile applications, AWS recommend that you use Amazon Cognito.

GetSessionToken

  • Returns a set of temporary credentials for an AWS account or IAM user for users who want to use MFA to protect programmatic calls to specific AWS API operations.
  • MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device.
  • Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication.
Last modified 10mo ago