🗝️

STS


Provides the ability to assume a role, and provides temporary credentials and identity federation

Temporary credentials are valid for 15m - 12h, using the AssumeRole API

Ability to revoke active sessions and credentials for a role using the AWSRevokeOlderSessions policy

💡
When you assume a role you give up your original permissions and take on those of the role

“Zone of trust” includes accounts that you own; outside the “zone of trust” = 3rd party entity

👩🏻‍🍳
Use IAM Access Analyzer to find exposed resources

To provide access to a 3rd party entity, define an External ID and define permissions using an IAM policy
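
A check for the External ID requirement above, as an added example (not part of the original notes): it flags role trust policies that let an account outside the zone of trust call sts:AssumeRole without an sts:ExternalId condition. The account IDs, role names, External ID value and policies are constructed samples.

```python
# Added example: constructed account IDs and trust policies, not from the notes.
ZONE_OF_TRUST = {"111111111111", "222222222222"}  # accounts you own (assumed)
ASSUME = {"sts:assumerole", "sts:*", "*"}  # actions that permit AssumeRole

def trust(account, condition=None):
    """Build a sample role trust policy for one AWS account principal."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

TRUST_POLICIES = {
    "vendor-with-external-id": trust(
        "999999999999", {"StringEquals": {"sts:ExternalId": "example-external-id"}}),
    "vendor-missing-external-id": trust("999999999999"),
    "internal-cross-account": trust("222222222222"),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_accounts(stmt):
    """Account IDs of the statement's AWS principals ("*" means anyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    # An AWS principal is "*", a bare account ID, or an ARN with the account in field 5.
    return [p.split(":")[4] if p.startswith("arn:") else p
            for p in as_list(principal.get("AWS", []))]

def has_external_id(stmt):
    """True if a StringEquals condition pins sts:ExternalId (key is case-insensitive)."""
    keys = stmt.get("Condition", {}).get("StringEquals", {})
    return any(k.lower() == "sts:externalid" for k in keys)

def roles_missing_external_id(policies, zone_of_trust):
    """Roles assumable from outside the zone of trust with no ExternalId condition."""
    flagged = []
    for name, doc in policies.items():
        for stmt in as_list(doc["Statement"]):
            actions = {a.lower() for a in as_list(stmt.get("Action", []))}
            outside = [a for a in principal_accounts(stmt) if a not in zone_of_trust]
            if (stmt.get("Effect") == "Allow" and actions & ASSUME
                    and outside and not has_external_id(stmt)):
                flagged.append(name)
                break
    return flagged

if __name__ == "__main__":
    print(roles_missing_external_id(TRUST_POLICIES, ZONE_OF_TRUST))
```
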

Session tags - to limit who can assume the role based on specific tags (dependent)

STS APIs: