AWS STS - Security Token Service

• Alternative to AWS SDKs
• Regional endpoint and global endpoint both avaiable
• automatically enabled
• support aws colud trail → audio pocliecs , 90일 보관?

STS to Assume a role

• define which principals can access this IAM Role
• temporary crendtials valid 15 min ~ 12 hour
• AssumeRoleAPI
  • access to account that you own
    • doing this wit the AWS Management Console, CLI, API
    • MFA Available
  • access to accounts owned by third parties
    • use IAM Access Analyzer to find out which resources are exposed
    • AN External ID(ONLY between you and third party)
      • without it the user can not distinguish its request from AWS or other else.
  • access services offered by AWS to AWS resources
  • access for externally authenticated users

Session Tags in STS

• pass when you assume an IAM role or federate user in STS
• aws:PrintcipalTag Condition
  • “StringEquals” { “aws:PrincipalTag/Department”:”hr”}

STS Importat APIs

• AssumeRole : access a role within your account of cross-account
• AssumeRoleWIthSAML
• AssumeRoleWithWebidentity → recommended Conginto instead
• GetSessionToken : for MFA
• GetFederationToken :proxy app distribute credit inside network