AWS likes to say, “Security Is the Most Important Thing For Us”, and it means it! Thanks to its network architecture, data centers, and strong security services, AWS can meet the needs of even security-sensitive organisations.
AWS Identity and Access Management (IAM) is the core security service that controls who can access AWS resources. IAM manages authentication and controls AWS users and their permissions.
Two authentication methods are widely used in the IT industry: sessions and tokens. Token-based authentication generates a single encrypted token, which the client then presents to authenticate the user.
AWS recommends using temporary credentials instead of long-term credentials. For example, you can create an IAM user and generate long-term access keys that are stored with that user. Temporary credentials are different: they are created dynamically when the user requests them, they are valid for a maximum of 36 hours, and once they expire they cannot be used to authenticate any request to AWS.
But how can a user request temporary credentials? This is where AWS STS comes in.
AWS Security Token Service (AWS STS) is the AWS service that issues temporary credentials to principals that assume roles. It lets IAM users and federated users request temporary credentials. STS issues a short-lived session token, and you then use that token (together with its access key pair) to access AWS resources.
What is AWS Security Token Service (STS)?
AWS Security Token Service is an AWS service that lets you request temporary security credentials for your AWS resources. It can be used for IAM users or for users you authenticate yourself, such as federated users. AWS STS integrates with AWS IAM, AWS’ Identity and Access Management service, and it can be used as both a global and a regional service.
STS grants trusted users temporary access to resources via an API call, your AWS console, or the AWS command-line interface (CLI).
Temporary security credentials work the same way as the regular long-term access key credentials assigned to IAM users, but their life cycle is much shorter.
By default, AWS STS is available as a global service, and all STS requests are sent to the global endpoint at https://sts.amazonaws.com. Global requests map to the US East (N. Virginia) Region. AWS also allows you to send STS requests to any AWS Region you choose, and it actually recommends using the Regional AWS STS endpoints instead of the global one.
Why do we use STS?
Temporary credentials from AWS STS have several advantages over long-term credentials:
- Users can access AWS resources without needing to create an AWS identity. Temporary credentials can be used to establish roles or identity federation.
- It is unnecessary to embed or distribute long-term AWS security credentials in an application.
- Temporary security credentials are only valid for a short time, so you do not have to rotate them or explicitly revoke them when they are no longer needed. They cannot be reused after they have expired, and you can specify the maximum time for which they stay valid.
How does AWS STS work?
By default, AWS Security Token Service (AWS STS) is used as a global service, and all AWS STS requests go to one endpoint – https://sts.amazonaws.com. AWS recommends using the Regional AWS STS endpoints rather than the global one to reduce latency, build in redundancy, and increase the validity of your session tokens.
When you activate an STS endpoint in a Region, users and roles in your account can send STS requests to that endpoint and receive temporary credentials from it.
Those credentials can then be used in any Region that is enabled, whether by default or manually, as long as the Region is activated in the account that generated them. It does not matter whether the user is signed in to the same account as the requester or to another account.
Now, here are three simple steps to get temporary credentials with AWS STS:
- Activate a Region (this is optional)
- Use AWS STS to get temporary credentials
- Finally, access AWS resources using the temporary credentials generated by AWS STS
Since activating a region is optional, I will use AWS STS to get temporary credentials directly.
Use AWS STS to get temporary credentials
Create an AWS STS client object (the snippets below use the AWS SDK for Java v1; the endpoint and signing region are placeholders you replace with the Regional values you want):
AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard()
        .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("sts-endpoint.amazonaws.com", "signing-region"))
        .build();
Next, create a GetSessionTokenRequest object, set the duration for which the temporary credentials will be valid, and call getSessionToken to obtain the credentials:
GetSessionTokenRequest session_token_request = new GetSessionTokenRequest();
session_token_request.setDurationSeconds(3600); // valid for 1 hour (3600 seconds)
Credentials session_creds = sts_client.getSessionToken(session_token_request).getCredentials(); // temporary access key, secret key and session token
Access AWS resources using the temporary credentials generated by AWS STS
Once the credentials are generated, you can use them to access AWS resources. Let’s use the temporary credentials to create an S3 client:
BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
session_creds.getAccessKeyId(),
session_creds.getSecretAccessKey(),
session_creds.getSessionToken());
AmazonS3 s3 = AmazonS3ClientBuilder.standard()
.withCredentials(new AWSStaticCredentialsProvider(sessionCredentials))
.build();
Now, this will allow us to make Amazon S3 requests by using AmazonS3 objects.
So, that’s how AWS STS works.
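Because temporary credentials stop working the moment they expire, any long-running process that uses them needs to refresh before expiry rather than at it. The following is an added example in Python rather than the article’s Java, and it is not code from the article or from AWS. The STS call is injected as a callable so the logic runs offline; in production you would pass something like `lambda s: boto3.client("sts").get_session_token(DurationSeconds=s)`. The `FakeSts` class and every credential value it returns are constructed, and the five-minute refresh margin is an assumption; the response dictionary shape (`Credentials` with `AccessKeyId`, `SecretAccessKey`, `SessionToken`, `Expiration`) matches the GetSessionToken response, and the 900 s to 129600 s limits are the ones for GetSessionToken called by an IAM user.

```python
"""Refresh temporary STS credentials before they expire (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional

# GetSessionToken limits for an IAM user: 900 s (15 min) up to 129600 s (36 h).
MIN_DURATION_SECONDS = 900
MAX_DURATION_SECONDS = 129_600


def duration_is_valid(seconds: int) -> bool:
    """True if DurationSeconds is inside the range STS accepts for GetSessionToken."""
    return MIN_DURATION_SECONDS <= seconds <= MAX_DURATION_SECONDS


class TemporaryCredentialCache:
    """Hands out one set of temporary credentials and refreshes them shortly
    before expiry, so callers never present a credential STS has invalidated."""

    def __init__(self, fetch: Callable[[int], Dict[str, Any]], duration_seconds: int = 3600,
                 refresh_margin: timedelta = timedelta(minutes=5),  # assumed margin
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        if not duration_is_valid(duration_seconds):
            raise ValueError(f"DurationSeconds must be {MIN_DURATION_SECONDS}..{MAX_DURATION_SECONDS}")
        self._fetch = fetch            # e.g. boto3 sts.get_session_token wrapped in a lambda
        self._duration = duration_seconds
        self._margin = refresh_margin
        self._clock = clock
        self._creds: Optional[Dict[str, Any]] = None
        self.refresh_count = 0         # how many times STS was actually called

    def needs_refresh(self) -> bool:
        if self._creds is None:
            return True
        # Refresh once inside the margin, not at the exact expiry instant.
        return self._clock() >= self._creds["Expiration"] - self._margin

    def get(self) -> Dict[str, Any]:
        if self.needs_refresh():
            self._creds = self._fetch(self._duration)["Credentials"]
            self.refresh_count += 1
        return self._creds


class FakeSts:
    """Constructed stand-in for sts.get_session_token that shares a movable clock."""

    def __init__(self, start: datetime) -> None:
        self.now = start
        self.calls = 0

    def get_session_token(self, duration_seconds: int) -> Dict[str, Any]:
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.calls:04d}",          # constructed value
            "SecretAccessKey": "constructed-secret-key",              # constructed value
            "SessionToken": f"constructed-session-token-{self.calls}",
            "Expiration": self.now + timedelta(seconds=duration_seconds),
        }}


def demo() -> Dict[str, Any]:
    """Walk the clock through one credential lifetime and report what happened."""
    sts = FakeSts(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))
    cache = TemporaryCredentialCache(sts.get_session_token, duration_seconds=3600,
                                     clock=lambda: sts.now)
    first = cache.get()                 # first use: STS is called
    again = cache.get()                 # same instant: cached credentials reused
    sts.now += timedelta(minutes=56)    # now inside the 5-minute margin before 13:00
    rotated = cache.get()               # STS is called again, new session token
    return {"first": first, "again": again, "rotated": rotated,
            "sts_calls": sts.calls, "refreshes": cache.refresh_count}


if __name__ == "__main__":
    result = demo()
    print("STS calls:", result["sts_calls"])
    print("rotated token:", result["rotated"]["SessionToken"])
```

The same wrapper works for AssumeRole responses, which return the same `Credentials` shape; the injected callable is the only thing that changes.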
What is the difference between AWS STS and Cognito?
AWS STS and Amazon Cognito are both Amazon Web Services (AWS) offerings that let users authenticate and gain access to AWS resources, but they serve different purposes. Cognito is the best option when you are building a mobile app or syncing user data across multiple devices.
AWS STS allows you to request temporary, restricted-privilege credentials from IAM (Identity and Access Management) or users you authenticate (such as federated users).
STS is a temporary access method that gives you short-term access to AWS services and lets you manage access to AWS resources. The temporary credentials STS issues expire after a set period and are used for temporary authentication. They are typically used to grant access to AWS resources from an application or system running outside AWS.
Amazon Cognito, on the other hand, is a service that provides authentication, authorization and user management for web and mobile apps. It manages sign-ups, sign-ins, and access control for mobile and web applications.
Cognito was designed for app developers. It lets them manage user authentication and authorization without building and maintaining their own user management infrastructure.
AWS STS allows you to obtain temporary credentials for access control and authentication. Amazon Cognito, on the other hand, manages user access control and authentication for mobile and web applications.
What is the difference between IAM and STS?
AWS IAM (Identity and Access Management) and AWS STS (Security Token Service) are two AWS services that can be used to manage access to AWS resources. However, they serve different purposes.
You can control access to AWS resources in your organization using AWS IAM. AWS IAM allows you to create and manage users, groups and roles. You can also set permissions to restrict access to AWS resources.
IAM is used to manage permanent access where users are granted long-term access and access can be controlled by policies that can be changed at any time.
STS allows you to request temporary credentials for AWS accounts without creating an IAM user. These credentials are created on demand, so you don’t need to put access keys into environment variables or configuration. Because they are temporary, you don’t need to rotate them or remove them when they are no longer required. STS also supports federation, which lets you grant access to AWS resources to users who are not managed by your AWS account.
Examples are users from a corporate directory or a social identity provider. Federation lets such users log in with their existing credentials, simplifies user management, and reduces administrative overhead. The temporary security credentials can then be used to securely access other AWS services such as Amazon EC2, Amazon S3 and AWS Lambda.
So, you can use AWS IAM to manage and control long-term access to your AWS resources. And you can use AWS STS for temporary authentication and access.
What makes AWS STS more secure?
AWS STS has several features that make it very secure:
- Limited lifetime: AWS STS temporary credentials expire after a set period. This minimizes the window for unauthorised access, because credentials that have passed their expiry time are simply invalid.
- Integration with other AWS services: AWS STS integrates with other AWS services, such as Amazon S3, Amazon EC2, and AWS Lambda. This lets you access those services securely with temporary credentials, without handing out permanent credentials that could be compromised.
- Federated access: AWS STS supports federation, which lets you grant access to AWS resources to users who are not part of your AWS account. Users log in with their existing credentials, which simplifies user management and reduces administrative overhead.
- Granular access control: AWS STS lets you issue temporary credentials to users and applications that are valid only for specific AWS resources or permissions. This limits access to only the resources that the user or application actually requires.
- Auditability: AWS STS activity is recorded in detailed audit logs that let you track access requests and how temporary credentials are used. This lets you audit and monitor access to your AWS resources and detect and respond to security incidents.
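As an added example of the auditability and limited-lifetime points above (this is not code from the article or from AWS), the Python below runs simple detection logic over constructed CloudTrail-style records of STS calls: it baselines which STS APIs are being called and flags role sessions that exceed an assumed duration ceiling or that assume a sensitive role from outside an assumed trusted network. The log lines, the account id 123456789012, the role names, the trusted network and the thresholds are all constructed or assumed; the field names used (`eventSource`, `eventName`, `awsRegion`, `sourceIPAddress`, `userIdentity.arn`, `requestParameters.roleArn` and `requestParameters.durationSeconds`) are the real CloudTrail ones.

```python
"""Audit STS activity in CloudTrail records (added example, constructed data)."""
import ipaddress
import json
from collections import Counter
from typing import Any, Dict, List

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]        # assumed corporate egress range
SENSITIVE_ROLES = {"arn:aws:iam::123456789012:role/AdminRole"}     # assumed; account id is a placeholder
MAX_DURATION_SECONDS = 3600                                         # assumed ceiling for role sessions

# Constructed CloudTrail-style records, one JSON object per line as in a log export.
CONSTRUCTED_LOG = """
{"eventTime": "2024-01-01T12:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"durationSeconds": 3600}}
{"eventTime": "2024-01-01T12:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole", "roleSessionName": "alice-admin", "durationSeconds": 43200}}
{"eventTime": "2024-01-01T12:07:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.22", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc123"}, "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AppRole", "roleSessionName": "app", "durationSeconds": 900}}
{"eventTime": "2024-01-01T12:09:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}}
"""


def parse_records(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def sts_records(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only calls to the STS API; everything else is noise for this check."""
    return [r for r in records if r.get("eventSource") == "sts.amazonaws.com"]


def summarize(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count STS calls by API name, a quick baseline of what 'normal' looks like."""
    return dict(Counter(r["eventName"] for r in sts_records(records)))


def is_trusted_source(source: str) -> bool:
    """True if the source IP lies in a trusted network. CloudTrail can also put a
    service name (e.g. an AWS service principal) in sourceIPAddress; that is not
    an IP and is treated as untrusted here so it gets a human look."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def sts_findings(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Flag long sessions and sensitive-role assumption from untrusted sources."""
    findings: List[Dict[str, str]] = []
    for r in sts_records(records):
        params = r.get("requestParameters") or {}
        base = {"principal": r.get("userIdentity", {}).get("arn", "<unknown>"),
                "event": r["eventName"], "time": r.get("eventTime", "")}
        duration = params.get("durationSeconds")
        if duration is not None and duration > MAX_DURATION_SECONDS:
            findings.append({**base, "reason": "long_session",
                             "detail": f"durationSeconds={duration} > {MAX_DURATION_SECONDS}"})
        role = params.get("roleArn")
        source = r.get("sourceIPAddress", "")
        if role in SENSITIVE_ROLES and not is_trusted_source(source):
            findings.append({**base, "reason": "untrusted_source",
                             "detail": f"{role} assumed from {source}"})
    return findings


if __name__ == "__main__":
    recs = parse_records(CONSTRUCTED_LOG)
    print("STS calls by API:", summarize(recs))
    for finding in sts_findings(recs):
        print(finding)
```

Real deployments would feed this from CloudTrail exports or an Athena query rather than an inline string, and the thresholds would come from the organisation’s own session-duration policy; the point is that every STS call, including the role, requested duration and source, is in the trail to be checked.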
How does ROSA use STS?
ROSA (Red Hat OpenShift Service on AWS) is an OpenShift managed service that uses AWS STS to allow access to AWS resources required by the OpenShift platform.
- AWS STS is used when you create a ROSA cluster to generate temporary AWS access credentials for OpenShift. These temporary credentials grant access to the AWS resources required to deploy, scale and operate the OpenShift platform.
- ROSA uses STS for worker nodes in the OpenShift cluster to gain access to AWS resources. It creates temporary credentials that worker nodes can use to access AWS resources like Amazon EC2 instances or Amazon EBS volumes.
- ROSA uses AWS STS to allow secure and precise access to AWS resources required by OpenShift. ROSA provides security and minimizes risk by using temporary credentials that can be used to access specific resources.
What are the different “options” (credential methods) to deploy ROSA?
ROSA can be deployed using different credential methods that allow you to authenticate and authorize access to your AWS resources. The available options for deploying ROSA include:
- AWS Identity and Access Management (IAM): With this method, you can use an AWS IAM user to authenticate and authorize access to AWS resources. This option requires you to create an IAM user with the necessary permissions to deploy and manage ROSA, and then use the IAM user’s access key and secret access key to authenticate your ROSA deployment.
- AWS STS (Security Token Service): When deploying a ROSA cluster, you can use AWS STS to generate temporary AWS access credentials for the OpenShift cluster. This lets cluster components make AWS API requests following secure cloud resource management practices. To create the IAM roles and policies as well as the identity provider resources for ROSA clusters using STS, you can use the rosa CLI. The rosa CLI manages STS credentials for specific tasks and acts on AWS resources as part of OpenShift functionality.
You can use auto mode to create a ROSA cluster with STS. First, create the account roles.
rosa create account-roles --mode auto
Then create the ROSA cluster with AWS STS.
rosa create cluster --cluster-name <cluster_name> --sts --mode auto
Finally, you can check the cluster status using the command below.
rosa describe cluster --cluster <cluster_name|cluster_id>
So, that was all about AWS STS (Security Token Service) that you must know. I hope you found this article helpful. Go ahead, use AWS STS, and generate temporary credentials to access AWS resources securely and with ease.