Security Token Service, Temporary Security Credentials for AWS
It has been noted that AWS Security Token Service (STS) has now been activated by default to all AWS regions which previously was not the case. Security of applications and services is most important and this default service, pushed out to all regions, will aid in supporting the security battle organisations are challenged by daily.
To interact with AWS, AWS security credentials are required. The credentials verify identity and verify whether the user has permission to access the resources being requested. Thus security credentials are used to authenticate and authorise calls that are made to AWS.
The importance of AWS credential security should not be undervalued. The credentials are the keys to all your AWS resources and services and they must remain secure. It is necessary on occasions, for business function, that individuals who may not ordinarily need access to these credentials, to acquire access and this is often the case with regards to devops. In such circumstances (amongst others) the use of temporary credentials can be very useful and an effective way to limit risk and offer temporary access credentials with limited privileges over limited time.
AWS Security Token Service is a service for temporary security credentials for use with AWS applications and services. This AWS security best practice is effective for temporary access delegation to AWS resources and services and furthermore the recent global availability by default can also improve resiliency and reduce latency through the utilisation of the STS endpoint in closer proximity to you.
Identity and Access Management (IAM)
IAM, Identity and Access Management, enables the management of the AWS long-term credentials for IAM users, these include Passwords, Access Keys and Key pairs. Additionally, IAM enables the issuing of temporary credentials for the access to AWS resources which is useful for those times when temporary access is required, which is more often than not.
There are three steps involved in using STS:
- Choose to activate a region
- Retrieve temporary security credentials from STS
- Utilise the credentials to access AWS resources
Common use cases for STS
Temporary credentials are beneficial in situations that involve identity federation, delegation, cross-account access, and IAM roles and can be used to access most AWS services.
Use cases may include:
- Applications running on Amazon EC2 instances that require access to AWS resources
Applications that run on an Amazon EC2 instance may need access to the AWS resources and access credentials are necessary to achieve this. Temporary credential provisioning (STS) removes the challenge of credential distribution to enable these various functions and also removes the management and security qualms associated with it. The temporary credentials can be provided to the instances when launched.
- Access to multiple accounts (cross-account access)
For resource management in AWS you might use multiple AWS accounts, perhaps to isolate different departments. This does not mean that users from one account will only need the resources from that account but might occasionally need to access resources from another account that they ordinarily do not access. Instead of giving users multiple identities, an identity for each account they may need to access, it is simpler to manage credentials and more secure to use STS in these circumstances instead.
- Identity federation for non AWS users whose identities can be authenticated
Users may have identities exterior to AWS but may still need to work with AWS applications and resources and thus will require AWS credentials to do this. Temporary credentials make this simple to manage and achieve securely. The user identities can be managed in an external system outside of AWS and users can be allowed access to sign in from these external systems to access AWS resources and undertake AWS functions.
Benefits attributed to the use of STS
Many use cases exist for STS (some were deliberated above) moreover STS allows organisations to extend benefits beyond only ‘temporary credentials’ function. These temporary credentials enable organisations to improve their security posture and reduce security risk, both highly beneficial attributes as STS supports the principle of least privileges, a principle that is highly recommended to improve security no matter your environment, processes or compute infrastructure and services utilised.
Utilising AWS STS for all users can greatly improve security. The least privilege approach to security, whereby users are only given the minimum permissions that they require to be able to achieve their business tasks, is supported by STS. With STS, roles can be demarcated and only the permissions needed to carry out those roles permitted to users.
User access to AWS resources can be provided without the need to define an AWS identity for them and the temporary credentials form the basis for the roles and the identity federation.
A further benefit is the uniformity that STS encourages through the establishment of roles allowing multiple users, irrespective of source, to assume the same role and operate under the same granted permissions. Control and management has been made so much simpler. The ability to assume roles with precise permissions to only accomplish a specific task allows users who would ordinarily not undertake that role to assume the role when needed but permissions are limited to that role so users do not need to be given privileges across entire systems and thus reducing security risk. Thereby following the least privilege principle for improving security.
This benefits developers especially as they are often required to access numerous parts of the environment during the application development cycle.
The temporary credentials alleviate the requirement to manage, circulate or embed long-term AWS security credentials for applications.
The credentials have a limited validity and don’t require rotation or revocation as they will expire after the lifespan is reached (which can be chosen by the organisation) and furthermore the expired credentials are not reusable.
How does it work
AWS issues the credentials in one of two ways, either by providing a token from an Identity federation or providing credentials through an authenticated IAM user. subsequently AWS STS generates the temporary credentials following a request from a user to assume a role. The credentials can be set-up to last for up to an hour or less than an hour, as required (the default is set to an hour). The authentication of users before credentials are generated and used adds to the layered security. The role can be further secured through multi-factor authentication (MFA).
The temporary credentials are generated dynamically and provided when requested but they are never stored with the user.
Management and Monitoring
The availability of temporary credentials used with IAM roles relieves the challenge of having to manage long-term credentials and IAM users every time access to a resource is required. STS also supports reporting through AWS CLoudTrail so that the organisation remains aware of what requests are made to STS, by whom and when the request was initiated.
This feature is a powerful and versatile feature that is beneficial to many hosting applications on the AWS platform. The AWS STS service is a very useful service with numerous use cases and benefits for the organisation utilising it. The service supports security in depth. AWS STS is suggested as an AWS security best practice and when utilised as stipulated by AWS can be efficient at helping to manage access to and securing the very important AWS credentials. It is likely that this feature will become de facto for anyone hosting in AWS.