STS

Allows to assume roles across different accounts or same accounts
Generates temporary credentials (sts:AssumeRole*)
Temporary credentials are similar to access key. They expire and they don't directly belong to the identity which assumes the role
Temporary credentials usually provide limited access
Temporary credentials are requested by another identity (AWS or external - identity federation)
Temporary credentials include the following:
- AccessKeyId: unique ID of the credentials
- Expiration: date and time of credential expiration
- SecretAccessKey: used to sign the requests to AWS
- SessionToken: unique token which must be passed with all the requests to AWS
STS allows us to enable identity federation

Assume a Role with STS

Define an IAM role within an account or cross-account
Define which principals can access the IAM role
Use the AWS STS (Secure Token Service) to retrieve the IAM role we have access to (AssumeRole API)
Temporary credentials can be valid between 15 minutes to 1 hour

Trust policy: specifies who can assume a role
Roles can be assumed by many identities
Everybody who assumes a role, gets the same set of permissions
Temporary credentials can not be cancelled, they are valid until they expire
Temporary credentials can last for longer time
In case of a credential leak if we change the permissions for the policy, we will affect all legitimate users - not a good idea for revoking access
Solution:
- Revoke all existing sessions, by applying an AWSRevokeOlderSessions inline policy to the role. This will apply to all existing sessions, sessions created afterwards will not be affected
- We can not manually revoke credentials!