AssumeRole and the Session Lifetime
Learn how a principal trades its identity for role permissions.
Trading Identity for Permissions
The AssumeRole operation lets a principal temporarily exchange its own identity for a role's permissions. The result is a time-bounded session. Controlling how long that session lasts, and how its permissions are scoped, is a frequent SCS-C02 topic because session lifetime directly affects security exposure.
The Assumed-Role Session
After AssumeRole succeeds, the caller operates as an assumed-role session, identified by an ARN like arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName. For the duration of the session, the caller has the role's permissions instead of its original ones. The session name you pass is preserved for auditing.
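As an added example (not part of the original lesson), the Python below splits the session ARN shown above and flags AssumeRole records whose requested lifetime exceeds a chosen limit. The CloudTrail-style records are constructed and trimmed to the fields used; the account ID, role names, session names and the max_seconds threshold are assumptions, and 3600 seconds is the STS default when no duration is requested.

```python
import re

# Session ARN shape from the lesson: arn:aws:sts::ACCOUNT:assumed-role/Role/Session
ASSUMED_ROLE_ARN = re.compile(
    r"arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)",
    re.ASCII,
)
DEFAULT_DURATION = 3600  # seconds; STS default when no duration is requested


def parse_session_arn(arn):
    """Split an assumed-role session ARN into account, role and session name."""
    m = ASSUMED_ROLE_ARN.fullmatch(arn)
    if m is None:
        raise ValueError(f"not an assumed-role session ARN: {arn!r}")
    return m.groupdict()


def review_assume_role_events(events, max_seconds):
    """Return one finding per successful AssumeRole record whose requested
    lifetime exceeds max_seconds, attributed by role and session name."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole" or "errorCode" in ev:
            continue  # other API calls and failed attempts create no session
        params = ev.get("requestParameters") or {}
        requested = params.get("durationSeconds", DEFAULT_DURATION)
        ident = parse_session_arn(ev["responseElements"]["assumedRoleUser"]["arn"])
        if requested > max_seconds:
            findings.append({**ident, "requested_seconds": requested})
    return findings


# Constructed sample records: account ID, role and session names are made up.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy",
                           "roleSessionName": "ci-build-481",
                           "durationSeconds": 43200},
     "responseElements": {"assumedRoleUser": {
         "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci-build-481"}}},
    {"eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ReadOnly",
                           "roleSessionName": "alice"},
     "responseElements": {"assumedRoleUser": {
         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice"}}},
]
```

With a one-hour limit, only the 12-hour Deploy session is reported, and the finding carries the session name so the request can be traced to its caller.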