How STS Issues Temporary Credentials
Understand the security token service behind every role.
The Token Service
The Security Token Service (STS) is the AWS service that issues temporary security credentials. Every time a role is assumed or an identity is federated, STS hands out short-lived credentials instead of permanent keys. Understanding STS is central to the exam because temporary credentials underpin nearly all secure access patterns on AWS.
What Temporary Credentials Are
STS credentials consist of three parts: an access key ID, a secret access key, and a session token. The session token is what distinguishes them from long-term keys; it must accompany every signed request. All three expire together after a defined lifetime, making the credentials self-limiting.
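The three-part structure and shared expiry described above, as an added example that is not part of the original lesson. It assumes the `Credentials` JSON shape printed by `aws sts assume-role`; the sample values and all function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the JSON that `aws sts assume-role` prints.
# Every value is made up for this example; none is a real credential.
SAMPLE_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "constructed-secret-value",
    "SessionToken": "constructed-session-token",
    "Expiration": "2030-01-01T12:00:00Z",
}})

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def parse_sts_credentials(raw):
    """Return the Credentials dict, rejecting a set that lacks any part."""
    creds = json.loads(raw)["Credentials"]
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise ValueError(f"incomplete temporary credentials: {missing}")
    return creds


def seconds_remaining(creds, now):
    """Lifetime left for all three parts, which expire together."""
    exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return max(0, int((exp - now).total_seconds()))


def session_token_header(creds, now):
    """Header that carries the session token on each signed request."""
    if seconds_remaining(creds, now) == 0:
        raise ValueError("credentials expired; request a new set from STS")
    return {"X-Amz-Security-Token": creds["SessionToken"]}


def key_type(access_key_id):
    """Classify by documented prefix: ASIA is STS-issued, AKIA is long-term."""
    kinds = {"ASIA": "temporary", "AKIA": "long-term"}
    return kinds.get(access_key_id[:4], "unknown")


if __name__ == "__main__":
    c = parse_sts_credentials(SAMPLE_RESPONSE)
    now = datetime.now(timezone.utc)
    print(key_type(c["AccessKeyId"]), seconds_remaining(c, now), "seconds left")
```

The `key_type` check is useful when auditing configuration files or logs: an `AKIA` key where a role session was expected means a long-term key is in use.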