The AWS Security Token Service (STS) is an Amazon Web Services (AWS) service that enables an IT administrator to grant trusted users temporary, limited-privilege credentials for public cloud resources.
The AWS Security Token Service accepts an authenticated identity from AWS Identity and Access Management (IAM) or from a third-party identity provider, such as Microsoft Active Directory, and issues short-term credentials for end users that are valid for anywhere from minutes to hours. Once the credentials expire, AWS rejects API requests that present them, but an end user can request new credentials before or upon expiration. The service generates credentials dynamically, as they are needed.
An administrator can use the AWS Security Token Service to distribute temporary credentials with an expiration time. This ad hoc access removes the need for an admin to distribute long-term credentials that must be managed within AWS IAM.
An information technology (IT) team can use the AWS Security Token Service together with identity federation to authenticate a user through an on-premises or third-party identity management system. This lets an enterprise authenticate a user on its own network and grant AWS access through single sign-on. The service also supports Security Assertion Markup Language (SAML) 2.0, which allows an administrator to integrate Microsoft Active Directory Federation Services so that users are verified against the directory.
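The expiry-and-renewal behaviour described above is what client code has to handle in practice: credentials returned by STS carry an `Expiration` timestamp, and a long-running process must fetch a fresh set before that moment rather than wait for AWS to start rejecting its calls. The following is an added example, not code from the page or from AWS, of a small credential holder that does exactly that. The `boto3` call inside `make_sts_issuer` (the `assume_role` API with `RoleArn`, `RoleSessionName` and `DurationSeconds`) is the real STS client call; `make_sts_issuer`, `make_simulated_issuer`, `RefreshingCredentials` and `ManualClock` are names chosen for this example, and the simulated issuer hands out constructed, obviously fake credential values so the logic can be exercised offline. The duration bounds (900 seconds to 12 hours) are STS limits; a role's own maximum session duration may be lower.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional

# Shape of the "Credentials" member of an STS AssumeRole response:
# AccessKeyId, SecretAccessKey, SessionToken and a timezone-aware Expiration datetime.
Credentials = Dict[str, Any]

MIN_DURATION = 900          # STS refuses DurationSeconds below 15 minutes
MAX_DURATION = 12 * 3600    # and above 12 hours; the role's MaxSessionDuration may cap it lower


def validate_duration(duration_seconds: int) -> int:
    """Reject session lengths STS would refuse, so the mistake surfaces before any network call."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError(
            f"DurationSeconds must be between {MIN_DURATION} and {MAX_DURATION}, got {duration_seconds}"
        )
    return duration_seconds


def seconds_remaining(creds: Credentials, now: datetime) -> int:
    """Seconds until the credential set expires; negative once AWS would already reject it."""
    return int((creds["Expiration"] - now).total_seconds())


def make_sts_issuer(role_arn: str, session_name: str, duration_seconds: int = 3600) -> Callable[[], Credentials]:
    """Return a callable that asks the real STS for fresh role credentials (needs boto3 and AWS access)."""
    validate_duration(duration_seconds)

    def issue() -> Credentials:
        import boto3  # imported lazily so this module loads without boto3 installed
        sts = boto3.client("sts")
        response = sts.assume_role(
            RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration_seconds
        )
        return response["Credentials"]

    return issue


def make_simulated_issuer(duration_seconds: int, clock: Callable[[], datetime]) -> Callable[[], Credentials]:
    """Offline stand-in for STS: returns constructed, clearly fake credentials with a real expiry."""
    validate_duration(duration_seconds)
    counter = {"n": 0}

    def issue() -> Credentials:
        counter["n"] += 1
        return {
            "AccessKeyId": f"ASIAEXAMPLE{counter['n']:04d}",        # constructed sample value
            "SecretAccessKey": "EXAMPLE-SECRET-NOT-A-REAL-KEY",      # constructed sample value
            "SessionToken": f"EXAMPLE-SESSION-TOKEN-{counter['n']}",  # constructed sample value
            "Expiration": clock() + timedelta(seconds=duration_seconds),
        }

    return issue


class ManualClock:
    """Controllable clock so the refresh logic can be tested without waiting for real time to pass."""

    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time

    def __call__(self) -> datetime:
        return self.now

    def advance(self, seconds: int) -> None:
        self.now += timedelta(seconds=seconds)


@dataclass
class RefreshingCredentials:
    """Holds one set of temporary credentials and replaces it shortly before it expires."""

    issuer: Callable[[], Credentials]
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    refresh_margin: timedelta = timedelta(minutes=5)   # renew this long before Expiration
    refresh_count: int = 0
    _current: Optional[Credentials] = None

    def needs_refresh(self) -> bool:
        if self._current is None:
            return True
        return self.clock() >= self._current["Expiration"] - self.refresh_margin

    def get(self) -> Credentials:
        """Return valid credentials, calling the issuer only when the current set is about to lapse."""
        if self.needs_refresh():
            self._current = self.issuer()
            self.refresh_count += 1
        return self._current


if __name__ == "__main__":
    clock = ManualClock()
    creds = RefreshingCredentials(issuer=make_simulated_issuer(3600, clock), clock=clock)
    for elapsed in (0, 30 * 60, 26 * 60):
        clock.advance(elapsed)
        current = creds.get()
        print(f"{clock().isoformat()} key={current['AccessKeyId']} "
              f"remaining={seconds_remaining(current, clock())}s refreshes={creds.refresh_count}")
```

In production the `issuer` would be `make_sts_issuer(...)`, or a function calling `assume_role_with_saml` for the SAML federation path, while the rest of the holder stays the same. The refresh margin matters more than it looks: renewing a few minutes early keeps an in-flight request from being signed with credentials that lapse between signing and arrival at the AWS endpoint.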