
AWS Security Token Service (STS)

Status: Scaffold — content in progress

STS issues temporary security credentials (access key ID + secret access key + session token), most often as the result of role assumption. It is the core of the AWS identity architecture: nearly every federated or cross-account action ends up as an STS session.

Key STS Operations

| Operation | Use Case | Attack |
| --- | --- | --- |
| AssumeRole | Assume a role in the same or a different account | Role chaining privilege escalation |
| AssumeRoleWithSAML | SAML federation | Golden SAML → forge SAML assertion |
| AssumeRoleWithWebIdentity | OIDC federation (EKS, GitHub Actions) | OIDC token forgery |
| GetSessionToken | MFA-protected sessions | |
| GetFederationToken | Legacy federation | |

IMDS v1 / v2 and Token Theft

Instance Metadata Service (IMDS) at 169.254.169.254 returns temporary credentials for the EC2 instance's IAM role.

  • IMDSv1: No authentication — any HTTP GET from the instance returns the role's credentials (SSRF risk)
  • IMDSv2: A session token must first be obtained with a PUT request and sent with each GET — mitigates SSRF, since most SSRF primitives cannot issue a PUT with custom headers

SSRF → IMDS → http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> → stolen credentials
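Two defender-side checks for the IMDS path above, written as an added example (not code from the original page): an audit that finds instances still accepting IMDSv1 (MetadataOptions.HttpTokens != "required") with a helper that enforces IMDSv2 via ModifyInstanceMetadataOptions, and a CloudTrail scan that flags API calls made with an EC2 instance-role session whose credentials came over IMDSv1 (sessionContext.ec2RoleDelivery == "1.0") or that originate from an IP address the instance itself would not use, which is what replayed stolen IMDS credentials look like. The describe_instances response, the CloudTrail records, the instance IDs, IPs, role name and account number are constructed placeholders.

```python
"""Added example: IMDS posture audit + CloudTrail detection for stolen
instance-role credentials. All sample data below is constructed."""
from typing import Dict, Iterable, List, Set

# Constructed sample in the shape of ec2.describe_instances(), trimmed to the
# fields used here. Instance IDs and addresses are placeholders.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "PrivateIpAddress": "10.0.1.10",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222", "PrivateIpAddress": "10.0.1.11",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "PrivateIpAddress": "10.0.1.12",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 3}},
    ]}]
}

# Constructed sample CloudTrail records, trimmed. An instance-role session ARN
# looks like arn:aws:sts::<acct>:assumed-role/<role>/<instance-id>, and
# sessionContext.ec2RoleDelivery is "1.0" for IMDSv1, "2.0" for IMDSv2.
SAMPLE_CLOUDTRAIL = [
    {"eventName": "GetObject", "sourceIPAddress": "10.0.1.11",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0bbb222",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0aaa111",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0aaa111",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def audit_imds_options(describe_response: dict) -> List[dict]:
    """Report instances whose IMDS settings leave the SSRF path open.

    HttpTokens == "optional" means IMDSv1 is still served, so a plain GET
    returns role credentials. A hop limit above 1 lets the IMDSv2 PUT/GET pair
    be forwarded from containers or a proxy on the host, weakening v2."""
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS off entirely: nothing to steal
            if opts.get("HttpTokens") != "required":
                findings.append({"InstanceId": inst["InstanceId"], "Issue": "IMDSv1 allowed"})
            elif opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "Issue": f"hop limit {opts['HttpPutResponseHopLimit']}"})
    return findings


def enforce_imdsv2(ec2_client, instance_ids: Iterable[str]) -> None:
    """Switch the listed instances to IMDSv2-only. ec2_client is a boto3 EC2
    client (boto3.client("ec2")); the change applies without a reboot."""
    for iid in instance_ids:
        ec2_client.modify_instance_metadata_options(
            InstanceId=iid, HttpTokens="required", HttpPutResponseHopLimit=1)


def flag_instance_credential_misuse(records: List[dict], describe_response: dict,
                                    nat_ips: Iterable[str] = ()) -> List[dict]:
    """Flag calls made with an instance-role session that came over IMDSv1 or
    from an address that is not the instance's own (or a known NAT egress)."""
    own_ips: Dict[str, Set[str]] = {}
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            ips = {inst.get("PrivateIpAddress"), inst.get("PublicIpAddress")} - {None}
            own_ips[inst["InstanceId"]] = ips | set(nat_ips)
    alerts = []
    for ev in records:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        session_name = ident.get("arn", "").rsplit("/", 1)[-1]
        if not session_name.startswith("i-"):
            continue  # not an EC2 instance-profile session
        delivery = ident.get("sessionContext", {}).get("ec2RoleDelivery")
        src = ev.get("sourceIPAddress")
        reasons = []
        if delivery == "1.0":
            reasons.append("credentials obtained via IMDSv1")
        if session_name in own_ips and src not in own_ips[session_name]:
            reasons.append(f"call from {src}, not an address of {session_name}")
        if reasons:
            alerts.append({"instance": session_name, "event": ev["eventName"],
                           "reasons": reasons})
    return alerts
```

The source-IP check is the one that still fires when IMDSv2 is enforced but credentials leak some other way; pass your NAT gateway or proxy egress addresses as nat_ips to avoid flagging normal traffic from instances in private subnets.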

| Topic | Link |
| --- | --- |
| AWS IAM Overview | aws-iam-overview |