{"slug":"iam-aws-sts","cloud":"aws","service":"sts","title":"AWS STS (IAM)","description":"AWS Security Token Service (STS) grants temporary, limited-privilege credentials for IAM users or federated users.","category":"security","common_permissions":["sts:GetCallerIdentity","sts:GetSessionToken","sts:GetFederationToken","sts:GetWebIdentityToken","sts:GetAccessKeyInfo","sts:GetServiceBearerToken","sts:TagSession","sts:GetDelegatedAccessToken"],"least_privilege_example":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"sts:GetCallerIdentity\",\n        \"sts:GetSessionToken\",\n        \"sts:GetFederationToken\",\n        \"sts:GetWebIdentityToken\",\n        \"sts:GetAccessKeyInfo\",\n        \"sts:GetServiceBearerToken\",\n        \"sts:TagSession\",\n        \"sts:GetDelegatedAccessToken\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}","warnings":["Avoid sts:* — the wildcard grants every STS action, including token-generation actions that can bypass MFA.","Avoid sts:GetFederationToken without conditions — can create long-lived credentials. The least_privilege_example policy allows this action, along with every other listed action, on all resources with no Condition block; trim it to the actions actually needed and add conditions before use."],"docs":"https://servicereference.us-east-1.amazonaws.com/v1/sts/sts.json","tags":["iam","aws"],"last_verified":"2026-06-14T00:00:00.000Z","next_check":"2026-12-11T00:00:00.000Z","created_at":"2026-06-14T04:48:32.466Z","updated_at":"2026-06-14T04:48:32.466Z"}