Use temporary credentials

PostedNovember 27, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Managing identities in AWS requires careful strategies to retain security without impairing accessibility. Using temporary credentials is crucial in minimizing risks associated with long-term credentials, which can be inadvertently disclosed or stolen, thereby protecting your AWS resources effectively.

Best Practices

Utilize AWS Security Token Service (STS)

Use AWS STS to obtain temporary security credentials for users and applications. This minimizes the risk of long-term credential exposure.
Configure STS to allow for role-based access, where applications assume roles that grant the necessary permissions. This limits access to only what is needed.
Implement session duration policies to specify how long temporary credentials remain valid, aligning with your security requirements.

Implement IAM Roles for EC2 and Lambda

Assign IAM roles to your Amazon EC2 instances and AWS Lambda functions to allow them to interact with AWS services securely.
Ensure roles are scoped to the least privilege necessary, granting only the permissions required for tasks.
Regularly review and update IAM roles to maintain security posture and accommodate changes in workload requirements.

Use Amazon Cognito for User Identity Management

Leverage Amazon Cognito to manage user identities and provide temporary credentials for web and mobile applications.
Integrate Cognito with external identity providers (like Google or Facebook) for federated authentication, enabling secure access without managing long-term credentials yourself.
Employ fine-grained access controls in Cognito to manage what resources each user can access based on their identity claims.

Audit and Monitor Temporary Credentials Usage

Enable AWS CloudTrail to log all API calls made using temporary credentials. This provides visibility into usage patterns and potential security incidents.
Set up Amazon CloudWatch alarms to notify you of unusual or unauthorized activities related to the usage of temporary credentials.
Regularly review access logs to ensure compliance with access policies and identify any potential anomalies.

Questions to ask your team

How are temporary credentials generated and managed for human identities?
What is the process for provisioning and de-provisioning temporary access for users?
How do you ensure that temporary credentials are automatically rotated?
What mechanisms are in place to monitor and audit the use of temporary credentials?
How do you enforce the use of temporary credentials for machine identities?
Are there policies that limit the permissions granted through temporary credentials?
What steps are in place for revoking temporary credentials if a security incident occurs?
How does your organization handle credential expiration for both human and machine identities?

Who should be doing this?

AWS Security Administrator

Manage and configure AWS Identity and Access Management (IAM) roles and policies.
Implement and oversee the use of temporary credentials across the AWS environment.
Audit the use of credentials and monitor for unauthorized access or usage.
Educate team members on the importance of using temporary credentials and secure credential management practices.

DevOps Engineer

Integrate temporary credential management into CI/CD pipelines.
Ensure that application interactions with AWS services utilize temporary credentials.
Regularly update automation scripts to support the use of IAM roles for obtaining temporary credentials.

Application Developer

Develop applications that leverage temporary credentials to securely access AWS resources.
Follow best practices for credential handling within the application code.
Conduct code reviews to ensure compliance with security policies regarding identity management.

Compliance Officer

Assess and enforce policies related to identity management and the use of temporary credentials.
Coordinate audits to ensure compliance with industry standards and regulatory requirements.
Work with various teams to ensure that identity management strategies align with organizational goals.

What evidence shows this is happening in your organization?

Temporary Credentials Policy: A security policy outlining the use of temporary credentials across the organization, including procedures for issuing, managing, and revoking temporary credentials for both human and machine identities.
Identity Management Checklist: A comprehensive checklist that ensures all identities, both human and machine, are using temporary credentials. This checklist includes steps for auditing existing credentials, transitioning to temporary credentials, and ongoing management.
Access Management Dashboard: An interactive dashboard that visualizes the status of identity management, highlighting the use of temporary credentials, active sessions, and expired credentials to ensure oversight and compliance.
AWS IAM Best Practices Guide: A guide detailing best practices for identity and access management in AWS, focusing on the importance of temporary credentials and strategies for implementing them securely and effectively.
Temporary Credentials Implementation Plan: A strategic plan that outlines the approach to migrate all identities to use temporary credentials, including timelines, responsible teams, and training resources.

Cloud Services

AWS

AWS Identity and Access Management (IAM): IAM allows you to securely control access to AWS services and resources for your users. It helps in managing both human and machine identities, providing temporary security credentials for these identities.
AWS Security Token Service (STS): AWS STS enables you to request temporary, limited-privilege credentials for AWS accounts or IAM users, helping to manage secure access for applications and users.
Amazon Cognito: Amazon Cognito provides user sign-up, sign-in, and access control, helping to manage human identities and granting temporary credentials to users accessing AWS resources.

Azure

Azure Active Directory (Azure AD): Azure AD is a cloud-based identity and access management service from Microsoft that provides secure access to resources, managing both user and machine identities.
Azure Managed Identity: Managed Identities for Azure resources provide Azure services with an automatically managed identity in Azure AD, allowing secure communication without storing credentials.

Google Cloud Platform

Cloud Identity: Cloud Identity is a unified identity and access management service that helps manage users and offers single sign-on (SSO) capabilities for Google services and third-party apps.
Google Cloud IAM: Google Cloud IAM enables you to manage access control for Google Cloud resources, allowing you to create roles and manage permissions, including support for service accounts with temporary credentials.

Question: How do you manage identities for people and machines?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals