What values does Amazon Security Token Service add?
12-12-2019
Question
I am reading the AWS STS page describing how AWS STS can help avoid saving AWS credentials in an app, and the way it ends up - it seems to me - is that it solves the problem by having a TVM IAM account, but unfortunately leaves the problem of 'storing TVM IAM credentials' without any answer.
Here is the page on 'Authenticating Users of AWS Mobile Applications with a Token Vending Machine': http://aws.amazon.com/articles/4611615499399490
On top of that I am really not sure how STS addresses and helps with these concerns:
1) Where does one store the TVM IAM account credentials other than in the app?
2) If I can steal the TVM IAM, how is STS more secure than having a restricted IAM account to the specific service in the first place?
3) If I change the TVM IAM account credentials for security reasons, how does STS prevent me from having to redeploy the app again?
I'm really confused as to how adding a token layer really helps with not putting credentials in the app, or even adds value to the existing IAM system. I must be missing something obvious.
Any help, plz?
J
Solution
The AWS keys are stored on the vending machine server, not in your client app. The client app thus only stores a temporary credential, requested from the TVM server, which is valid for a set amount of time. If you change the account credentials, clients only need to request a new token from the TVM; no client app redeployment is necessary.
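As an added example (not part of the original question or answer), here is the pattern the answer describes in Python: the server-side half of a TVM that calls STS `GetFederationToken` with a per-user scoped-down policy and hands the app only the temporary credential, plus the client-side check for when to ask for a fresh one. The bucket name, the user-id format and the injected STS callable are assumptions; in production the callable is `boto3.client("sts").get_federation_token`, and the TVM's own long-lived key is read from server-side configuration.

```python
import json
import re
from datetime import datetime, timedelta

# The TVM's long-lived IAM key lives in server-side config (environment or
# secret store), never in the mobile app. Values below are constructed.
TVM_BUCKET = "example-app-user-data"   # constructed bucket name (assumption)
SESSION_SECONDS = 3600                 # lifetime of each vended credential
# GetFederationToken's Name must be 2-32 chars; we use a stricter subset.
USER_ID_RE = re.compile(r"^[a-z0-9_-]{3,32}$")


def session_policy(user_id: str) -> str:
    """Scoped-down policy sent with GetFederationToken: the temporary
    credential may only touch this user's own prefix in the app bucket,
    whatever the TVM user's own (broader) permissions are."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{TVM_BUCKET}/{user_id}/*",
        }],
    })


def vend_credentials(user_id: str, sts_get_federation_token) -> dict:
    """Server-side TVM handler, called after the app user has authenticated.
    `sts_get_federation_token` is the STS call (boto3's get_federation_token
    in production); it is injected so the logic runs offline. Only the
    temporary credential is returned; the TVM's key never leaves the server."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("invalid user id")
    resp = sts_get_federation_token(
        Name=user_id,
        Policy=session_policy(user_id),
        DurationSeconds=SESSION_SECONDS,
    )
    creds = resp["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"].isoformat(),
    }


def needs_refresh(creds: dict, now: datetime,
                  margin: timedelta = timedelta(minutes=5)) -> bool:
    """Client side: request a new credential from the TVM shortly before
    the current one expires, instead of ever holding a long-lived key."""
    return datetime.fromisoformat(creds["Expiration"]) - now <= margin
```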