Question


I am reading the AWS STS page describing how AWS STS can help avoid saving AWS credentials in the app, and the way it ends up - seems to me - is that it solves the problem by having a TVM IAM account, but unfortunately leaves the problem of 'storing TVM IAM credentials' without any answer.

Here is the page on 'Authenticating Users of AWS Mobile Applications with a Token Vending Machine': http://aws.amazon.com/articles/4611615499399490

On top of that I am really not sure how STS addresses and helps with these concerns:
1) Where does one store the TVM IAM account credentials other than in the app?

2) If I can steal the TVM IAM, how is STS more secure than having a restricted IAM account to the specific service in the first place?

3) If I change the TVM IAM account credentials for security reasons, how does STS prevent me from having to redeploy the app again?

I'm really confused as to how adding a token layer really helps with not putting credentials in the app, or even adds value to the existing IAM system. I must be missing something obvious.

Any help, please?
J


Solution

The AWS keys are stored on the vending machine server, not in your client app. The client app thus only stores a temporary credential, requested from the TVM server, which is valid for a set amount of time. If you change the account credentials, clients only need to request a new token from the TVM; no client app redeployment is necessary.
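The split described in this answer, as an added illustration that is not from the original post or from the AWS article: the long-lived IAM key lives only on the TVM server, the client ships with no AWS key and caches a short-lived credential, and rotating the server's key is invisible to clients. The `sts_get_federation_token` function and the key values are constructed stand-ins (the real TVM would call STS `GetFederationToken` with the server's IAM key); nothing here contacts AWS.

```python
import secrets
import time


def sts_get_federation_token(iam_access_key, iam_secret_key, name, duration):
    """Stand-in for the STS GetFederationToken call the TVM server makes.

    Constructed sample response in the shape STS returns; the IAM key
    arguments would authenticate the real request and are never echoed back.
    """
    return {
        "AccessKeyId": "ASIA" + secrets.token_hex(6).upper(),
        "SecretAccessKey": secrets.token_urlsafe(30),
        "SessionToken": secrets.token_urlsafe(48),
        "Expiration": time.time() + duration,
    }


class TokenVendingMachine:
    """Server side: the only place the long-lived IAM key exists."""

    def __init__(self, access_key, secret_key, duration=900):
        self._access_key, self._secret_key = access_key, secret_key
        self.duration = duration

    def rotate_iam_key(self, access_key, secret_key):
        # Rotation happens here only; deployed clients are untouched.
        self._access_key, self._secret_key = access_key, secret_key

    def vend(self, device_id):
        # Only the temporary credential leaves the server.
        return sts_get_federation_token(self._access_key, self._secret_key,
                                        name=device_id, duration=self.duration)


class MobileClient:
    """Client side: no baked-in AWS key, just a cached temporary credential."""

    def __init__(self, tvm, device_id):
        self.tvm, self.device_id, self.creds = tvm, device_id, None

    def credentials(self, now=None, skew=60):
        now = time.time() if now is None else now
        if self.creds is None or self.creds["Expiration"] - skew <= now:
            self.creds = self.tvm.vend(self.device_id)  # refresh before expiry
        return self.creds


def demo():
    tvm = TokenVendingMachine("AKIAEXAMPLELONGLIVED", "long-lived-secret-v1")
    client = MobileClient(tvm, "device-42")
    first = client.credentials(now=0)
    tvm.rotate_iam_key("AKIAEXAMPLEROTATED", "long-lived-secret-v2")
    after_rotation = client.credentials(now=first["Expiration"] + 1)
    leaked = any("long-lived-secret" in str(v) for v in after_rotation.values())
    return first, after_rotation, leaked
```

`demo()` returns the credential issued before rotation, the one fetched after it, and whether any long-lived secret ever reached the client (it should not).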

Licensed under: CC-BY-SA with attribution