Cyber Intelligence
Identity and Access Management · 16% of exam

L2. Federation & Cross-Account Access: STS, SAML/OIDC & AssumeRole

Video generating

Check back soon for the video lesson on Federation & Cross-Account Access: STS, SAML/OIDC & AssumeRole

How AWS STS, SAML federation, OIDC federation, and IAM Identity Center replace long-lived credentials with temporary, auditable access across accounts and identity providers.

Why Temporary Credentials Exist

AWS Security Token Service (STS) issues short-lived credentials so that identities don't need to carry long-lived IAM user access keys around. Temporary credentials expire on their own, which shrinks the blast radius if they are ever leaked, and they eliminate the need to rotate secrets manually. The exam expects you to recognize STS as the mechanism underneath almost every federation and cross-account access pattern.

The Three Core STS APIs

  • AssumeRole: used when an existing IAM principal, in the same account or a different one, needs to take on the permissions of an IAM role. This is the backbone of cross-account access.
  • AssumeRoleWithSAML: used for enterprise SSO federation, where a corporate identity provider (such as Active Directory Federation Services) issues a SAML 2.0 assertion that AWS trusts.
  • AssumeRoleWithWebIdentity: used for OIDC federation, where an external identity provider issues a JSON Web Token. Common examples include Amazon Cognito for mobile and web apps, and CI/CD systems like GitHub Actions authenticating to AWS without ever storing a long-lived access key.

Two Policies, Two Gatekeepers

Every IAM role has two distinct policies that must both cooperate:

  1. A trust policy, which defines who is allowed to assume the role.
  2. A permissions policy, which defines what the role can do once assumed.

For an assumption to succeed, the caller needs sts:AssumeRole permission in their own identity-based policy, and the role's trust policy must explicitly list that caller's principal. Missing either side causes the assumption to fail. This dual-gatekeeper design is a frequent exam scenario.

Preventing the Confused Deputy Problem

When a trust policy grants a third party (like a SaaS vendor or auditor) the ability to assume a role in your account, always add an sts:ExternalId condition. Without it, an attacker who convinces the third party to act on their behalf (using the third party's own legitimate, valid permissions) could trick that party into assuming your role and acting maliciously. The ExternalId is a shared secret between you and the third party that closes this gap.

Centralizing Human Access

For human users across a large AWS Organization, hand-rolling per-account IAM roles doesn't scale. IAM Identity Center (formerly AWS SSO) centralizes federated access using permission sets, which are templates of permissions assigned to users or groups across many accounts from a single place. This is the recommended approach for workforce access at scale, versus building custom SAML federation into every individual account.

Federation typeSTS APITypical use case
Enterprise SSO (SAML 2.0)AssumeRoleWithSAMLCorporate AD/ADFS login to AWS Console
OIDCAssumeRoleWithWebIdentityCognito apps, GitHub Actions CI/CD
Cross-account IAMAssumeRoleAuditors, vendors, multi-account workloads
Workforce at scaleIAM Identity CenterCentralized permission sets across an Organization
Exam tip: Role session duration is configurable per role, up to a maximum of 12 hours by default. This is why STS-based access is consistently favored over long-lived IAM user access keys for anything beyond a legacy workload that truly cannot use roles.

Exam Focus Points
  • AssumeRole issues temporary STS credentials; the caller needs sts:AssumeRole permission AND the target role's trust policy must allow the caller's principal
  • Cross-account trust policies granted to a third party should include an ExternalId condition to prevent the confused deputy problem
  • AssumeRoleWithSAML supports enterprise SSO federation into AWS; AssumeRoleWithWebIdentity supports OIDC providers such as Cognito or CI/CD systems, both avoiding long-lived IAM user credentials
  • IAM Identity Center (formerly AWS SSO) centralizes federated human access across an AWS Organization using permission sets instead of per-account IAM roles
  • Temporary STS credentials expire (configurable max session duration, capped at 12 hours by default), which shrinks the blast radius of a leaked credential compared to a long-lived access key
Knowledge Check

1. A vendor needs to assume a role in your AWS account to perform monthly billing audits. What should you add to the role's trust policy to prevent the confused deputy problem?

2. Your company wants developers to authenticate to the AWS Console using their existing corporate Active Directory credentials via SAML 2.0. Which STS API enables this?

3. A user has sts:AssumeRole permission in their identity-based policy for RoleX, but RoleX's trust policy does not list that user's account as a trusted principal. What happens when the user tries to assume RoleX?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.

Start Security Specialty prep free10-day free trial available