STS (Security Token Service) allows granting limited, temporary access to AWS resources (up to 1 hour)
AssumeRole: assume roles within your own account or cross-account
GetSessionToken: for MFA, from an IAM user or the AWS account root user
DecodeAuthorizationMessage: decode the error message returned when an AWS API call is denied
AssumeRoleWithSAML: return credentials for users logged in with SAML
GetFederationToken: obtain temporary credentials for a federated user
GetCallerIdentity: return details about the IAM user or role used in the API call
Use GetSessionToken from STS
Attach an appropriate IAM policy using IAM conditions
aws:MultiFactorAuthPresent: true
Reminder, GetSessionToken
returns:
Access Key ID
Secret Access Key
Session Token
Expiration date

IAM policies are attached to users, roles and groups
S3 bucket policies are attached to buckets
When evaluating whether an IAM principal can perform an operation X on a bucket, the union of its assigned IAM policies and the S3 bucket policies is evaluated (an explicit Deny in either one overrides any Allow)
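The two rules above (the aws:MultiFactorAuthPresent condition used with GetSessionToken, and the union evaluation of IAM policies plus the bucket policy) can be seen working in the small evaluator below. It is an added illustration, not AWS code and not part of the original notes: the policy documents, bucket name and request contexts are constructed samples, and the evaluator models only the same-account rules the notes describe (any matching explicit Deny wins, otherwise one matching Allow from either document is enough, otherwise implicit deny) together with the Bool / BoolIfExists condition operators.

```python
"""
Minimal IAM-style policy evaluator (added illustration, not AWS code).
Models two points from the notes:
  * an identity policy that requires MFA via aws:MultiFactorAuthPresent
  * the union of the principal's IAM policies and the S3 bucket policy,
    where an explicit Deny anywhere overrides any Allow.
All policy documents and request contexts below are constructed samples.
"""
from fnmatch import fnmatchcase

# Constructed sample: identity policy attached to the IAM user. The Deny uses
# BoolIfExists so that requests whose context has no MFA key at all (for
# example long-term access keys that never went through GetSessionToken)
# are denied as well, not only requests where the key is explicitly false.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed sample: bucket policy attached to the bucket itself.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action / Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the Bool / BoolIfExists operators used for MFA checks."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue  # a missing key satisfies an ...IfExists operator
                return False  # plain Bool on a missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    """True when the statement's Action, Resource and Condition all match."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for the union of the given policy documents.

    Same-account rule modelled here: any matching explicit Deny wins; otherwise
    a matching Allow in any of the documents is enough; otherwise implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def decide(action, resource, mfa_present):
    """Evaluate identity policy + bucket policy for a GetSessionToken session.

    Session credentials obtained with an MFA code carry
    aws:MultiFactorAuthPresent=true; those obtained without carry false.
    """
    context = {"aws:MultiFactorAuthPresent": "true" if mfa_present else "false"}
    return evaluate([IDENTITY_POLICY, BUCKET_POLICY], action, resource, context)


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/secret.txt"
    for action, res, mfa in [
        ("s3:GetObject", obj, True),            # Allow: bucket policy, MFA ok
        ("s3:GetObject", obj, False),           # Deny:  MFA condition fails
        ("s3:ListBucket", "arn:aws:s3:::example-bucket", True),  # Allow
        ("s3:DeleteObject", obj, True),         # Deny:  nothing allows it
    ]:
        print(f"{action:16} mfa={mfa!s:5} -> {decide(action, res, mfa)}")
```

Note that neither document on its own allows both operations: only the identity policy grants s3:ListBucket and only the bucket policy grants s3:GetObject, which is exactly the union the notes describe. The BoolIfExists form of the Deny is what makes a context with no MFA key (long-term keys) fail as well; a plain Bool Deny on "false" would let those through.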