SEC02-BP02: Use temporary credentials

Require identities to dynamically acquire temporary credentials. For workforce identities, use AWS IAM Identity Center, or a federation with IAM roles to access AWS accounts. For machine identities, require the use of IAM roles instead of IAM users with long-term access keys.

Implementation guidance

Temporary credentials provide enhanced security compared to long-term credentials because they have a limited lifetime and don’t need to be stored or managed by the user. By implementing temporary credentials, you can reduce the risk of unauthorized access due to compromised credentials and simplify credential management.

Key steps for implementing this best practice:

  1. Implement IAM roles for human access:
    • Use AWS IAM Identity Center for workforce identities
    • Configure federation with your existing identity provider
    • Set up IAM roles with appropriate permissions
    • Define appropriate session durations
    • Implement role-based access control (RBAC)
  2. Implement IAM roles for machine access:
    • Use IAM roles for EC2 instances
    • Implement service-linked roles for AWS services
    • Use IAM roles for tasks and containers
    • Configure appropriate trust relationships
    • Apply the principle of least privilege
  3. Implement IAM roles for cross-account access:
    • Define roles for cross-account access
    • Configure appropriate trust relationships
    • Use external IDs for third-party access
    • Implement appropriate permission boundaries
    • Monitor cross-account role usage
  4. Phase out long-term credentials:
    • Identify and inventory all long-term credentials
    • Create a migration plan to temporary credentials
    • Implement monitoring for long-term credential usage
    • Establish policies prohibiting new long-term credentials
    • Regularly audit and remove unused long-term credentials
  5. Implement credential monitoring and rotation:
    • Monitor credential usage with AWS CloudTrail
    • Set up alerts for suspicious credential usage
    • Implement automated credential rotation where long-term credentials are necessary
    • Use AWS Secrets Manager for managing any required secrets
    • Regularly audit credential usage
  6. Educate users and developers:
    • Train users on how to use temporary credentials
    • Provide developers with examples and tools for implementing temporary credentials
    • Document best practices for different use cases
    • Create clear procedures for exceptional cases
    • Regularly review and update guidance

Implementation examples

Example 1: Assuming an IAM role using the AWS CLI

Example 2: IAM role for EC2 instance

Example 3: Cross-account role with external ID

AWS services to consider

AWS IAM Identity Center

Helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. Provides temporary credentials for AWS account access.

AWS Identity and Access Management (IAM)

Enables you to manage access to AWS services and resources securely. Supports IAM roles for temporary credentials and federation with external identity providers.

AWS Security Token Service (STS)

Enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users). Provides APIs for assuming roles and federating identities.

AWS Secrets Manager

Helps you protect secrets needed to access your applications, services, and IT resources. Enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor credential usage and detect unauthorized access attempts.

Benefits of using temporary credentials

  • Enhanced security: Temporary credentials have a limited lifetime, reducing the risk of credential compromise
  • Simplified management: No need to store, rotate, or manage long-term credentials
  • Automatic expiration: Credentials automatically expire after a defined period
  • Dynamic permissions: Permissions can be dynamically assigned based on context
  • Reduced attack surface: Eliminates the risk of long-term credential exposure
  • Improved auditability: Easier to track and audit credential usage
  • Centralized control: Manage access from a central location

Related Resources

Copyright © 2025 Cloudvisor. Distributed under the MIT license.

Powered by Just the Docs, a documentation theme for Jekyll.