Skip to content
Start Assessment
SEC02

SEC02-BP02 - Use temporary credentials

Implementation guidance

Temporary credentials provide enhanced security compared to long-term credentials because they have a limited lifetime and don’t need to be stored or managed by the user. By implementing temporary credentials, you can reduce the risk of unauthorized access due to compromised credentials and simplify credential management.

Key steps for implementing this best practice:

  1. Implement IAM roles for human access:

    • Use AWS IAM Identity Center for workforce identities
    • Configure federation with your existing identity provider
    • Set up IAM roles with appropriate permissions
    • Define appropriate session durations
    • Implement role-based access control (RBAC)

  2. Implement IAM roles for machine access:

    • Use IAM roles for EC2 instances
    • Implement service-linked roles for AWS services
    • Use IAM roles for tasks and containers
    • Configure appropriate trust relationships
    • Apply the principle of least privilege

  3. Implement IAM roles for cross-account access:

    • Define roles for cross-account access
    • Configure appropriate trust relationships
    • Use external IDs for third-party access
    • Implement appropriate permission boundaries
    • Monitor cross-account role usage

  4. Phase out long-term credentials:

    • Identify and inventory all long-term credentials
    • Create a migration plan to temporary credentials
    • Implement monitoring for long-term credential usage
    • Establish policies prohibiting new long-term credentials
    • Regularly audit and remove unused long-term credentials

  5. Implement credential monitoring and rotation:

    • Monitor credential usage with AWS CloudTrail
    • Set up alerts for suspicious credential usage
    • Implement automated credential rotation where long-term credentials are necessary
    • Use AWS Secrets Manager for managing any required secrets
    • Regularly audit credential usage

  6. Educate users and developers:

    • Train users on how to use temporary credentials
    • Provide developers with examples and tools for implementing temporary credentials
    • Document best practices for different use cases
    • Create clear procedures for exceptional cases
    • Regularly review and update guidance

Implementation examples

Example 1: Assuming an IAM role using the AWS CLI

View code
# Assume a role and get temporary credentials
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/MyRole \
  --role-session-name MySession

# Configure AWS CLI to use temporary credentials
aws configure set aws_access_key_id ASIA1234567890EXAMPLE
aws configure set aws_secret_access_key 9drTJvcXLB89EXAMPLEKEY
aws configure set aws_session_token AQoEXAMPLEH4aoAH0gNCAPy...truncated

Example 2: IAM role for EC2 instance

View code
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
View code
# Attach the role to an EC2 instance
aws ec2 associate-iam-instance-profile \
  --instance-id i-1234567890abcdef0 \
  --iam-instance-profile Name=MyInstanceProfile

Example 3: Cross-account role with external ID

View code
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "UniqueExternalId123"
        }
      }
    }
  ]
}
View code
# Assume a cross-account role with external ID
aws sts assume-role \
  --role-arn arn:aws:iam::987654321098:role/CrossAccountRole \
  --role-session-name CrossAccountSession \
  --external-id UniqueExternalId123

AWS services to consider

AWS IAM Identity Center

Helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. Provides temporary credentials for AWS account access.

AWS Identity and Access Management (IAM)

Enables you to manage access to AWS services and resources securely. Supports IAM roles for temporary credentials and federation with external identity providers.

AWS Security Token Service (STS)

Enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users). Provides APIs for assuming roles and federating identities.

AWS Secrets Manager

Helps you protect secrets needed to access your applications, services, and IT resources. Enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor credential usage and detect unauthorized access attempts.

Benefits of using temporary credentials

  • Enhanced security: Temporary credentials have a limited lifetime, reducing the risk of credential compromise
  • Simplified management: No need to store, rotate, or manage long-term credentials
  • Automatic expiration: Credentials automatically expire after a defined period
  • Dynamic permissions: Permissions can be dynamically assigned based on context
  • Reduced attack surface: Eliminates the risk of long-term credential exposure
  • Improved auditability: Easier to track and audit credential usage
  • Centralized control: Manage access from a central location

Related Resources

Back to SEC02