AWS Security Blog

AWS Security Token Service Is Now Available in Every AWS Region

AWS Security Token Service (STS), which enables your applications to request temporary security credentials, is now available in every AWS region. Previously, STS had only a single endpoint (https://sts.amazonaws.com), but now, there is an endpoint in every AWS region. By bringing STS to a region geographically closer to you, your applications and services can call it with reduced latencies and take advantage of the multiregional resiliency provided by the new regional endpoints. You can see the complete list of STS endpoints for all regions on the Regions and Endpoints page. 

Activating STS in a region

To take advantage of one of the new regional STS endpoints, you need to first activate that endpoint for use with your AWS account. This allows you to control the regions in which your applications can request temporary security credentials. On the Account Settings page (formerly the Password Policy page) in the AWS Identity and Access Management (IAM) console, you can activate a regional STS endpoint, see the regions in which STS is currently active for your account, and activate or deactivate STS in a particular region. Only an account administrator (a user with at least iam:* permissions) can activate or deactivate STS regions. For backward compatibility, the STS endpoints in the US East, AWS GovCloud (US), and China (Beijing) regions are always active and cannot be deactivated.

The following image shows the new user interface for managing STS regions.

Image of new user interface for managing AWS STS regions

Using STS in a region after activation

After you have activated STS in a region, you must also modify your code to take advantage of your desired region. The following Java code demonstrates how to update the STS client to use the eu-west-1 endpoint:

import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
// Point the STS client at the regional endpoint instead of the default global one
AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient();
stsClient.setEndpoint("sts.eu-west-1.amazonaws.com");

Note: Do not use the setRegion method to set a regional endpoint because, for backward compatibility, that method continues to use the single global endpoint (http://sts.amazonaws.com).

After applying this code, calling STS to request temporary security credentials uses exactly the same process as before. The credentials retrieved from one regional endpoint can be used to access AWS resources in a different region, except for AWS GovCloud (US) and China (Beijing). Credentials from AWS GovCloud (US) and China (Beijing) can be used only in the region from which they originated.
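The following program is an added example, not code from the original post or from the AWS SDK documentation. It carries the snippet above through to a complete flow with the AWS SDK for Java (the v1 client classes the post uses): it requests temporary credentials by assuming a role through the eu-west-1 STS endpoint, then uses those credentials with an EC2 client in us-west-2 to show that credentials issued by one regional endpoint work in another commercial region. The role ARN, session name and class name are placeholders; the example assumes the caller's long-term credentials are available through the SDK's default credential chain and that the eu-west-1 endpoint has already been activated on the account.

```java
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.ec2.AmazonEC2Client;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;

// Added example: regional STS endpoint -> temporary credentials -> call in another region.
public class RegionalStsExample {

    // Placeholder role ARN (hypothetical account id); the caller must be allowed to assume it.
    private static final String ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleRole";

    // Request temporary credentials from the given regional STS endpoint.
    public static Credentials assumeRoleViaRegionalEndpoint(String stsEndpoint) {
        AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient();
        // setEndpoint, not setRegion: setRegion keeps using the global endpoint.
        stsClient.setEndpoint(stsEndpoint);

        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(ROLE_ARN)
                .withRoleSessionName("regional-sts-example") // placeholder session name
                .withDurationSeconds(900);                   // shortest lifetime AssumeRole accepts

        AssumeRoleResult result = stsClient.assumeRole(request);
        return result.getCredentials();
    }

    public static void main(String[] args) {
        // Credentials are issued by the eu-west-1 endpoint...
        Credentials creds = assumeRoleViaRegionalEndpoint("sts.eu-west-1.amazonaws.com");

        BasicSessionCredentials session = new BasicSessionCredentials(
                creds.getAccessKeyId(), creds.getSecretAccessKey(), creds.getSessionToken());

        // ...and used against a service endpoint in us-west-2. This would not work for
        // credentials issued in AWS GovCloud (US) or China (Beijing), which stay region-bound.
        AmazonEC2Client ec2 = new AmazonEC2Client(session);
        ec2.setRegion(Region.getRegion(Regions.US_WEST_2));
        int reservations = ec2.describeInstances().getReservations().size();

        System.out.println("Reservations visible in us-west-2 with eu-west-1-issued credentials: "
                + reservations);
        System.out.println("Temporary credentials expire at: " + creds.getExpiration());
    }
}
```

The session duration is deliberately the minimum so that a leaked token has the shortest possible useful life; raise it only as far as the workload needs. If the eu-west-1 endpoint has not been activated for the account, the AssumeRole call fails rather than silently falling back to the global endpoint, which is the behaviour you want when auditing which regions your code actually obtains credentials from.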

Turn on AWS CloudTrail in the AWS regions where you use STS

All API calls that are made to the global STS endpoint (https://sts.amazonaws.com) will continue to be delivered per your Include Global Services CloudTrail setting in the regions in which you turned on CloudTrail. However, if you want to receive a history of STS API activity in another region, you must also enable CloudTrail in that region. All API calls made to region-specific endpoints such as https://sts.us-east-1.amazonaws.com and https://sts.us-west-2.amazonaws.com will be delivered to the Amazon S3 bucket you specified in CloudTrail in the US East and US West regions. For more details, see the CloudTrail documentation.

As always, if you have any questions or suggestions, post them on the IAM forum.

– Srikanth