Managing Amazon STS in an Amazon Region - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Managing Amazon STS in an Amazon Region

By default, the Amazon Security Token Service (Amazon STS) is available as a global service, and all Amazon STS requests go to a single endpoint at https://sts.amazonaws.com.cn. Amazon recommends using Regional Amazon STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity.

  • Reduce latency – By making your Amazon STS calls to an endpoint that is geographically closer to your services and applications, you can access Amazon STS services with lower latency and better response times.

  • Build in redundancy – You can add code to your application that switches your Amazon STS API calls to a different Region. This ensures that if the first Region stops responding, your application continues to operate. This redundancy is not automatic; you must build the functionality into your code.

  • Increase session token validity – Session tokens from Regional Amazon STS endpoints are valid in all Amazon Regions. Session tokens from the global STS endpoint are valid only in Amazon Regions that are enabled by default. If you intend to enable a new Region for your account, you can use session tokens from Regional STS endpoints. If you choose to use the global endpoint, you must change the Region compatibility of STS session tokens for the global endpoint. Doing so ensures that tokens are valid in all Amazon Regions.

Managing global endpoint session tokens

Most Amazon Regions are enabled for operations in all Amazon services by default. Those Regions are automatically activated for use with Amazon STS. Some Regions, such as Asia Pacific (Hong Kong), must be manually enabled. To learn more about enabling and disabling Amazon Regions, see Managing Amazon Regions in the Amazon General Reference. When you enable these Amazon Regions, they are automatically activated for use with Amazon STS. You cannot activate the STS endpoint for a Region that is disabled. Tokens that are valid in all Amazon Regions include more characters than tokens that are valid in Regions that are enabled by default. Changing this setting might affect existing systems where you temporarily store tokens.

You can change this setting using the Amazon Web Services Management Console, Amazon CLI, or Amazon API.

To change the Region compatibility of session tokens for the global endpoint (console)

  1. Sign in as a root user or an IAM user with permissions to perform IAM administration tasks. To change the compatibility of session tokens, you must have a policy that allows the iam:SetSecurityTokenServicePreferences action.

  2. Open the IAM console. In the navigation pane, choose Account settings.

  3. If necessary, expand the Security Token Service (STS) section. In the first table next to Global endpoint, the Region compatibility of session tokens column indicates Valid only in AWS Regions enabled by default. Choose Change.

  4. In the Change region compatibility of session tokens for global endpoint dialog box, select Valid in all Amazon Regions. Then choose Save changes.

    Note

    Tokens that are valid in all Amazon Regions include more characters than tokens that are valid in Regions that are enabled by default. Changing this setting might affect existing systems where you temporarily store tokens.

To change the Region compatibility of session tokens for the global endpoint (Amazon CLI)

Set the security token version. Version 1 tokens are valid only in Amazon Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens include more characters and might affect systems where you temporarily store tokens.

To change the Region compatibility of session tokens for the global endpoint (Amazon API)

Set the security token version. Version 1 tokens are valid only in Amazon Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens include more characters and might affect systems where you temporarily store tokens.

Activating and deactivating Amazon STS in an Amazon Region

When you activate STS endpoints for a Region, Amazon STS can issue temporary credentials to users and roles in your account that make an Amazon STS request. Those credentials can then be used in any Region that is enabled by default or is manually enabled. You must activate the Region in the account where the temporary credentials are generated. It does not matter whether a user is signed into the same account or a different account when they make the request.

For example, imagine a user in account A wants to send an sts:AssumeRole API request to the STS Regional endpoint https://sts.us-west-2.amazonaws.com.cn. The request is for temporary credentials for the role named Developer in account B. Because the request is to create credentials for an entity in account B, account B must activate the us-west-2 Region. Users from account A (or any other account) can call the us-west-2 endpoint to request credentials for account B whether or not the Region is activated in their accounts.

Note

Active Regions are available to everyone that uses temporary credentials in that account. To control which IAM users or roles can access the Region, use the aws:RequestedRegion condition key in your permissions policies.

To activate or deactivate Amazon STS in a Region that is enabled by default (console)

  1. Sign in as a root user or an IAM user with permissions to perform IAM administration tasks.

  2. Open the IAM console and in the navigation pane choose Account settings.

  3. If necessary, expand Security Token Service (STS), find the Region that you want to activate, and then choose Activate or Deactivate. For Regions that must be enabled, we activate STS automatically when you enable the Region. After you enable a Region, Amazon STS is always active for the Region and you cannot deactivate it. To learn how to enable a Region, see Managing Amazon Regions in the Amazon General Reference.

Writing code to use Amazon STS regions

After you activate a Region, you can direct Amazon STS API calls to that Region. The following Java code snippet demonstrates how to configure an AWSSecurityTokenService object to make requests to the Europe (Ireland) (eu-west-1) Region.

EndpointConfiguration regionEndpointConfig = new EndpointConfiguration("https://sts.eu-west-1.amazonaws.com", "eu-west-1"); AWSSecurityTokenService stsRegionalClient = AWSSecurityTokenServiceClientBuilder.standard() .withCredentials(credentials) .withEndpointConfiguration(regionEndpointConfig) .build();

Amazon STS recommends that you make calls to a Regional endpoint. To learn how to manually enable a Region, see Managing Amazon Regions in the Amazon General Reference.

In the example, the first line instantiates an EndpointConfiguration object called regionEndpointConfig, passing the URL of the endpoint and the Region as the parameters.

For all other language and programming environment combinations, refer to the documentation for the relevant SDK.

Regions and endpoints

The following table lists the Regions and their endpoints. It indicates which ones are activated by default and which ones you can activate or deactivate.

Region name Endpoint Active by default Manually activate/deactivate
--Global-- sts.amazonaws.com.cn Yes No
US East (Ohio) sts.us-east-2.amazonaws.com Yes Yes
US East (N. Virginia) sts.us-east-1.amazonaws.com Yes No
US West (N. California) sts.us-west-1.amazonaws.com Yes Yes
US West (Oregon) sts.us-west-2.amazonaws.com Yes Yes
Africa (Cape Town) sts.af-south-1.amazonaws.com No¹ No
Asia Pacific (Hong Kong) sts.ap-east-1.amazonaws.com No¹ No
Asia Pacific (Mumbai) sts.ap-south-1.amazonaws.com Yes Yes
Asia Pacific (Osaka) sts.ap-northeast-3.amazonaws.com Yes Yes
Asia Pacific (Seoul) sts.ap-northeast-2.amazonaws.com Yes Yes
Asia Pacific (Singapore) sts.ap-southeast-1.amazonaws.com Yes Yes
Asia Pacific (Sydney) sts.ap-southeast-2.amazonaws.com Yes Yes
Asia Pacific (Tokyo) sts.ap-northeast-1.amazonaws.com Yes Yes
Canada (Central) sts.ca-central-1.amazonaws.com Yes Yes
Europe (Frankfurt) sts.eu-central-1.amazonaws.com Yes Yes
Europe (Ireland) sts.eu-west-1.amazonaws.com Yes Yes
Europe (London) sts.eu-west-2.amazonaws.com Yes Yes
Europe (Milan) sts.eu-south-1.amazonaws.com No¹ No
Europe (Paris) sts.eu-west-3.amazonaws.com Yes Yes
Europe (Stockholm) sts.eu-north-1.amazonaws.com Yes Yes
Middle East (Bahrain) sts.me-south-1.amazonaws.com No¹ No
South America (São Paulo) sts.sa-east-1.amazonaws.com Yes Yes

¹You must enable the Region to use it. This automatically activates STS. You cannot manually activate or deactivate STS in these Regions.

Amazon CloudTrail and Regional endpoints

Calls to Regional endpoints, such as us-west-2.amazonaws.com.cn, are logged in Amazon CloudTrail the same as any call to a Regional service. Calls to the global endpoint, sts.amazonaws.com.cn, are logged as calls to a global service. For more information, see Logging IAM and Amazon STS API calls with Amazon CloudTrail.