I think you’re talking about something different. AWS session tokens let you use your SSO to request session tokens that have a short expiry. So you can do API/console actions but if an attacker takes the creds, they expire. It also lets you generate session tokens that only have the subset of your allowed perms that you need for that workflow.
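The two properties the comment above relies on, a short expiry and permissions that can only be a subset of what the caller already has, are easier to see with a small model. The following Python is an added example, not code from this thread or from AWS; it mirrors the parameter names of `sts:AssumeRole` (`RoleArn`, `RoleSessionName`, `Policy`, `DurationSeconds`) but the policy evaluation is a deliberately simplified stand-in for IAM's real evaluator (no conditions, no resource policies, no permission boundaries), and the role ARN, policies and timestamps are constructed sample values.

```python
import fnmatch
import json
from datetime import datetime, timedelta, timezone

# Simplified model of AWS STS session tokens (added example, not AWS code).
# Two properties are modelled: the credential expires after DurationSeconds,
# and an optional session policy can only narrow the identity's permissions.


def build_assume_role_request(role_arn, session_name, session_policy=None,
                              duration_seconds=900):
    """Build the parameter dict one would pass to sts:AssumeRole.
    900..43200 seconds is the valid DurationSeconds range; the role's own
    MaxSessionDuration may cap it lower."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if session_policy is not None:
        params["Policy"] = json.dumps(session_policy)  # inline session policy
    return params


def issue_credentials(duration_seconds, issued_at):
    """Model the Credentials block STS returns (placeholder token, real expiry)."""
    return {"SessionToken": "PLACEHOLDER-SESSION-TOKEN",
            "Expiration": issued_at + timedelta(seconds=duration_seconds)}


def credentials_expired(creds, now):
    """Stolen credentials stop working once Expiration has passed."""
    return now >= creds["Expiration"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept '*' wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny is final
        decision = "Allow"
    return decision


def session_allows(identity_policy, session_policy, action, resource):
    """Effective permissions are the intersection: both documents must Allow,
    and an explicit Deny in either one wins. The session policy can therefore
    drop permissions but never add ones the identity lacks."""
    return all(evaluate_policy(p, action, resource) == "Allow"
               for p in (identity_policy, session_policy))


# Constructed sample data. The identity is broad (all of S3 and EC2) but
# explicitly denies bucket deletion; the session policy asks for read-only
# access to one bucket plus iam:*, which the identity never had.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::backup-bucket", "arn:aws:s3:::backup-bucket/*"]},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]}
ISSUED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    req = build_assume_role_request("arn:aws:iam::123456789012:role/ExampleRole",
                                    "workflow-session", SESSION_POLICY, 900)
    creds = issue_credentials(req["DurationSeconds"], ISSUED_AT)
    for action, resource in [("s3:GetObject", "arn:aws:s3:::backup-bucket/2024/db.dump"),
                             ("s3:PutObject", "arn:aws:s3:::backup-bucket/2024/db.dump"),
                             ("ec2:TerminateInstances", "*"),
                             ("iam:CreateUser", "*")]:
        print(action, resource, session_allows(IDENTITY_POLICY, SESSION_POLICY, action, resource))
    print("expired after 20 min:", credentials_expired(creds, ISSUED_AT.replace(minute=20)))
```

Run as a script it prints the decision for each sample request; only the single `s3:GetObject` on the backup bucket is allowed, and the credentials report expired once the 15-minute window has passed.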
Yea. Like, I’m 100% on board with the idea that AWS IAM is full of footguns, is overcomplicated, and is hard to get right (I assume other cloud platforms are similar, but my expertise is largely specific to AWS).
But also it’s a complex and very important problem space.