AWS STS Migration: Your Guide to Smoother, Faster Security Token Service

Big news from AWS dropped today (February 3, 2025), and it's all about making your security token service experience better than ever. Grab your favorite beverage, and let's dive into what's changing with AWS STS and why you should care!

The TL;DR (Too Long; Didn't Read)

AWS is giving its Security Token Service (STS) a major upgrade! Instead of all your requests taking a detour through US East (N. Virginia), they'll soon be handled right in your local region. Think of it as opening a new coffee shop in your neighborhood instead of driving across town for your daily caffeine fix! ☕

What's Actually Changing?

Remember how every time you needed temporary credentials from sts.amazonaws.com, your request had to travel all the way to US East (N. Virginia)? Well, AWS has decided it's time for a change. Starting in early 2025, your requests will be handled locally in your region, just like getting your favorite local takeout instead of ordering from across the country! 🚀

Here's what it looks like:

  • Before: Your request from US West (Oregon) took a cross-country trip to Virginia.

  • After: Your request is handled right there in Oregon, faster than you can say "temporary credentials"!

But wait, there's a catch! Some regions will still need to follow the old rules:

  • Opt-in regions (like Asia Pacific [Hong Kong])

  • Requests coming from outside AWS (like your on-premises data center)

  • Requests that aren't using Amazon's DNS servers in your VPC

Why Should You Care?

Let's break down the good stuff:

  1. Speed Boost 🏃‍♀️: Your applications will get their security credentials faster than ever

  2. Better Reliability 🛡️: No more depending on a single region - if Virginia has a bad day, you're still good to go

  3. Compliance Happy 📋: Your data stays more local, making those compliance folks smile

Your Action Plan: Making the Switch

Step 1: Find Those Global Endpoint Users

Time to play detective! Here's how to spot applications still using the global endpoint:

  • Check your CloudTrail logs for calls to sts.amazonaws.com

  • Look for "endpointType: global" (they're the ones we're after!)

Step 2: Time for an Upgrade

Now comes the fun part: updating your applications to use regional endpoints! Instead of using sts.amazonaws.com, you'll switch to the region-specific STS endpoint for the region your workload runs in.

It's like updating your GPS to find the nearest store instead of always routing through New York!
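To make Steps 1 and 2 concrete, here is an added example (my own illustration, not code from the original post or from AWS) that walks a CloudTrail log file, picks out STS calls that still used the global endpoint, groups them by calling principal and user agent so you can find the owning team, and suggests the regional endpoint to move to. Two things to know: every STS call has eventSource sts.amazonaws.com, whether it went to the global or a regional endpoint, so endpointType is what actually separates the two; and the post does not say where in the record CloudTrail places endpointType and awsServingRegion, so the code checks both the top level and additionalEventData (an assumption). The sts.<region>.amazonaws.com naming is the standard regional endpoint convention (amazonaws.com.cn for the China partition). The log records are constructed sample data, and using awsServingRegion as a hint for which region the caller lives in is a heuristic: a caller served from us-east-1 (on-premises, or an opt-in region) gets no suggestion and you pick the region the workload runs in.

```python
"""Find STS calls that still use the global endpoint in CloudTrail records and
suggest the regional endpoint to move each caller to.

Added example, not from the original post. Field names endpointType and
awsServingRegion come from the post; where CloudTrail places them in the record
is an ASSUMPTION (both top level and additionalEventData are checked)."""
import json
from collections import defaultdict

# eventSource is sts.amazonaws.com for ALL STS calls, global or regional.
STS_EVENT_SOURCE = "sts.amazonaws.com"

# DNS suffix per partition for the regional endpoint sts.<region>.<suffix>.
STS_DNS_SUFFIX = {
    "aws": "amazonaws.com",
    "aws-cn": "amazonaws.com.cn",
    "aws-us-gov": "amazonaws.com",
}


def regional_sts_endpoint(region, partition="aws"):
    """Build the regional STS endpoint URL, e.g. https://sts.us-west-2.amazonaws.com."""
    if partition not in STS_DNS_SUFFIX:
        raise ValueError(f"unknown partition: {partition}")
    return f"https://sts.{region}.{STS_DNS_SUFFIX[partition]}"


def partition_of(arn):
    """Read the partition out of an ARN (arn:aws-cn:iam::... -> aws-cn)."""
    parts = arn.split(":")
    return parts[1] if len(parts) > 1 and parts[0] == "arn" else "aws"


def _field(record, name):
    """ASSUMPTION: the new fields may sit at the top level or in additionalEventData."""
    if name in record:
        return record[name]
    return (record.get("additionalEventData") or {}).get(name)


def find_global_endpoint_callers(records):
    """Group global-endpoint STS calls by (principal ARN, user agent).

    Returns {(arn, user_agent): {"calls": n, "serving_regions": {...}}}."""
    callers = defaultdict(lambda: {"calls": 0, "serving_regions": set()})
    for rec in records:
        if rec.get("eventSource") != STS_EVENT_SOURCE:
            continue  # not an STS call at all
        if _field(rec, "endpointType") != "global":
            continue  # already using a regional endpoint
        principal = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        key = (principal, rec.get("userAgent", "<unknown>"))
        callers[key]["calls"] += 1
        serving = _field(rec, "awsServingRegion")
        if serving:
            callers[key]["serving_regions"].add(serving)
    return callers


def migration_report(trail_json):
    """Parse a CloudTrail log file (JSON with a 'Records' list) into one row per
    global-endpoint caller, with a suggested regional endpoint where the serving
    region reveals where the caller runs (heuristic; None when it does not)."""
    records = json.loads(trail_json)["Records"]
    rows = []
    for (principal, agent), info in sorted(find_global_endpoint_callers(records).items()):
        local_regions = info["serving_regions"] - {"us-east-1"}
        suggested = None
        if len(local_regions) == 1:
            suggested = regional_sts_endpoint(next(iter(local_regions)), partition_of(principal))
        rows.append({"principal": principal, "user_agent": agent,
                     "calls": info["calls"], "suggested_endpoint": suggested})
    return rows


# Constructed sample CloudTrail records (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-a"},
     "userAgent": "aws-sdk-java/1.12.0", "endpointType": "global", "awsServingRegion": "us-west-2"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-a"},
     "userAgent": "aws-sdk-java/1.12.0", "endpointType": "global", "awsServingRegion": "us-west-2"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "eu-north-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-b"},
     "userAgent": "aws-cli/2.15.0",
     "additionalEventData": {"endpointType": "regional", "awsServingRegion": "eu-north-1"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/onprem-sync"},
     "userAgent": "Boto3/1.34.0", "endpointType": "global", "awsServingRegion": "us-east-1"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-a"}, "userAgent": "aws-cli/2.15.0"},
]})

if __name__ == "__main__":
    for row in migration_report(SAMPLE_TRAIL):
        print(row)
```

Point the script at the decompressed CloudTrail files for your trail, and the principals with a non-empty suggested_endpoint are the ones you can re-point immediately by setting endpoint_url in the SDK client, or by switching the SDK setting sts_regional_endpoints to regional, which every AWS SDK and the CLI honour. Rows with no suggestion need a conversation with the owning team about which region their workload actually runs in.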

Step 3: Test, Test, Test!

Before making changes everywhere:

  • Use the new endpoints in your test environment.

  • Monitor performance metrics closely.

  • Ensure everything runs smoothly.

Step 4: Spread the Word

Get your team on board:

  • Share the good news about faster credential access

  • Update your documentation

Pro Tips and Tricks

Logging Changes

CloudTrail is gaining some new features:

  • New fields: endpointType and awsServingRegion

  • The aws:RequestedRegion condition key will continue to show us-east-1 for calls to sts.amazonaws.com (worth knowing if your automation or policies depend on it)

Quota Management

Remember that global and regional endpoints have separate quotas, similar to having different budgets for different stores!

The Road Ahead

AWS is gradually rolling this out across regions by mid-2025, starting with Europe (Stockholm). It's like a world tour, but for cloud services! 🌍

Wrapping Up

This is a significant advancement for AWS STS users worldwide. By switching to regional endpoints now, you're not only preparing for the future but also improving performance and reliability today.

Remember, the cloud is all about evolving, and this change is just another step in enhancing your AWS experience. Stay curious, keep learning, and make sure to test those changes before deploying to production!

Have questions, thoughts, or stories about global endpoints? Share them in the comments below! 💭


P.S. While no immediate action is required, being proactive about these changes will make your future self (and your applications) much happier! 😊


Written by

Harshwardhan Choudhary

Passionate cloud architect specializing in AWS serverless architectures and infrastructure as code. I help organizations build and scale their cloud infrastructure using modern DevOps practices. With expertise in AWS Lambda, Terraform, and data engineering, I focus on creating efficient, cost-effective solutions. Currently based in the Netherlands, working on projects that push the boundaries of cloud computing and automation.