STS exposes its APIs through a service endpoint, and the AWS SDKs provide functions for programmatic access to it. STS also integrates with AWS CloudTrail, so each request and the details about it can be logged; this log information is stored in an S3 bucket.
STS enables SAML 2.0 federation. The client authentication flow is as follows:
Federation can also be used to allow external users to access services in the AWS account through Amazon Cognito. Cognito lets users authenticate with third-party identity providers (such as Amazon, Facebook, or Google) and exchanges the token issued by the identity provider for a Cognito token. The Cognito token is then used to obtain temporary credentials from STS for accessing resources in the AWS account.
STS plays a vital role because it supports AWS CloudTrail, which helps with the audit process: we can track successful and failed requests, their origin, and other details about each request. Hence, STS becomes the first priority for most teams when it comes to authenticating users.
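The audit use described above, as an added example that is not part of the original text: a small Python script that reads a CloudTrail log file, keeps only the STS events, and separates successful calls from failed ones (CloudTrail marks a failure by adding an `errorCode` field to the record). The log records are constructed for this example; the account ID and IP addresses are documentation/test values, not real ones.

```python
import json
from collections import Counter

# Constructed CloudTrail log file (not real log data) containing three STS
# calls and one unrelated S3 call. The account ID is the AWS documentation
# example value; IPs are from the RFC 5737 test ranges.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ReadOnly"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin"},
     "errorCode": "AccessDenied"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "WebIdentityUser", "userName": "cognito-user"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AppUser"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole"}},
]})


def summarize_sts_events(trail_json):
    """Return success/failure counts and per-failure details for STS calls.

    CloudTrail adds an errorCode field to a record when the API call failed;
    records without it were successful.
    """
    records = json.loads(trail_json)["Records"]
    sts = [r for r in records if r.get("eventSource") == "sts.amazonaws.com"]
    summary = {"total": len(sts), "succeeded": 0, "failed": 0,
               "by_event": Counter(), "failures": []}
    for rec in sts:
        summary["by_event"][rec["eventName"]] += 1
        if "errorCode" in rec:
            summary["failed"] += 1
            summary["failures"].append({
                "event": rec["eventName"],
                "caller": rec.get("userIdentity", {}).get("userName", "unknown"),
                "source_ip": rec.get("sourceIPAddress"),
                "role": rec.get("requestParameters", {}).get("roleArn"),
                "error": rec["errorCode"]})
        else:
            summary["succeeded"] += 1
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_sts_events(SAMPLE_TRAIL), indent=2))
```

On a real trail, the same function can be fed each gzipped log object downloaded from the CloudTrail S3 bucket; the origin and role fields in the failures list are what an auditor would review first.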