STS (Security Token Service) can generate credentials with much finer-grained control than just access to a whole bucket. You can require user authentication, do rate limiting, and set expire times. To allow a client to upload an image, for example, you can generate credentials that only grant privileges to a specific file location. It's much better than embedding master IAM credentials in a client.
jbert|12 years ago
In terms of comparing the two approaches, I can see that if you are granting different creds based on a user auth, an STS is useful to grant temporary creds limited to a subset.
I'll need to look up the details of how much more fine-grained the STS tokens are than the IAM creds to see how much difference there is in the anonymous case.