AWS Security ChangesHomeSearch

AWS amazonq high security documentation change

Service: amazonq · 2025-04-18 · Security-related high

File: amazonq/latest/qdeveloper-ug/gitlab-concepts.md

Summary

Updated terminology from 'OpenID Connect (OIDC)' to 'identity provider', removed preview notice, adjusted GitLab version requirement, modified policy documentation to reference managed policies instead of inline policies, and corrected OIDC audience claim syntax

Security assessment

The change to OIDC audience claim syntax (adding ':aud' suffix) appears to address a potential misconfiguration in token validation. This correction helps ensure proper audience validation in OIDC flows, which is critical for security. The documentation now also explicitly references security features like KMS key management and IAM role configuration.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/gitlab-concepts.md b/amazonq/latest/qdeveloper-ug/gitlab-concepts.md
index cf16bc8ff..8cb2988be 100644
--- a//amazonq/latest/qdeveloper-ug/gitlab-concepts.md
+++ b//amazonq/latest/qdeveloper-ug/gitlab-concepts.md
@@ -5 +5 @@
-Configuring GitLab Duo with Amazon QOnboarding with AWS OpenID Connect (OIDC) and IAM role creationGitLab quick actions
+Configuring GitLab Duo with Amazon QOnboarding with AWS identity provider and IAM role creationGitLab quick actions
@@ -9,4 +8,0 @@ Configuring GitLab Duo with Amazon QOnboarding with AWS OpenID Connect (OIDC) an
-###### Note
-
-GitLab Duo with Amazon Q is in preview release and is subject to change.
-
@@ -19 +15 @@ Here are some concepts and terms to know when using [GitLab Duo with Amazon Q](h
-  * Onboarding with AWS OpenID Connect (OIDC) and IAM role creation
+  * Onboarding with AWS identity provider and IAM role creation
@@ -30 +26 @@ Before you can use Amazon Q artificial intelligence (AI) capabilities in GitLab,
-  * Have a [self-managed instance](https://docs.gitlab.com/ee/subscriptions/self_managed/) with [GitLab 17.18](https://docs.gitlab.com/update/versions/gitlab_17_changes/#1780) or later.
+  * Have a [self-managed instance](https://docs.gitlab.com/ee/subscriptions/self_managed/) with [GitLab 17.8.0](https://docs.gitlab.com/update/versions/gitlab_17_changes/#1780) or later.
@@ -32 +28 @@ Before you can use Amazon Q artificial intelligence (AI) capabilities in GitLab,
-  * Have a [GitLab Ultimate subscription with Amazon Q subscription](https://about.gitlab.com/pricing/ultimate/) (no trial access).
+  * Have a [GitLab Ultimate subscription with Amazon Q](https://about.gitlab.com/pricing/ultimate/) (no trial access).
@@ -43 +39 @@ Before you can use Amazon Q artificial intelligence (AI) capabilities in GitLab,
-## Onboarding with AWS OpenID Connect (OIDC) and IAM role creation
+## Onboarding with AWS identity provider and IAM role creation
@@ -45 +41 @@ Before you can use Amazon Q artificial intelligence (AI) capabilities in GitLab,
-As part of the GitLab Duo onboarding process, you need to create an Amazon Q Developer profile through the [Amazon Q Developer console](https://console.aws.amazon.com/amazonq/developer/home). The profile allows you to create customization and control settings for all or a subset of users in your identity provider. Once the profile Amazon Q Developer profile is created, either add a GitLab OpenID Connect (OIDC) identity provider or use a current GitLab OIDC provider. The OIDC identity provider, as well as an IAM service role, is required to establish trust between GitLab Duo and your AWS account. To learn how to create the required resources and set up GitLab Duo with Amazon Q, see [Set up GitLab Duo with Amazon Q](https://docs.gitlab.com/ee/user/duo_amazon_q/setup.html) in the _GitLab documentation_.
+As part of the GitLab Duo onboarding process, you need to create an Amazon Q Developer profile through the [Amazon Q Developer console](https://console.aws.amazon.com/amazonq/developer/home). The profile allows you to create customization and control settings for all or a subset of users in your identity provider. After creating a profile, you need an OpenID Connect (OIDC) identity provider (IdP), as well as an IAM service role, to establish trust between GitLab Duo and your AWS account. To learn how to create the required resources and set up GitLab Duo with Amazon Q, see [Set up GitLab Duo with Amazon Q](https://docs.gitlab.com/ee/user/duo_amazon_q/setup.html) in the _GitLab documentation_.
@@ -49 +45 @@ When the new IAM role is created, the required trust policy with the necessary p
-You need to create an inline policy, which grants permission to connect with Amazon Q and utilize the features in the GitLab Duo with Amazon Q integration. The policy is added to the IAM role created from the Amazon Q Developer console to access Amazon Q. For more information, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) and [Policies and permissions in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the _IAM User Guide_.
+You need to add a permissions policy, which grants ability to connect with Amazon Q and utilize the features in the GitLab Duo with Amazon Q integration. The policy must be added when creating the IAM role. To learn more about the permissions provided by the permissions policy, see [GitLabDuoWithAmazonQPermissionsPolicy](./managed-policy.html#amazonq-policy-GitLabDuoWithAmazonQPermissionsPolicy).
@@ -51 +47 @@ You need to create an inline policy, which grants permission to connect with Ama
-Optionally, you can also use customer managed keys (CMK) to encrypt your resources if you want full control over the lifecycle and usage of your key. The `kms:ViaService` condition key to limit who can use CMK for encrypting and decrypting content. For more information, see [Manage access to Amazon Q Developer for third-party integration](./security_iam_manage-access-with-kms-policies.html).
+Alternatively, you can create an inline policy and add the required permissions. You can choose to create an inline policy if you want to custom access control. For more information, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) and [Policies and permissions in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the _IAM User Guide_.
@@ -67 +63 @@ Optionally, you can also use customer managed keys (CMK) to encrypt your resourc
-                     "auth.token.gitlab.com/cc/oidc/{{Instance_ID}}": "gitlab-cc-{{Instance_ID}}"
+                     "auth.token.gitlab.com/cc/oidc/{{Instance_ID}}:aud": "gitlab-cc-{{Instance_ID}}"
@@ -75 +71 @@ Optionally, you can also use customer managed keys (CMK) to encrypt your resourc
-**Inline policy**
+**Permissions policy**
@@ -116,0 +113,2 @@ Optionally, you can also use customer managed keys (CMK) to encrypt your resourc
+Optionally, you can also use customer managed keys (CMK) to encrypt your resources if you want full control over the lifecycle and usage of your key. The `kms:ViaService` condition key to limit who can use CMK for encrypting and decrypting content. For more information, see [Manage access to Amazon Q Developer for third-party integration](./security_iam_manage-access-with-kms-policies.html).
+