AWS Security ChangesHomeSearch

AWS amazonq high security documentation change

Service: amazonq · 2025-05-10 · Security-related high

File: amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md

Summary

Added IAM policy conditions enforcing source ARN and account validation for Identity Center application access

Security assessment

The added Condition block implements resource-based access controls (ArnEquals and StringEquals) to restrict access to specific sources. This hardens security by preventing cross-account or unauthorized resource access through explicit policy constraints.

Diff

diff --git a/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md b/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
index f874a2a7c..47c1723c9 100644
--- a//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
+++ b//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
@@ -109 +109,9 @@ The following section outlines the steps to set up the Amazon Q Business control
-                        "Resource": "your-identity-center-custom-application-arn"
+                        "Resource": "your-identity-center-custom-application-arn",
+                        "Condition": {
+                            "ArnEquals": {
+                                "aws:SourceArn": "arn:${ArnPartition}:${Service}:${Region}:${AppAccountId}:${Resource}"
+                            },
+                            "StringEquals": {
+                                "aws:SourceAccount": "${AppAccountId}"
+                            }
+                        }
@@ -238,4 +246,4 @@ Use the Java or JavaScript SDK to create the plugin and make calls to Amazon Q B
-    TipPlugin tipPlugin = TipPlugin.builder()
-            .idToken(id token from Okta)
-            .ssoClientId(your custom IdC application arn)
-            .roleArn(your IAM role ARN)
+    TrustedIdentityPropagationPlugin tipPlugin = TrustedIdentityPropagationPlugin.builder()
+      .webTokenProvider(() -> id token from Okta)
+      .applicationArn(your custom IdC application arn)
+      .accessRoleArn(AccessRoleArn))