AWS amazonq high security documentation change
Summary
Added IAM policy conditions enforcing source ARN and account validation for Identity Center application access
Security assessment
The added Condition block implements resource-based access controls (ArnEquals and StringEquals) to restrict access to specific sources. This hardens security by preventing cross-account or unauthorized resource access through explicit policy constraints.
Diff
diff --git a/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md b/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md index f874a2a7c..47c1723c9 100644 --- a//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md +++ b//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md @@ -109 +109,9 @@ The following section outlines the steps to set up the Amazon Q Business control - "Resource": "your-identity-center-custom-application-arn" + "Resource": "your-identity-center-custom-application-arn", + "Condition": { + "ArnEquals": { + "aws:SourceArn": "arn:${ArnPartition}:${Service}:${Region}:${AppAccountId}:${Resource}" + }, + "StringEquals": { + "aws:SourceAccount": "${AppAccountId}" + } + } @@ -238,4 +246,4 @@ Use the Java or JavaScript SDK to create the plugin and make calls to Amazon Q B - TipPlugin tipPlugin = TipPlugin.builder() - .idToken(id token from Okta) - .ssoClientId(your custom IdC application arn) - .roleArn(your IAM role ARN) + TrustedIdentityPropagationPlugin tipPlugin = TrustedIdentityPropagationPlugin.builder() + .webTokenProvider(() -> id token from Okta) + .applicationArn(your custom IdC application arn) + .accessRoleArn(AccessRoleArn))