AWS Security ChangesHomeSearch

AWS amazonq medium security documentation change

Service: amazonq · 2025-05-10 · Security-related medium

File: amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md

Summary

Updated SDK code examples to use TrustedIdentityPropagationPlugin with web token provider and clarified ARN parameters

Security assessment

The change replaces direct credential handling with a token provider pattern, which improves security by abstracting sensitive credential management. The renamed plugin ('TrustedIdentityPropagation') indicates enhanced identity verification flows.

Diff

diff --git a/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md b/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
index f874a2a7c..47c1723c9 100644
--- a//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
+++ b//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md
@@ -109 +109,9 @@ The following section outlines the steps to set up the Amazon Q Business control
-                        "Resource": "your-identity-center-custom-application-arn"
+                        "Resource": "your-identity-center-custom-application-arn",
+                        "Condition": {
+                            "ArnEquals": {
+                                "aws:SourceArn": "arn:${ArnPartition}:${Service}:${Region}:${AppAccountId}:${Resource}"
+                            },
+                            "StringEquals": {
+                                "aws:SourceAccount": "${AppAccountId}"
+                            }
+                        }
@@ -238,4 +246,4 @@ Use the Java or JavaScript SDK to create the plugin and make calls to Amazon Q B
-    TipPlugin tipPlugin = TipPlugin.builder()
-            .idToken(id token from Okta)
-            .ssoClientId(your custom IdC application arn)
-            .roleArn(your IAM role ARN)
+    TrustedIdentityPropagationPlugin tipPlugin = TrustedIdentityPropagationPlugin.builder()
+      .webTokenProvider(() -> id token from Okta)
+      .applicationArn(your custom IdC application arn)
+      .accessRoleArn(AccessRoleArn))