AWS Security ChangesHomeSearch

AWS prometheus medium security documentation change

Service: prometheus · 2025-08-16 · Security-related medium

File: prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md

Summary

Updated IAM role configuration with specific OIDC provider ARN and added 'aud' claim condition

Security assessment

Added 'aud' (audience) claim validation to OIDC conditions ensures tokens are intended for AWS STS, preventing token misuse. This addresses potential misconfigurations in IAM trust policies.

Diff

diff --git a/prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md b/prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md
index 362786f43..9f1d540e7 100644
--- a//prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md
+++ b//prometheus/latest/userguide/AMP-onboard-ingest-metrics-OpenTelemetry.md
@@ -44,0 +45,6 @@ The ADOT Collector will use this role when it scrapes and exports metrics.
+JSON
+    
+
+****
+    
+    
@@ -51 +57 @@ The ADOT Collector will use this role when it scrapes and exports metrics.
-            "Federated": "arn:aws:iam::account-id:oidc-provider/oidc.eks.region.amazonaws.com/id/openid"
+            "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
@@ -56 +62,2 @@ The ADOT Collector will use this role when it scrapes and exports metrics.
-              "oidc.eks.region.amazonaws.com/id/openid:sub": "system:serviceaccount:adot-col:amp-iamproxy-ingest-service-account"
+              "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:adot-col:amp-iamproxy-ingest-service-account",
+              "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
@@ -64,0 +73,6 @@ The ADOT Collector will use this role when it scrapes and exports metrics.
+JSON
+    
+
+****
+    
+