AWS Security ChangesHomeSearch

AWS iot documentation change

Service: iot · 2026-04-10 · Documentation medium

File: iot/latest/developerguide/iam-users-groups-roles.md

Summary

Added documentation about proper signing behavior for temporary security credentials in AWS IoT HTTP connections, specifically that X-Amz-Security-Token should not be included in canonical query string

Security assessment

This adds important security documentation about correct authentication implementation for AWS IoT. While it doesn't address a specific security vulnerability, it provides guidance to prevent authentication failures and potential security issues from incorrect implementation.

Diff

diff --git a/iot/latest/developerguide/iam-users-groups-roles.md b/iot/latest/developerguide/iam-users-groups-roles.md
index edd229da8..e20780c4b 100644
--- a//iot/latest/developerguide/iam-users-groups-roles.md
+++ b//iot/latest/developerguide/iam-users-groups-roles.md
@@ -12,0 +13,13 @@ For message broker connections over HTTP, AWS IoT authenticates users, groups, a
+When authenticating requests using query parameters with [temporary security credentials provided by AWS Security Token Service (AWS STS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html), do not include `X-Amz-Security-Token` in the canonical query string when calculating the signature. Instead, append `X-Amz-Security-Token` as a query parameter after the signature has been computed. This differs from some other AWS services that require the security token to be part of the canonical request. For more information, see [ Signing requests with temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html#temporary-security-credentials).
+
+###### Note
+
+The AWS IoT Device SDKs handle this signing behavior automatically. If you are implementing custom signing code, refer to the SDK source for reference:
+
+  * [AWS IoT Device SDK for Python v2](https://github.com/aws/aws-iot-device-sdk-python-v2/blob/main/awsiot/mqtt_connection_builder.py) — see `websockets_with_default_aws_signing()`, which sets `omit_session_token=True`
+
+  * [AWS IoT Device SDK for Java v2](https://github.com/aws/aws-iot-device-sdk-java-v2/blob/main/sdk/src/main/java/software/amazon/awssdk/iot/AwsIotMqttConnectionBuilder.java) — see `setOmitSessionToken(true)`
+
+
+
+