AWS Security ChangesHomeSearch

AWS code-library high security documentation change

Service: code-library · 2026-05-01 · Security-related high

File: code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md

Summary

Added clarification about including multiple thumbprints when OIDC provider's discovery and JWKS endpoints use different certificates

Security assessment

This change addresses a security-critical configuration gap where using different certificates for discovery and JWKS endpoints could lead to trust validation failures. Without both thumbprints, token verification might fail or allow improperly validated tokens, creating authentication vulnerabilities.

Diff

diff --git a/code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md b/code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md
index 656570ee7..80ea291c4 100644
--- a//code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md
+++ b//code-library/latest/ug/iam_example_iam_UpdateOpenIdConnectProviderThumbprint_section.md
@@ -28,0 +29,2 @@ This example updates the certificate thumbprint list for the OIDC provider whose
+If your OIDC provider's discovery and JWKS endpoints use different certificates, include thumbprints for both endpoints in the `--thumbprint-list` value.
+