AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2026-05-28 · Documentation medium

File: IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md

Summary

Updated GitHub Actions OIDC requirements to accept job_workflow_ref claim.

Security assessment

Expands secure-by-default configuration options for GitHub OIDC without referencing a specific security issue. Enhances authentication granularity.

Diff

diff --git a/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md b/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md
index 66893a62b..5141e9f00 100644
--- a//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md
+++ b//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md
@@ -40 +40 @@ OIDC IdP | OIDC URL | Tenancy Claim | Required Claims
-[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub |  `token.actions.githubusercontent.com:sub`  
+[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub or job_workflow_ref |  `token.actions.githubusercontent.com:sub` or `token.actions.githubusercontent.com:job_workflow_ref`