AWS IAM medium security documentation change
Summary
Updated GitHub Actions OIDC configuration: removed 'job_workflow_ref' from required claims, now only requires 'sub' claim.
Security assessment
Removing 'job_workflow_ref' reduces the attack surface by simplifying required claims. This change directly impacts security configuration for GitHub OIDC integration and aligns with secure-by-default principles by minimizing claim requirements.
Diff
diff --git a/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md b/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md index 5141e9f00..66893a62b 100644 --- a//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md +++ b//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md @@ -40 +40 @@ OIDC IdP | OIDC URL | Tenancy Claim | Required Claims -[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub or job_workflow_ref | `token.actions.githubusercontent.com:sub` or `token.actions.githubusercontent.com:job_workflow_ref` +[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub | `token.actions.githubusercontent.com:sub`