AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2026-07-10 · Security-related medium

File: IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md

Summary

Updated GitHub Actions OIDC configuration: removed 'job_workflow_ref' from required claims, now only requires 'sub' claim.

Security assessment

Removing 'job_workflow_ref' reduces the attack surface by simplifying required claims. This change directly impacts security configuration for GitHub OIDC integration and aligns with secure-by-default principles by minimizing claim requirements.

Diff

diff --git a/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md b/IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md
index 5141e9f00..66893a62b 100644
--- a//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md
+++ b//IAM/latest/UserGuide/id_roles_providers_oidc_secure-by-default.md
@@ -40 +40 @@ OIDC IdP | OIDC URL | Tenancy Claim | Required Claims
-[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub or job_workflow_ref |  `token.actions.githubusercontent.com:sub` or `token.actions.githubusercontent.com:job_workflow_ref`  
+[GitHub actions](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) | `https://token.actions.githubusercontent.com` | sub |  `token.actions.githubusercontent.com:sub`