OIDC federation lets you issue temporary security credentials to identities that have authenticated with an OpenID Connect compatible identity provider (IdP) registered as an IAM OpenID Connect (OIDC) identity provider in your AWS environment. This section outlines example controls that govern which external OIDC IdPs, and which tenants within them, can be granted access to your organization's resources.
Control | Rationale |
---|---|
Enforce trusted OIDC providers | Limit sts:AssumeRoleWithWebIdentity to federated identities from specific, trusted OIDC providers that use a dedicated issuer URL. |
Enforce trusted OIDC tenants | Limit sts:AssumeRoleWithWebIdentity to federated identities originating from your tenant of a trusted multi-tenant OIDC provider. |
Enforce only trusted GitHub organizations when using GitHub's default issuer | Help ensure that only repositories and jobs from your tenant of GitHub's SaaS environment can assume roles in your AWS accounts using AssumeRoleWithWebIdentity. This control applies when you use the default issuer URL shared by all GitHub environments, token.actions.githubusercontent.com, and it uses part of the "sub" (subject) claim to identify which tenant the token presented to AssumeRoleWithWebIdentity belongs to. For example, a Deny statement with a StringNotLike condition on the subject claim and the pattern "repo:<octo-org>/*", with <octo-org> replaced by your GitHub organization name, denies access to your AWS accounts from GitHub Actions except when the job belongs to your organization. |
Deny the built-in web identity providers (e.g., Facebook, Google, Login with Amazon, Cognito) | Deny the four built-in web identity providers (Google, Facebook, Amazon Cognito and Login with Amazon) from assuming roles in your AWS accounts using AssumeRoleWithWebIdentity. |
Enforce only specific tenants within providers with a shared issuer URL
Some third-party services that integrate with AWS using OIDC use a shared "issuer" (iss) URL for all tenants of their service. Because the issuer is shared, an IAM role that trusts one of these providers must also check tenancy with condition keys in its role trust policy; otherwise, tenants of the same service other than the one you intend can assume your IAM roles and access your AWS resources.
These example RCP statements help ensure that only your tenant of these third-party services can assume your roles and access your resources, even when a role trust policy is misconfigured and does not check tenancy. The sample policy has one statement per service issuer URL, with the example controls based on each service's documentation. The placeholder that identifies your tenant, shown in angle brackets ("<>"), uses the term from that service's documentation. To use the sample policy, include only the statements for the third-party services you use in your AWS organization.
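As an added example (not the sample policy from this repository), the Python below evaluates two RCP Deny statements of the kind described above against constructed AssumeRoleWithWebIdentity request contexts: a job from your GitHub organization, a job from another organization on the same shared issuer, a login through a built-in provider, and a token from a dedicated OIDC provider. It also shows what happens when the GitHub statement is written without its issuer scope. The statement bodies, the condition key names and value formats (aws:FederatedProvider carrying the IAM OIDC provider ARN or a built-in provider's host name, and token.actions.githubusercontent.com:sub carrying GitHub's subject claim), the organization name example-org and the request contexts are all assumptions made for this illustration; verify the keys against the AWS and GitHub documentation before using them in a real RCP.

```python
"""Evaluate example RCP Deny statements for sts:AssumeRoleWithWebIdentity against
constructed request contexts. Added example, not the repository's sample policy.
It models only the slice of IAM evaluation needed here: Deny statements with
StringEquals / StringLike / StringNotLike on single-valued keys, plus IAM's rule
that a negated operator matches when its key is absent from the request.
Condition key names and value formats are assumptions; check the AWS/GitHub docs."""
import copy
import json
import re

# Example RCP (constructed). "<octo-org>" is GitHub's placeholder for your
# organization name; with_org() fills it in.
EXAMPLE_RCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnforceGitHubOrganizationOnDefaultIssuer",
     "Effect": "Deny", "Principal": "*", "Action": "sts:AssumeRoleWithWebIdentity", "Resource": "*",
     "Condition": {
         # Scope to the shared GitHub issuer first, then deny any subject outside your org.
         "StringLike": {"aws:FederatedProvider":
                        "arn:aws:iam::*:oidc-provider/token.actions.githubusercontent.com"},
         "StringNotLike": {"token.actions.githubusercontent.com:sub": "repo:<octo-org>/*"}}},
    {"Sid": "DenyBuiltInWebIdentityProviders",
     "Effect": "Deny", "Principal": "*", "Action": "sts:AssumeRoleWithWebIdentity", "Resource": "*",
     "Condition": {"StringEquals": {"aws:FederatedProvider": [
         "accounts.google.com", "graph.facebook.com", "www.amazon.com",
         "cognito-identity.amazonaws.com"]}}},
]}


def with_org(policy, org):
    """Return a copy of the policy with <octo-org> replaced by the organization name."""
    return json.loads(json.dumps(policy).replace("<octo-org>", org))


def _wildcard_match(pattern, value):
    """IAM string wildcards: '*' matches any run, '?' one character; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


# operator -> (match function, negated?)
_OPERATORS = {
    "StringEquals": (lambda p, v: p == v, False),
    "StringLike": (_wildcard_match, False),
    "StringNotLike": (_wildcard_match, True),
}


def _condition_matches(operator, key, patterns, request):
    match, negated = _OPERATORS[operator]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    value = request.get(key)
    if value is None:
        # Absent key: positive operators fail, negated operators match. This is why
        # the GitHub statement scopes on aws:FederatedProvider before its StringNotLike
        # on the sub claim; without that scope it would deny every other IdP.
        return negated
    hit = any(match(p, value) for p in patterns)
    return not hit if negated else hit


def statement_denies(statement, request):
    """True when a Deny statement's Action and every Condition block match the request."""
    if statement["Effect"] != "Deny":
        return False
    actions = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    if not any(_wildcard_match(a, request["action"]) for a in actions):
        return False
    return all(_condition_matches(op, key, patterns, request)
               for op, keys in statement.get("Condition", {}).items()
               for key, patterns in keys.items())


def rcp_denies(policy, request):
    """Sid of the first matching Deny statement, or None when the RCP does not block the call."""
    for stmt in policy["Statement"]:
        if statement_denies(stmt, request):
            return stmt["Sid"]
    return None


def unscoped_github_statement(policy):
    """The GitHub statement with its issuer scope removed: a common mistake."""
    stmt = copy.deepcopy(policy["Statement"][0])
    del stmt["Condition"]["StringLike"]
    return stmt


POLICY = with_org(EXAMPLE_RCP, "example-org")

# Constructed request contexts for four AssumeRoleWithWebIdentity calls.
_ACTION = "sts:AssumeRoleWithWebIdentity"
_GITHUB = "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"
OWN_ORG_JOB = {"action": _ACTION, "aws:FederatedProvider": _GITHUB,
               "token.actions.githubusercontent.com:sub": "repo:example-org/app:ref:refs/heads/main"}
OTHER_ORG_JOB = {"action": _ACTION, "aws:FederatedProvider": _GITHUB,
                 "token.actions.githubusercontent.com:sub": "repo:other-org/app:ref:refs/heads/main"}
GOOGLE_LOGIN = {"action": _ACTION, "aws:FederatedProvider": "accounts.google.com"}
DEDICATED_IDP = {"action": _ACTION,
                 "aws:FederatedProvider": "arn:aws:iam::111122223333:oidc-provider/oidc.example.com",
                 "oidc.example.com:sub": "build-agent-7"}
```

Run with `python3` and call `rcp_denies(POLICY, OTHER_ORG_JOB)` to see the GitHub statement fire while `OWN_ORG_JOB` and `DEDICATED_IDP` pass; `statement_denies(unscoped_github_statement(POLICY), DEDICATED_IDP)` returns True, which is the failure mode the issuer scope prevents.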
Here is a list of the service providers covered in this sample, and their documentation:
This list may not include every third-party service provider that uses a shared issuer URL for its OIDC integration with AWS accounts. Review the relevant documentation from your service providers to confirm that your security objectives are met when you configure an OIDC integration from a third-party service to AWS.
Note that this sample, with all providers and all included whitespace, exceeds the RCP size limit. Reduce the policy size by removing the statements for providers you do not use and stripping whitespace.