Limit-access-to-trusted-OIDC-identity-providers.md

File metadata and controls

11 lines (8 loc) · 2.24 KB

Limit access to trusted OIDC identity providers

  • OIDC federation grants temporary security credentials to users who have authenticated with an OpenID Connect compatible identity provider (IdP) that is registered as an IAM OpenID Connect (OIDC) identity provider in your AWS environment. This section outlines control examples that govern the authorization mechanisms through which external OIDC identity providers (IdPs) obtain access to your organization's resources.
| Service Provider | Rationale |
|---|---|
| Enforce trusted OIDC providers | Limit access to sts:AssumeRoleWithWebIdentity to federated identities associated with a specific OIDC provider only. |
| Enforce trusted OIDC tenants | Limit access to sts:AssumeRoleWithWebIdentity to federated identities originating from your tenant of a trusted multi-tenant OIDC provider only. |
| Default GitHub Actions | Help ensure that only repositories and jobs from your tenant within GitHub's SaaS environment can assume roles in your AWS accounts using AssumeRoleWithWebIdentity. This control is effective when you use the default issuer URL shared by all GitHub environments, token.actions.githubusercontent.com, and it uses part of the "sub" (subject) claim value to identify which tenant a given token calling AssumeRoleWithWebIdentity belongs to. For example, you can use `StringLike "repo:<octo-org>/*"`, replacing `<octo-org>` with the expected value of your "enterprise slug", to deny access to your AWS accounts from GitHub Actions except when the action belongs to your tenant of GitHub. |
| Deny the built-in web identity providers (e.g., Facebook, Google, Login with Amazon, Cognito) | Deny the four built-in web identity providers (Google, Facebook, AWS Cognito and Login with Amazon) from assuming roles in your AWS accounts using AssumeRoleWithWebIdentity. |
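The following service control policy is an added example, not a policy file from this repository, that implements the "Default GitHub Actions" and "Deny the built-in web identity providers" rows above. The first statement denies AssumeRoleWithWebIdentity whenever a GitHub token is present (the `Null` check scopes the deny to requests that carry the `token.actions.githubusercontent.com:sub` key) and its `sub` claim does not start with your tenant's `repo:<octo-org>/` prefix; `<octo-org>` is the page's placeholder and must be replaced. The remaining statements deny any request whose context carries one of the built-in providers' claim keys, one statement per provider because condition keys within a single block are ANDed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTrustedGitHubTenant",
      "Effect": "Deny",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*",
      "Condition": {
        "Null": {"token.actions.githubusercontent.com:sub": "false"},
        "StringNotLike": {"token.actions.githubusercontent.com:sub": "repo:<octo-org>/*"}
      }
    },
    {
      "Sid": "DenyGoogleWebIdentity",
      "Effect": "Deny",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*",
      "Condition": {"Null": {"accounts.google.com:aud": "false"}}
    },
    {
      "Sid": "DenyFacebookWebIdentity",
      "Effect": "Deny",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*",
      "Condition": {"Null": {"graph.facebook.com:app_id": "false"}}
    },
    {
      "Sid": "DenyLoginWithAmazonWebIdentity",
      "Effect": "Deny",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*",
      "Condition": {"Null": {"www.amazon.com:app_id": "false"}}
    },
    {
      "Sid": "DenyCognitoWebIdentity",
      "Effect": "Deny",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*",
      "Condition": {"Null": {"cognito-identity.amazonaws.com:aud": "false"}}
    }
  ]
}
```

Test the policy against a role whose trust policy already allows GitHub before deploying it organization-wide, since a mismatched `sub` prefix denies every GitHub Actions job in the affected accounts.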