From 57940c9b5e995d810d8e2f2a0729fe4af80f52d7 Mon Sep 17 00:00:00 2001
From: Luca Cavallin <14332663+lucavallin@users.noreply.github.com>
Date: Fri, 31 May 2024 16:46:40 +0200
Subject: [PATCH] Rephrase OIDC security hardening guide for GHES wrt "publicly accessible endpoints" (#50882)
Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
---
 .../configuring-openid-connect-in-amazon-web-services.md | 5 +++++
 .../configuring-openid-connect-in-azure.md | 2 +-
 data/reusables/actions/oidc-endpoints.md | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
index 64f864d6b9..9946d1fe40 100644
--- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
+++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -32,6 +32,11 @@ This guide explains how to configure AWS to trust {% data variables.product.prod
 {% note %}
+ **Note:** You can restrict access to the OIDC endpoints by allowing only [AWS IP address ranges](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html).
+
+ {% endnote %}
+ {% note %}
+
 **Note:** {% data variables.product.prodname_dotcom %} does not natively support AWS session tags.
 {% endnote %}
diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md
index f6d406b7b0..8f02dc0c9e 100644
--- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md
+++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md
@@ -10,7 +10,7 @@ type: tutorial topics: - Security --- - + {% data reusables.actions.enterprise-github-hosted-runners %} ## Overview
diff --git a/data/reusables/actions/oidc-endpoints.md b/data/reusables/actions/oidc-endpoints.md
index f29480e765..005015a1fe 100644
--- a/data/reusables/actions/oidc-endpoints.md
+++ b/data/reusables/actions/oidc-endpoints.md
@@ -1,3 +1,3 @@
-- You must enable the following publicly accessible endpoints:
+- You must ensure the following OIDC endpoints are accessible by your cloud provider:
 - `https://HOSTNAME/_services/token/.well-known/openid-configuration`
 - `https://HOSTNAME/_services/token/.well-known/jwks`