From 7002fa0ca96e273ff2f26ea0ce22e317784b67e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Conrad=20T=C3=B6tterman?= <conrad.totterman@paf.com>
Date: Fri, 19 Nov 2021 18:33:58 +0200
Subject: [PATCH] combine best of two worlds

---
 .../configuring-openid-connect-in-amazon-web-services.md       | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
index 6f991207a3..52dc7d88c2 100644
--- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
+++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md
@@ -42,7 +42,8 @@ By default, the validation only includes the audience (`aud`) condition, so you
 
 ```json{:copy}
 "Condition": {
-  "StringEquals": {
+  "ForAllValues:StringEquals": {
+    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
     "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
   }
 }