From d4bb0351f5b3c9c95b73300d98d3b2f3de8da3c0 Mon Sep 17 00:00:00 2001 From: Chris Patterson Date: Tue, 26 Apr 2022 16:58:00 -0400 Subject: [PATCH] Minor change to IAM Policy example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ForAllValues operator is used. It should be removed, since it applies only to multi-valued condition keys. In this case, the GH “tokens.action.githubusercontent.com:aud/sub” condition keys only have a single value. This will indicate IAM policy warnings to the customer in AWS’s Access Analyzer service since this is incorrect. --- .../configuring-openid-connect-in-amazon-web-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md index 52ba90e107..9939accf88 100644 --- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md @@ -42,7 +42,7 @@ Edit the trust relationship to add the `sub` field to the validation conditions. ```json{:copy} "Condition": { - "ForAllValues:StringEquals": { + "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com", "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch" }
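Review bot: The `ForAllValues:StringEquals` to `StringEquals` change in this hunk is correct, and the stronger reason to land it is the one the commit message does not state: AWS evaluates a `ForAllValues` condition as true when the condition key is absent from the request context, so on a role trust policy the set operator is the weaker of the two, while plain `StringEquals` on the single-valued `token.actions.githubusercontent.com:aud` and `token.actions.githubusercontent.com:sub` keys fails closed. Two small follow-ups: the commit message names the keys as "tokens.action.githubusercontent.com:aud/sub", but the hunk's actual key names are `token.actions.githubusercontent.com:aud` and `token.actions.githubusercontent.com:sub`, so the message should be corrected to match; and since the prose at the hunk header tells readers to add the `sub` field to the validation conditions, one sentence there saying that `StringEquals` (not a `ForAllValues`/`ForAnyValue` set operator) is the operator to use for these single-valued claims would stop readers from carrying the old form over from older examples.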