Wie vermeide ich den Fehler „Unable to validate the following destination configurations“ bei Lambda-Ereignisbenachrichtigungen in CloudFormation?

Wie behebe ich den Fehler „The specified queue does not exist or you do not have access to it.“, wenn ich einen AWS Glue Job ausführe, um Nachrichten an Amazon SQS in einer anderen Region zu senden?

Wie behebe ich den Fehler „Unable to validate the following destination configurations“ in AWS CloudFormation?

Wie komme ich nach der Integration des Identitätsanbieters in Amazon Cognito an von OIDC oder Social Identity Provider ausgestellte Token?

According to the [docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif), only a certain subset of claims in an OIDC token can be used as IAM condition keys. 

After tinkering around with it for a bit, I discovered that the `email` claim is also supported (i.e. `foo.onelogin.com/oidc/2:email`), however this is not documented.

Assuming I have an ID token like the following:
```json
{
  "sub": "...",
  "email": "my-email@example.com",
  "preferred_username": "some-user",
  "name": "Some Person",
  "params": {
    "department": "engineering"
  },
  "at_hash": "...",
  "sid": "....",
  "aud": "....",
  "exp": 1643911968,
  "iat": 1643904768,
  "iss": "https://foo.onelogin.com/oidc/2"
}
```
**How would one be able to create a trust policy that restricts access based on `params.department`?**

The following trust policy **does not** work:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1234:oidc-provider/foo.onelogin.com/oidc/2"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "foo.onelogin.com/oidc/2:params.department": "engineering",
          "foo.onelogin.com/oidc/2:aud": "...."
        }
      }
    }
  ]
}
```

IAM Condition keys: How to access nested attributes in custom OIDC token claims?

Relevanter Inhalt