A neat pattern for web apps in AWS:

Log in a user with OIDC

Use the ID token with AssumeRoleWithWebIdentity to get STS creds

Use the `sub` identifier as a Role policy variable to grant access to namespaced resources in S3 or DynamoDB

This means your app can't access a user's data unless they're actually logged in *right now*. A great way to eliminate ambient authority and reduce blast radius.
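As an added example (not code from the post or the linked PoC), here are the two IAM policy documents behind this pattern, plus a small check that mimics how IAM substitutes the `${<provider>:sub}` variable before matching resources. The provider host, client id, account id and bucket name are placeholders.

```python
import fnmatch

# Placeholders: your OIDC issuer host, your app's client id (the token `aud`),
# the account owning the IAM OIDC provider, and the bucket holding user data.
OIDC_PROVIDER = "oidc.example-idp.test"
OIDC_CLIENT_ID = "my-web-app"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"
BUCKET = "example-user-data"


def trust_policy() -> dict:
    """Who may assume the role: only ID tokens issued by our IdP for our client."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            # Pin the audience so a token minted for another app can't assume this role.
            "Condition": {"StringEquals": {f"{OIDC_PROVIDER}:aud": OIDC_CLIENT_ID}},
        }],
    }


def permissions_policy() -> dict:
    """What the role may do: only the S3 prefix named after the token's `sub`.
    IAM fills in ${<provider>:sub} from the web identity token at evaluation time."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/users/${{{OIDC_PROVIDER}:sub}}/*",
        }],
    }


def allowed_resource(policy: dict, sub: str, resource_arn: str) -> bool:
    """Approximate IAM's Allow evaluation for this policy: substitute the sub
    variable, then wildcard-match the requested ARN against each Allow resource."""
    var = f"${{{OIDC_PROVIDER}:sub}}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Resource"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(resource_arn, p.replace(var, sub)) for p in patterns):
            return True
    return False
```

In the real flow the app exchanges the ID token with `sts.assume_role_with_web_identity(RoleArn=..., RoleSessionName=..., WebIdentityToken=id_token)` and uses the returned short-lived credentials; once the token expires, so does the app's access to that user's prefix.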

See my awesome colleague @probablyfine's PoC: https://github.com/mrwilson/govuk-onelogin-webidentity-spike

@philandstuff @probablyfine oooh we were poking around with OIDC last year but didn't have time to give it a thorough Pay going-over