Tweak AWS OIDC instructions (#11621)

* Tweak AWS OIDC instructions

* Only contents: read is necessary
* Remove :aud filter because it's set to "sts.amazonaws.com" when using aws-actions/configure-aws-credentials

* Update to be valid JSON, and actually remove :aud

Co-authored-by: hubwriter <hubwriter@github.com>

Author: aripollak

content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md

@@ -38,12 +38,11 @@ To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, se
 
 To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html).
 
-By default, the validation only includes the audience (`aud`) condition, so you must manually add a subject (`sub`) condition. Edit the trust relationship to add the `sub` field to the validation conditions. For example:
+Edit the trust relationship to add the `sub` field to the validation conditions. For example:
 
 ```json{:copy}
 "Condition": {
   "StringEquals": {
-    "token.actions.githubusercontent.com:aud": "https://github.com/octo-org",
     "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
   }
 }
@@ -86,7 +85,7 @@ env:
 # permission can be added at job level or workflow level    
 permissions:
       id-token: write
-      contents: write    # This is required for actions/checkout@v1
+      contents: read    # This is required for actions/checkout@v1
 jobs:
   S3PackageUpload:
     runs-on: ubuntu-latest