diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/metadata.json b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/metadata.json
new file mode 100644
index 00000000000..591a7c5bc18
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/metadata.json
@@ -0,0 +1,13 @@
+{
+  "id": "4d8b6e2a-9f3c-4a1d-b7e5-8c2f0d6a3b9e",
+  "queryName": "IAM Role OIDC Trust Missing Sub Condition",
+  "severity": "HIGH",
+  "category": "Access Control",
+  "descriptionText": "An AWS IAM role that trusts an OIDC provider via 'sts:AssumeRoleWithWebIdentity' must include a condition that restricts the 'sub' (subject) claim. Without this condition, any identity that can obtain a token from the OIDC provider (any repository, project, or user) can assume the role.",
+  "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html",
+  "platform": "Terraform",
+  "descriptionID": "4d8b6e2a",
+  "cloudProvider": "aws",
+  "cwe": "284",
+  "riskScore": "8.5"
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/query.rego b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/query.rego
new file mode 100644
index 00000000000..ad158626fce
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/query.rego
@@ -0,0 +1,120 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+# aws_iam_role with inline JSON assume_role_policy: no sub condition
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_iam_role[name]
+	policy := common_lib.get_policy(resource.assume_role_policy)
+	st := common_lib.get_statement(policy)
+	statement := st[_]
+
+	common_lib.is_allow_effect(statement)
+	statement.Action == "sts:AssumeRoleWithWebIdentity"
+	statement.Principal.Federated
+	not has_sub_condition_json(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_role",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_role[%s].assume_role_policy", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("aws_iam_role[%s].assume_role_policy should have a condition restricting the OIDC 'sub' claim", [name]),
+		"keyActualValue": sprintf("aws_iam_role[%s].assume_role_policy has no 'sub' condition, allowing any identity from the OIDC provider to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name, "assume_role_policy"], []),
+	}
+}
+
+# aws_iam_role, action as array (e.g. "Actions": ["sts:AssumeRoleWithWebIdentity"])
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_iam_role[name]
+	policy := common_lib.get_policy(resource.assume_role_policy)
+	st := common_lib.get_statement(policy)
+	statement := st[_]
+
+	common_lib.is_allow_effect(statement)
+	statement.Action[_] == "sts:AssumeRoleWithWebIdentity"
+	statement.Principal.Federated
+	not has_sub_condition_json(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_role",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_role[%s].assume_role_policy", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("aws_iam_role[%s].assume_role_policy should have a condition restricting the OIDC 'sub' claim", [name]),
+		"keyActualValue": sprintf("aws_iam_role[%s].assume_role_policy has no 'sub' condition, allowing any identity from the OIDC provider to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name, "assume_role_policy"], []),
+	}
+}
+
+# aws_iam_policy_document (single statement): no sub condition
+CxPolicy[result] {
+	resource := input.document[i].data.aws_iam_policy_document[name]
+	not is_array(resource.statement)
+	statement := resource.statement
+
+	common_lib.is_allow_effect(statement)
+	statement.actions[_] == "sts:AssumeRoleWithWebIdentity"
+	lower(statement.principals.type) == "federated"
+	not has_sub_condition_hcl(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_policy_document",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_policy_document[%s].statement", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("aws_iam_policy_document[%s].statement should have a condition restricting the OIDC 'sub' claim", [name]),
+		"keyActualValue": sprintf("aws_iam_policy_document[%s].statement has no 'sub' condition, allowing any identity from the OIDC provider to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["data", "aws_iam_policy_document", name, "statement"], []),
+	}
+}
+
+# aws_iam_policy_document (array of statements): no sub condition
+CxPolicy[result] {
+	resource := input.document[i].data.aws_iam_policy_document[name]
+	is_array(resource.statement)
+	statement := resource.statement[_]
+
+	common_lib.is_allow_effect(statement)
+	statement.actions[_] == "sts:AssumeRoleWithWebIdentity"
+	lower(statement.principals.type) == "federated"
+	not has_sub_condition_hcl(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_policy_document",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_policy_document[%s].statement", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("aws_iam_policy_document[%s].statement should have a condition restricting the OIDC 'sub' claim", [name]),
+		"keyActualValue": sprintf("aws_iam_policy_document[%s].statement has no 'sub' condition, allowing any identity from the OIDC provider to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["data", "aws_iam_policy_document", name, "statement"], []),
+	}
+}
+
+# sub condition exists in inline JSON Condition block
+has_sub_condition_json(statement) {
+	statement.Condition[_][key]
+	endswith(key, ":sub")
+}
+
+has_sub_condition_json(statement) {
+	statement.condition[_][key]
+	endswith(key, ":sub")
+}
+
+# sub condition exists in HCL aws_iam_policy_document condition block
+has_sub_condition_hcl(statement) {
+	not is_array(statement.condition)
+	endswith(statement.condition.variable, ":sub")
+}
+
+has_sub_condition_hcl(statement) {
+	is_array(statement.condition)
+	endswith(statement.condition[_].variable, ":sub")
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/negative1.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/negative1.tf
new file mode 100644
index 00000000000..2c98eb448c6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/negative1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "negative1" {
+  name = "github-actions-role-safe"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+      },
+      "Condition": {
+        "StringEquals": {
+          "token.actions.githubusercontent.com:sub": "repo:myorg/myrepo:ref:refs/heads/main"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/negative2.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/negative2.tf
new file mode 100644
index 00000000000..e0e63bfb11f
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/negative2.tf
@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "negative2" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:myorg/myrepo:ref:refs/heads/main"]
+    }
+  }
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive1.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive1.tf
new file mode 100644
index 00000000000..efdce062a33
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive1.tf
@@ -0,0 +1,18 @@
+resource "aws_iam_role" "positive1" {
+  name = "github-actions-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive2.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive2.tf
new file mode 100644
index 00000000000..61e405d632f
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive2.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "positive2" {
+  name = "gitlab-ci-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.example.com"
+      },
+      "Condition": {
+        "StringEquals": {
+          "gitlab.example.com:aud": "https://gitlab.example.com"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive3.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive3.tf
new file mode 100644
index 00000000000..c494431a987
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive3.tf
@@ -0,0 +1,11 @@
+data "aws_iam_policy_document" "positive3" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"]
+    }
+  }
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive4.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive4.tf
new file mode 100644
index 00000000000..982b26da9c6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive4.tf
@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "positive4" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::123456789012:oidc-provider/gitlab.example.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "gitlab.example.com:aud"
+      values   = ["https://gitlab.example.com"]
+    }
+  }
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive_expected_result.json
new file mode 100644
index 00000000000..06706d26326
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_missing_sub_condition/test/positive_expected_result.json
@@ -0,0 +1,26 @@
+[
+  {
+    "queryName": "IAM Role OIDC Trust Missing Sub Condition",
+    "severity": "HIGH",
+    "line": 4,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "IAM Role OIDC Trust Missing Sub Condition",
+    "severity": "HIGH",
+    "line": 4,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "IAM Role OIDC Trust Missing Sub Condition",
+    "severity": "HIGH",
+    "line": 2,
+    "fileName": "positive3.tf"
+  },
+  {
+    "queryName": "IAM Role OIDC Trust Missing Sub Condition",
+    "severity": "HIGH",
+    "line": 2,
+    "fileName": "positive4.tf"
+  }
+]
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/metadata.json b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/metadata.json
new file mode 100644
index 00000000000..1291982a94d
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/metadata.json
@@ -0,0 +1,13 @@
+{
+  "id": "7c1e5f3a-2b9d-4e6c-a8f0-1d3c7b5e9a2f",
+  "queryName": "IAM Role OIDC Trust Wildcard Sub Condition",
+  "severity": "HIGH",
+  "category": "Access Control",
+  "descriptionText": "An AWS IAM role that uses 'sts:AssumeRoleWithWebIdentity' should not allow a wildcard in the 'sub' (subject) claim condition. Using StringLike with a value where the repository or project segment is a wildcard (e.g. 'repo:*' or 'project_path:*:...') allows any repository or project on the OIDC provider to assume the role.",
+  "descriptionUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html",
+  "platform": "Terraform",
+  "descriptionID": "7c1e5f3a",
+  "cloudProvider": "aws",
+  "cwe": "284",
+  "riskScore": "8.5"
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/query.rego b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/query.rego
new file mode 100644
index 00000000000..d8122994f98
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/query.rego
@@ -0,0 +1,143 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+# aws_iam_role inline JSON: StringLike with loose wildcard sub condition (string action)
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_iam_role[name]
+	policy := common_lib.get_policy(resource.assume_role_policy)
+	st := common_lib.get_statement(policy)
+	statement := st[_]
+
+	common_lib.is_allow_effect(statement)
+	statement.Action == "sts:AssumeRoleWithWebIdentity"
+	statement.Principal.Federated
+	has_loose_wildcard_sub_json(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_role",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_role[%s].assume_role_policy", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("aws_iam_role[%s].assume_role_policy 'sub' condition should restrict access to a specific repository or project", [name]),
+		"keyActualValue": sprintf("aws_iam_role[%s].assume_role_policy 'sub' condition uses a wildcard that allows any repository or project to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name, "assume_role_policy"], []),
+	}
+}
+
+# aws_iam_role inline JSON: StringLike with loose wildcard sub condition (array action)
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_iam_role[name]
+	policy := common_lib.get_policy(resource.assume_role_policy)
+	st := common_lib.get_statement(policy)
+	statement := st[_]
+
+	common_lib.is_allow_effect(statement)
+	statement.Action[_] == "sts:AssumeRoleWithWebIdentity"
+	statement.Principal.Federated
+	has_loose_wildcard_sub_json(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_role",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_role[%s].assume_role_policy", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("aws_iam_role[%s].assume_role_policy 'sub' condition should restrict access to a specific repository or project", [name]),
+		"keyActualValue": sprintf("aws_iam_role[%s].assume_role_policy 'sub' condition uses a wildcard that allows any repository or project to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name, "assume_role_policy"], []),
+	}
+}
+
+# aws_iam_policy_document (single statement): loose wildcard sub condition
+CxPolicy[result] {
+	resource := input.document[i].data.aws_iam_policy_document[name]
+	not is_array(resource.statement)
+	statement := resource.statement
+
+	common_lib.is_allow_effect(statement)
+	statement.actions[_] == "sts:AssumeRoleWithWebIdentity"
+	lower(statement.principals.type) == "federated"
+	has_loose_wildcard_sub_hcl(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_policy_document",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_policy_document[%s].statement", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("aws_iam_policy_document[%s].statement 'sub' condition should restrict access to a specific repository or project", [name]),
+		"keyActualValue": sprintf("aws_iam_policy_document[%s].statement 'sub' condition uses a wildcard that allows any repository or project to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["data", "aws_iam_policy_document", name, "statement"], []),
+	}
+}
+
+# aws_iam_policy_document (array of statements): loose wildcard sub condition
+CxPolicy[result] {
+	resource := input.document[i].data.aws_iam_policy_document[name]
+	is_array(resource.statement)
+	statement := resource.statement[_]
+
+	common_lib.is_allow_effect(statement)
+	statement.actions[_] == "sts:AssumeRoleWithWebIdentity"
+	lower(statement.principals.type) == "federated"
+	has_loose_wildcard_sub_hcl(statement)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_policy_document",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_policy_document[%s].statement", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("aws_iam_policy_document[%s].statement 'sub' condition should restrict access to a specific repository or project", [name]),
+		"keyActualValue": sprintf("aws_iam_policy_document[%s].statement 'sub' condition uses a wildcard that allows any repository or project to assume the role", [name]),
+		"searchLine": common_lib.build_search_line(["data", "aws_iam_policy_document", name, "statement"], []),
+	}
+}
+
+# Detect loose wildcard sub in inline JSON:
+# StringLike operator with a sub key where the value is "*" or starts with "prefix:*"
+has_loose_wildcard_sub_json(statement) {
+	value := statement.Condition.StringLike[key]
+	endswith(key, ":sub")
+	is_loose_sub_value(value)
+}
+
+has_loose_wildcard_sub_json(statement) {
+	value := statement.Condition.StringLike[key][_]
+	endswith(key, ":sub")
+	is_loose_sub_value(value)
+}
+
+# Detect loose wildcard sub in HCL:
+# condition block with test=StringLike and variable ending in :sub, and a loose value
+has_loose_wildcard_sub_hcl(statement) {
+	not is_array(statement.condition)
+	lower(statement.condition.test) == "stringlike"
+	endswith(statement.condition.variable, ":sub")
+	value := statement.condition.values[_]
+	is_loose_sub_value(value)
+}
+
+has_loose_wildcard_sub_hcl(statement) {
+	is_array(statement.condition)
+	cond := statement.condition[_]
+	lower(cond.test) == "stringlike"
+	endswith(cond.variable, ":sub")
+	value := cond.values[_]
+	is_loose_sub_value(value)
+}
+
+# A sub value is too broad if:
+# - it is exactly "*" (matches all)
+# - it matches "prefix:*" where the first path segment after the provider prefix is a wildcard
+#   e.g. "repo:*", "project_path:*:ref_type:..."
+is_loose_sub_value(value) {
+	value == "*"
+}
+
+is_loose_sub_value(value) {
+	regex.match(`^[^:]+:\*`, value)
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/negative1.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/negative1.tf
new file mode 100644
index 00000000000..90ddb7114f3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/negative1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "negative1" {
+  name = "github-actions-specific-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+      },
+      "Condition": {
+        "StringEquals": {
+          "token.actions.githubusercontent.com:sub": "repo:myorg/myrepo:ref:refs/heads/main"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/negative2.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/negative2.tf
new file mode 100644
index 00000000000..70a0fbe0588
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/negative2.tf
@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "negative2" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:myorg/myrepo:ref:refs/heads/*"]
+    }
+  }
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive1.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive1.tf
new file mode 100644
index 00000000000..a95fda42552
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "positive1" {
+  name = "github-actions-wildcard-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+      },
+      "Condition": {
+        "StringLike": {
+          "token.actions.githubusercontent.com:sub": "repo:*"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive2.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive2.tf
new file mode 100644
index 00000000000..0829321a5c0
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive2.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "positive2" {
+  name = "gitlab-ci-wildcard-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::123456789012:oidc-provider/gitlab.example.com"
+      },
+      "Condition": {
+        "StringLike": {
+          "gitlab.example.com:sub": "project_path:*:ref_type:branch:ref:*"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive3.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive3.tf
new file mode 100644
index 00000000000..fded461bc40
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive3.tf
@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "positive3" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:*"]
+    }
+  }
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive4.tf b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive4.tf
new file mode 100644
index 00000000000..d54b5511cd6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive4.tf
@@ -0,0 +1,17 @@
+data "aws_iam_policy_document" "positive4" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::123456789012:oidc-provider/gitlab.example.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "gitlab.example.com:sub"
+      values   = ["project_path:*:ref_type:branch:ref:*"]
+    }
+  }
+}
diff --git a/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive_expected_result.json
new file mode 100644
index 00000000000..16782d7284d
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_oidc_trust_wildcard_sub_condition/test/positive_expected_result.json
@@ -0,0 +1,26 @@
+[
+  {
+    "queryName": "IAM Role OIDC Trust Wildcard Sub Condition",
+    "severity": "HIGH",
+    "line": 4,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "IAM Role OIDC Trust Wildcard Sub Condition",
+    "severity": "HIGH",
+    "line": 4,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "IAM Role OIDC Trust Wildcard Sub Condition",
+    "severity": "HIGH",
+    "line": 2,
+    "fileName": "positive3.tf"
+  },
+  {
+    "queryName": "IAM Role OIDC Trust Wildcard Sub Condition",
+    "severity": "HIGH",
+    "line": 2,
+    "fileName": "positive4.tf"
+  }
+]