diff --git a/apps/api/.env.example b/apps/api/.env.example
index fedfeaf98a..e2fea0ab10 100644
--- a/apps/api/.env.example
+++ b/apps/api/.env.example
@@ -58,4 +58,5 @@ SECURITY_HUB_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID=
 SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY=
-SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
+# Optional: only set when using temporary GovCloud credentials. Leave unset for long-lived IAM user keys.
+# SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
diff --git a/apps/api/src/cloud-security/aws-partition.utils.spec.ts b/apps/api/src/cloud-security/aws-partition.utils.spec.ts
index 5f9f313092..b6dadf07ea 100644
--- a/apps/api/src/cloud-security/aws-partition.utils.spec.ts
+++ b/apps/api/src/cloud-security/aws-partition.utils.spec.ts
@@ -57,12 +57,11 @@ describe('aws partition utils', () => {
   it('uses explicit GovCloud base credentials when configured', () => {
     process.env.SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID = 'AKIAGOV';
     process.env.SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY = 'secret';
-    process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'token';
+    process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'placeholder';
 
     expect(getAwsBaseCredentials('aws-us-gov')).toEqual({
       accessKeyId: 'AKIAGOV',
       secretAccessKey: 'secret',
-      sessionToken: 'token',
     });
 
     expect(getAwsBaseCredentials('aws')).toBeUndefined();
diff --git a/apps/api/src/cloud-security/aws-partition.utils.ts b/apps/api/src/cloud-security/aws-partition.utils.ts
index ce0596b0c0..3c30ad808e 100644
--- a/apps/api/src/cloud-security/aws-partition.utils.ts
+++ b/apps/api/src/cloud-security/aws-partition.utils.ts
@@ -41,7 +41,6 @@ export function getAwsBaseCredentials(
     return {
       accessKeyId,
       secretAccessKey,
-      sessionToken: process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN,
     };
   }
 
diff --git a/apps/api/src/evidence-forms/evidence-forms.service.ts b/apps/api/src/evidence-forms/evidence-forms.service.ts
index f8abc214d5..b1589ed906 100644
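Review bot: The `toEqual` assertion on the new side would still pass if `getAwsBaseCredentials('aws-us-gov')` returned `sessionToken: undefined`, because Jest-style `toEqual` ignores properties whose value is undefined; since this test now exists to prove the env var is not propagated, `expect(getAwsBaseCredentials('aws-us-gov')).toStrictEqual({` pins that the key is absent altogether. The test name no longer states that intent either, so a comment on the `'placeholder'` line such as `// set deliberately: the session token must not appear in the returned credentials`, or a dedicated `it('ignores SECURITY_HUB_GOVCLOUD_SESSION_TOKEN', ...)` case, would make the expectation self-explanatory. The describe block starts outside the hunk.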
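Review bot: Dropping `sessionToken` from the returned object means this function now ignores SECURITY_HUB_GOVCLOUD_SESSION_TOKEN entirely (unless another code path I cannot see reads it), yet the first hunk's .env.example comment still tells operators to set that variable when using temporary GovCloud credentials. An STS-issued key pair is rejected by AWS without its session token, so an operator following that comment would get an opaque authentication failure rather than a clear signal that only long-lived keys are supported here. Either restore the field or make the intent explicit in both places: in this function `// SECURITY_HUB_GOVCLOUD_SESSION_TOKEN is intentionally not read; only long-lived GovCloud access keys are supported here`, and reword the .env.example comment to say the variable is currently unused rather than "optional". getAwsBaseCredentials starts outside the hunk.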
--- a/apps/api/src/evidence-forms/evidence-forms.service.ts
+++ b/apps/api/src/evidence-forms/evidence-forms.service.ts
@@ -196,16 +196,16 @@ export class EvidenceFormsService {
       );
     }
 
-    const base64Pattern = /^[A-Za-z0-9+/]+={0,2}$/;
-    if (!base64Pattern.test(normalized)) {
+    const fileBuffer = Buffer.from(normalized, 'base64');
+
+    if (fileBuffer.toString('base64') !== normalized) {
       throw new BadRequestException(
         'Invalid file data. Expected base64 string.',
       );
     }
 
-    const fileBuffer = Buffer.from(normalized, 'base64');
     if (!fileBuffer.length) {
-      throw new BadRequestException('File cannot be empty');
+      throw new BadRequestException('File cannot be empty.');
     }
 
     return fileBuffer;
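Review bot: The round-trip comparison on the new `if (fileBuffer.toString('base64') !== normalized)` line is stricter than the regex it replaces in a way the hunk does not document: Node's base64 decoder ignores embedded whitespace and accepts the URL-safe alphabet, so re-encoding and comparing is the right way to reject non-canonical input, but `toString('base64')` always emits padding, so unpadded input such as `QQ` that the old `={0,2}` pattern accepted is now refused with "Invalid file data". If every caller is known to send canonical padded base64 that is fine, but it deserves a why-comment on that line, e.g. `// Re-encode and compare: the lenient base64 decoder would otherwise accept whitespace and the URL-safe alphabet; only canonical, padded base64 passes.`. The check also re-encodes the whole payload, roughly doubling transient memory per request, which is only acceptable if a body-size limit is enforced upstream — I cannot see one from here. The enclosing method and the derivation of `normalized` start outside the hunk.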