diff --git a/.gitignore b/.gitignore
index 90cd78b57e89..829b6b801e26 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,8 @@ target
 .vscode
 *.log
 *.DS_Store
+package-lock.json
+node_modules
 _site
 dependency-reduced-pom.xml
 LICENSE.BINARY
diff --git a/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java b/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
index 6e93d4a4c4db..165ccc2d8518 100644
--- a/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
+++ b/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSCredentialsUtils.java
@@ -24,6 +24,7 @@
 import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
 import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
+import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
 import com.amazonaws.auth.profile.ProfileCredentialsProvider;
 
 public class AWSCredentialsUtils
@@ -35,6 +36,7 @@ public static AWSCredentialsProviderChain defaultAWSCredentialsProviderChain(fin
         new LazyFileSessionCredentialsProvider(config),
         new EnvironmentVariableCredentialsProvider(),
         new SystemPropertiesCredentialsProvider(),
+        WebIdentityTokenCredentialsProvider.create(),
         new ProfileCredentialsProvider(),
         new EC2ContainerCredentialsProviderWrapper(),
         InstanceProfileCredentialsProvider.getInstance());
diff --git a/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSModule.java b/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSModule.java
index 79b60c956c34..59c9386e1cf2 100644
--- a/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSModule.java
+++ b/cloud/aws-common/src/main/java/org/apache/druid/common/aws/AWSModule.java
@@ -21,7 +21,7 @@
 
 import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.services.ec2.AmazonEC2;
-import com.amazonaws.services.ec2.AmazonEC2Client;
+import com.amazonaws.services.ec2.AmazonEC2ClientBuilder;
 import com.fasterxml.jackson.databind.Module;
 import com.google.inject.Binder;
 import com.google.inject.Provides;
@@ -54,7 +54,7 @@ public AWSCredentialsProvider getAWSCredentialsProvider(final AWSCredentialsConf
   @LazySingleton
   public AmazonEC2 getEc2Client(AWSCredentialsProvider credentials)
   {
-    return new AmazonEC2Client(credentials);
+    return AmazonEC2ClientBuilder.defaultClient();
   }
 
   @Override
diff --git a/docs/development/extensions-core/s3.md b/docs/development/extensions-core/s3.md
index b30ba4ce83ab..5bb56fb7eb46 100644
--- a/docs/development/extensions-core/s3.md
+++ b/docs/development/extensions-core/s3.md
@@ -72,9 +72,10 @@ Druid uses the following credentials provider chain to connect to your S3 bucket
 |2|Custom properties file| Based on custom properties file where you can supply `sessionToken`, `accessKey` and `secretKey` values. This file is provided to Druid through `druid.s3.fileSessionCredentials` properties|
 |3|Environment variables|Based on environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`|
 |4|Java system properties|Based on JVM properties `aws.accessKeyId` and `aws.secretKey` |
-|5|Profile information|Based on credentials you may have on your druid instance (generally in `~/.aws/credentials`)|
-|6|ECS container credentials|Based on environment variables available on AWS ECS (AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI) as described in the [EC2ContainerCredentialsProviderWrapper documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EC2ContainerCredentialsProviderWrapper.html)|
-|7|Instance profile information|Based on the instance profile you may have attached to your druid instance|
+|5|WebIdentityTokenCredentials file|Based on environment variables `WEB_IDENTITY_TOKEN_FILE`|
+|6|Profile information|Based on credentials you may have on your druid instance (generally in `~/.aws/credentials`)|
+|7|ECS container credentials|Based on environment variables available on AWS ECS (AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI) as described in the [EC2ContainerCredentialsProviderWrapper documentation](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EC2ContainerCredentialsProviderWrapper.html)|
+|8|Instance profile information|Based on the instance profile you may have attached to your druid instance|
 
 You can find more information about authentication method [here](https://docs.aws.amazon.com/fr_fr/sdk-for-java/v1/developer-guide/credentials.html)<br/>
 **Note :** *Order is important here as it indicates the precedence of authentication methods.<br/>
diff --git a/licenses.yaml b/licenses.yaml
index a83f20d54f6c..74c8789edfbf 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -162,7 +162,7 @@ name: AWS SDK for Java
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 1.11.199
+version: 1.11.836
 libraries:
   - com.amazonaws: aws-java-sdk-core
   - com.amazonaws: aws-java-sdk-ec2
@@ -3282,7 +3282,7 @@ name: AWS SDK for Java
 license_category: binary
 module: extensions/druid-kinesis-indexing-service
 license_name: Apache License version 2.0
-version: 1.11.199
+version: 1.11.836
 libraries:
   - com.amazonaws: aws-java-sdk-kinesis
   - com.amazonaws: aws-java-sdk-sts
diff --git a/pom.xml b/pom.xml
index daa9ff71c53d..67b67f246aab 100644
--- a/pom.xml
+++ b/pom.xml
@@ -110,7 +110,7 @@
         <hadoop.compile.version>2.8.5</hadoop.compile.version>
         <mockito.version>3.2.4</mockito.version>
         <powermock.version>2.0.2</powermock.version>
-        <aws.sdk.version>1.11.199</aws.sdk.version>
+        <aws.sdk.version>1.11.836</aws.sdk.version>
         <caffeine.version>2.8.0</caffeine.version>
         <!-- Curator requires 3.4.x ZooKeeper clients to maintain compatibility with 3.4.x ZooKeeper servers,
              If we upgrade to 3.5.x clients, curator requires 3.5.x servers, which would break backwards compatibility