diff --git a/packages/aws-cdk-lib/aws-iam/README.md b/packages/aws-cdk-lib/aws-iam/README.md index 686c0b443172f..2da42c6819e09 100644 --- a/packages/aws-cdk-lib/aws-iam/README.md +++ b/packages/aws-cdk-lib/aws-iam/README.md @@ -707,6 +707,14 @@ thumbprint of the root certificate authority (CA) will automatically be obtained from the host as described [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html). +Byy default, the custom resource enforces strict security practices by rejecting +any unauthorized connections when downloading CA thumbprints from the issuer URL. +If you need to connect to an unauthorized OIDC identity provider and understand the +implications, you can disable this behavior by setting the feature flag +`IAM_OIDC_REJECT_UNAUTHORIZED_CONNECTIONS` to `false` in your `cdk.context.json` +or `cdk.json`. Visit [CDK Feature Flag](https://docs.aws.amazon.com/cdk/v2/guide/featureflags.html) +for more information on how to configure feature flags. + Once you define an OpenID connect provider, you can use it with AWS services that expect an IAM OIDC provider. For example, when you define an [Amazon Cognito identity
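Review bot: the new paragraph describes the wrong risk and gives the wrong setting name; both need fixing before merge. "Rejecting any unauthorized connections" and "connect to an unauthorized OIDC identity provider" read as if the issuer itself were unauthorized; what the flag actually controls is whether the custom resource accepts a TLS certificate it cannot verify (self-signed, private CA, hostname mismatch) when it fetches the CA thumbprint from the issuer URL. Say that plainly and spell out the consequence: with verification disabled, anyone who can intercept that fetch can present their own certificate chain, so the thumbprint that ends up pinned in the IAM OIDC provider is attacker-controlled and every role trusting the provider is exposed. Suggested wording: "By default, the custom resource verifies the issuer's TLS certificate when downloading the CA thumbprint and fails if verification does not succeed. If your issuer uses a certificate the resource cannot verify and you accept that the downloaded thumbprint could be tampered with in transit, you can disable verification by setting ... to `false`." Second, `IAM_OIDC_REJECT_UNAUTHORIZED_CONNECTIONS` is the TypeScript constant exported from cx-api, not the key a user writes into `cdk.json` or `cdk.context.json`; feature flags in those files are keyed by the `@aws-cdk/<module>:<flag>` string, so the README should show that string (ideally as a short `"context": { ... }` snippet, consistent with the rest of this README), otherwise readers will paste a key that is silently ignored and believe verification is off when it is not. Finally, "Byy default" should be "By default".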