spec/NOTES.aws-auth.md in mongo-2.13.3 vs spec/NOTES.aws-auth.md in mongo-2.14.0.rc1
- old
+ new
@@ -143,17 +143,20 @@
This error is also produced if the value of the header erroneously includes
the name of the header (i.e. the header name is specified twice in the header
line) but the value is otherwise completely valid. This error has no relation
to the "session token" or "security token" as used with temporary AWS
credentials.
-- *The security token included in the request is invalid*: this error is
- produced when the AWS access key id, as specified in the scope part of the
- `Authorization` header, is not a valid access key id. In the case of
- non-temporary credentials being used for authentication, the error refers to
- a "security token" but the authentication process does not actually use a
- security token as this term is used in the AWS documentation describing
- temporary credentials.
+- *The security token included in the request is invalid*: this error can be
+ produced in several circumstances:
+ - When the AWS access key id, as specified in the scope part of the
+ `Authorization` header, is not a valid access key id. In the case of
+ non-temporary credentials being used for authentication, the error refers to
+ a "security token" but the authentication process does not actually use a
+ security token as this term is used in the AWS documentation describing
+ temporary credentials.
+ - When using temporary credentials and the security token is not provided
+ in the STS request at all (x-amz-security-token header).
- *Signature expired: 20200317T000000Z is now earlier than 20200317T222541Z
(20200317T224041Z - 15 min.)*: This error happens when `x-amz-date` header
value is the formatted date (`YYYYMMDD`) rather than the ISO8601 formatted
time (`YYYYMMDDTHHMMSSZ`). Note that the string `20200317T000000Z` is never
explicitly provided in the request - it is derived by AWS from the provided
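Review bot: in the second added sub-bullet, the parenthetical "(x-amz-security-token header)" trails the sentence, and the header name is not in backticks, unlike `Authorization` and `x-amz-date` elsewhere in this list. Suggest rewording to "When using temporary credentials and the `x-amz-security-token` header is not provided in the STS request at all." That makes it clear the header is what is missing. The entry now covers two unrelated causes under one message, so it would also help to say how to tell them apart: with non-temporary credentials, check the access key id; with temporary credentials, check that the header is present.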
@@ -165,9 +168,11 @@
request is valid. If a different error is produced, most likely the problem
is in something other than signature calculation.
- *The security token included in the request is expired*: this error is
produced when temporary credentials are used and the credentials have
expired.
+
+See also [AWS documentation for STS error messages](https://docs.aws.amazon.com/STS/latest/APIReference/CommonErrors.html).
### Resources
Generally I found Amazon's own documentation to be the best for implementing
the signature calculation. The following documents should be read in order:
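Review bot: the added "See also" line is placed at the end of the error list, immediately before the "### Resources" heading, and that section already collects Amazon's documentation. Consider moving the STS error messages link into Resources, or keeping it here but saying which of the errors listed above it documents, so a reader knows when to follow it.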