diff --git a/ci/plugins/scratch-aws-access/hooks/pre-command b/ci/plugins/scratch-aws-access/hooks/pre-command
index e57579c370e99..86ffa597bcb5f 100644
--- a/ci/plugins/scratch-aws-access/hooks/pre-command
+++ b/ci/plugins/scratch-aws-access/hooks/pre-command
@@ -15,7 +15,13 @@ set -euo pipefail
 ci_unimportant_heading "Assuming scratch AWS role"
-creds=$(aws sts assume-role --role-arn "$AWS_SCRATCH_ROLE_ARN" --duration-seconds 43200 --role-session-name ci)
+# Tag the session with the Buildkite job ID so CloudTrail attributes the
+# session to a specific build step. Falls back to a stable "unknown" so
+# the call still succeeds outside Buildkite (local dev). AWS source-identity
+# regex: [a-zA-Z0-9+=,.@_/-]+, max 64 chars; BUILDKITE_JOB_ID is a UUID.
+source_identity="${BUILDKITE_JOB_ID:-unknown}"
+
+creds=$(aws sts assume-role --role-arn "$AWS_SCRATCH_ROLE_ARN" --duration-seconds 43200 --role-session-name ci --source-identity "$source_identity")
 AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<< "$creds")
 AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' <<< "$creds")