diff --git a/lib/utils/aws/aws.go b/lib/utils/aws/aws.go
index dfdba5feea7b8..8b8dd134093e2 100644
--- a/lib/utils/aws/aws.go
+++ b/lib/utils/aws/aws.go
@@ -415,7 +415,7 @@ func checkRoleARN(parsed *arn.ARN) error {
 	if parts[0] != "role" || parsed.Service != iam.ServiceName {
 		return trace.BadParameter("%q is not an AWS IAM role ARN", parsed)
 	}
-	if len(parts) < 2 {
+	if len(parts) < 2 || len(parts[len(parts)-1]) == 0 {
 		return trace.BadParameter("%q is missing AWS IAM role name", parsed)
 	}
 	if err := apiawsutils.IsValidAccountID(parsed.AccountID); err != nil {
diff --git a/lib/utils/aws/aws_test.go b/lib/utils/aws/aws_test.go
index 25407a6575283..4d617e8842a6d 100644
--- a/lib/utils/aws/aws_test.go
+++ b/lib/utils/aws/aws_test.go
@@ -282,17 +282,25 @@ func TestParseRoleARN(t *testing.T) {
 			arn:             "arn:aws:iam::123456789012:user/test-user",
 			wantErrContains: "not an AWS IAM role",
 		},
-		"iam role arn is missing role name": {
+		"iam role arn is missing role name section": {
 			arn:             "arn:aws:iam::123456789012:role",
 			wantErrContains: "missing AWS IAM role name",
 		},
+		"iam role arn is missing role name": {
+			arn:             "arn:aws:iam::123456789012:role/",
+			wantErrContains: "missing AWS IAM role name",
+		},
+		"service role arn is missing role name": {
+			arn:             "arn:aws:iam::123456789012:role/aws-service-role/redshift.amazonaws.com/",
+			wantErrContains: "missing AWS IAM role name",
+		},
 	}
 	for name, tt := range tests {
 		t.Run(name, func(t *testing.T) {
 			got, err := ParseRoleARN(tt.arn)
 			if tt.wantErrContains != "" {
-				require.Error(t, err, err.Error())
+				require.Error(t, err)
 				require.ErrorContains(t, err, tt.wantErrContains)
 				return
 			}
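Review bot: The new condition in checkRoleARN only rejects an empty final segment, so a resource whose empty segment sits in the middle (the shape "role//name" or "role/aws-service-role//name") still passes as long as the last element is non-empty; if parts is the "/"-split resource, as the surrounding lines suggest, the intent of "missing role name" is better served by rejecting any empty segment after the "role" prefix, e.g. `for _, p := range parts[1:] { if p == "" { return trace.BadParameter("%q is missing AWS IAM role name", parsed) } }` in place of the length comparison. As a point of style, `parts[len(parts)-1] == ""` reads more directly than `len(parts[len(parts)-1]) == 0`. A short why-comment would help the next reader, since the reason is only visible in the test file: `// a trailing "/" (e.g. "role/" or "role/aws-service-role/") leaves an empty final segment, which is not a role name`. The construction of parts and the rest of checkRoleARN lie outside the hunk, so the split behaviour is inferred rather than seen.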