AWS Security ChangesHomeSearch

AWS signin documentation change

Service: signin · 2026-02-13 · Documentation medium

File: signin/latest/userguide/command-line-sign-in.md

Summary

Added IAM policy ARNs for controlling same-device and cross-device authentication methods in AWS CLI sign-in.

Security assessment

Introduces resource ARNs (arn:aws:signin:...oauth2/public-client/localhost|remote) to enforce granular access control for authentication methods. While this documents security hardening capabilities, there's no evidence it addresses a specific security incident.

Diff

diff --git a/signin/latest/userguide/command-line-sign-in.md b/signin/latest/userguide/command-line-sign-in.md
index a0599aa00..9686399b8 100644
--- a//signin/latest/userguide/command-line-sign-in.md
+++ b//signin/latest/userguide/command-line-sign-in.md
@@ -42,0 +43,8 @@ The `aws login` command supports several optional parameters:
+###### Note
+
+You can control access to same-device (`aws login`) and cross-device (`aws login --remote`) authentication. Use the following resource ARNs in any relevant IAM policy.
+
+       * `arn:aws:signin:`region`:`account-id`:oauth2/public-client/localhost` — Use this ARN for same-device authentication with `aws login`.
+
+       * `arn:aws:signin:`region`:`account-id`:oauth2/public-client/remote` — Use this ARN for cross-device authentication with `aws login --remote`.
+
@@ -51 +59 @@ The `aws login` command supports several optional parameters:
-        $ aws sso logout
+        $ aws logout