AWS signin documentation change
Summary
Added IAM policy ARNs for controlling same-device and cross-device authentication methods in AWS CLI sign-in.
Security assessment
Introduces resource ARNs (arn:aws:signin:...oauth2/public-client/localhost|remote) to enforce granular access control for authentication methods. While this documents security hardening capabilities, there's no evidence it addresses a specific security incident.
Diff
diff --git a/signin/latest/userguide/command-line-sign-in.md b/signin/latest/userguide/command-line-sign-in.md index a0599aa00..9686399b8 100644 --- a//signin/latest/userguide/command-line-sign-in.md +++ b//signin/latest/userguide/command-line-sign-in.md @@ -42,0 +43,8 @@ The `aws login` command supports several optional parameters: +###### Note + +You can control access to same-device (`aws login`) and cross-device (`aws login --remote`) authentication. Use the following resource ARNs in any relevant IAM policy. + + * `arn:aws:signin:`region`:`account-id`:oauth2/public-client/localhost` — Use this ARN for same-device authentication with `aws login`. + + * `arn:aws:signin:`region`:`account-id`:oauth2/public-client/remote` — Use this ARN for cross-device authentication with `aws login --remote`. + @@ -51 +59 @@ The `aws login` command supports several optional parameters: - $ aws sso logout + $ aws logout