AWS Security ChangesHomeSearch

AWS signin documentation change

Service: signin · 2026-06-16 · Documentation high

File: signin/latest/userguide/best-practices-admin.md

Summary

Added network-based access controls guidance including Sign-in resource policies, RCPs, VPC endpoints, and recovery mechanisms

Security assessment

Documents layered network security controls for console access, explicitly covering security features like resource-based policies and recovery access configurations

Diff

diff --git a/signin/latest/userguide/best-practices-admin.md b/signin/latest/userguide/best-practices-admin.md
index 592d93e46..9e2c69f83 100644
--- a//signin/latest/userguide/best-practices-admin.md
+++ b//signin/latest/userguide/best-practices-admin.md
@@ -40,0 +41,2 @@ If you’re an account administrator who has created a new AWS account, we recom
+  7. Implement network-based access controls: Use Sign-in resource-based policies or resource control policies (RCPs) to restrict console sign-in to requests from approved IP address ranges or VPCs. For environments using Console Private Access, configure VPC endpoint policies to control which accounts can be accessed through your endpoints (see [Console Private Access](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/console-private-access.html)). Together, Sign-in resource-based policies, RCPs, and VPC endpoint policies provide layered network controls at different enforcement points. For root users, Sign-in policies block the credential page entirely on access attempts from unauthorized networks. AWS recommends configuring excluded principals for recovery access to prevent account lockout, though this is optional. For more information, see [Controlling console access with resource-based policies and resource control policies](./console-access-control.html).
+