🟡 Medium | Source: AWS Security Blog
AWS has added support for resource-based policies and resource control policies (RCPs) on AWS Sign-In, the service that handles authentication to the AWS Management Console (and, per the announcement, CLI sign-in), so that organisations can restrict sign-in by network origin: source IP ranges such as corporate egress addresses or on-premises data centres, or specific VPCs. Sign-in attempts from anywhere else are refused before the session is created. This is a significant preventive control against console access from unexpected or untrusted locations, including sign-ins with phished or leaked credentials that would otherwise succeed from any network on the internet.
Security Architect’s Take: Evaluate deploying RCPs at the AWS Organizations level so the restriction applies to every member account, including accounts whose local administrators could otherwise remove an account-level policy. This is a preventive control, not a detective one: it blocks sign-in attempts originating outside your trusted network perimeter, which defeats credential-stuffing and phished-password attacks launched from there, but it produces no alert on its own, so keep monitoring CloudTrail ConsoleLogin events for denied and unusual sign-ins. Before enforcing org-wide, dry-run the policy conditions against representative request contexts (office egress, VPN, VPC endpoint, home network), roll out OU by OU, and exempt a break-glass principal so that a wrong CIDR in the allow-list cannot lock every administrator out. Combine with existing SCPs and IAM policies for defence-in-depth.
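A dry-run of the condition logic such a Deny statement relies on, as an added example that is not from the AWS post or from any AWS tooling. It models how IAM evaluates a Deny whose condition block combines NotIpAddressIfExists on aws:SourceIp, StringNotEqualsIfExists on aws:SourceVpc and ArnNotLike on aws:PrincipalArn (all real condition operators and keys), and checks sample request contexts against it before the policy is attached to an OU. The CIDR ranges, VPC ID, role ARNs and request contexts are constructed sample values; the Action and Resource of the statement are deliberately left out because they belong to the sign-in policy as documented in the original post.

```python
"""Dry-run the condition block of a network-restriction sign-in RCP.

Added example, not AWS code. Every identifier below (CIDRs, VPC ID, ARNs,
request contexts) is a constructed sample value.
"""
import ipaddress
from fnmatch import fnmatchcase

# Constructed allow-list: corporate egress ranges, an on-prem DC range (IPv6), one VPC.
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]
TRUSTED_VPCS = ["vpc-0a1b2c3d4e5f67890"]
# Constructed break-glass role that the Deny must never catch.
BREAK_GLASS_ARNS = ["arn:aws:iam::111122223333:role/BreakGlassAdmin"]


def build_condition() -> dict:
    """Condition block for a Deny statement.

    Every operator must hold for the Deny to apply, and the *IfExists variants
    hold when their key is absent from the request. Net effect: deny unless the
    request comes from a trusted IP or a trusted VPC, exempting break-glass ARNs.
    """
    return {
        "NotIpAddressIfExists": {"aws:SourceIp": TRUSTED_CIDRS},
        "StringNotEqualsIfExists": {"aws:SourceVpc": TRUSTED_VPCS},
        "ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ARNS},
    }


def _not_ip_address_if_exists(ctx: dict, key: str, cidrs: list) -> bool:
    if key not in ctx:
        return True  # IfExists: a missing key satisfies the negated operator
    ip = ipaddress.ip_address(ctx[key])
    # ipaddress returns False for an IPv4 address tested against an IPv6 network
    return not any(ip in ipaddress.ip_network(c) for c in cidrs)


def _string_not_equals_if_exists(ctx: dict, key: str, values: list) -> bool:
    return key not in ctx or ctx[key] not in values


def _arn_not_like(ctx: dict, key: str, patterns: list) -> bool:
    return not any(fnmatchcase(ctx.get(key, ""), p) for p in patterns)


def deny_applies(ctx: dict) -> bool:
    """Evaluate the Deny statement's conditions against one request context."""
    cond = build_condition()
    return all([
        _not_ip_address_if_exists(ctx, "aws:SourceIp", cond["NotIpAddressIfExists"]["aws:SourceIp"]),
        _string_not_equals_if_exists(ctx, "aws:SourceVpc", cond["StringNotEqualsIfExists"]["aws:SourceVpc"]),
        _arn_not_like(ctx, "aws:PrincipalArn", cond["ArnNotLike"]["aws:PrincipalArn"]),
    ])


def sign_in_outcome(ctx: dict) -> str:
    # "ALLOW" means "not blocked by this statement"; other policies still apply.
    return "DENY" if deny_applies(ctx) else "ALLOW"


DEV = "arn:aws:iam::111122223333:role/Developer"
# Constructed request contexts. Requests through a VPC endpoint carry aws:SourceVpc
# and no aws:SourceIp, which is why the IfExists operators are needed.
SAMPLE_REQUESTS = {
    "corp-office":          {"aws:SourceIp": "203.0.113.45", "aws:PrincipalArn": DEV},
    "home-wifi":            {"aws:SourceIp": "192.0.2.10", "aws:PrincipalArn": DEV},
    "vpc-endpoint":         {"aws:SourceVpc": "vpc-0a1b2c3d4e5f67890", "aws:PrincipalArn": DEV},
    "other-vpc":            {"aws:SourceVpc": "vpc-0deadbeef0000000", "aws:PrincipalArn": DEV},
    "ipv6-datacentre":      {"aws:SourceIp": "2001:db8:1::42", "aws:PrincipalArn": DEV},
    "break-glass-anywhere": {"aws:SourceIp": "192.0.2.10", "aws:PrincipalArn": BREAK_GLASS_ARNS[0]},
}


def dry_run(requests: dict = SAMPLE_REQUESTS) -> dict:
    """Map each named request context to the outcome of the Deny statement."""
    return {name: sign_in_outcome(ctx) for name, ctx in requests.items()}


if __name__ == "__main__":
    for name, outcome in dry_run().items():
        print(f"{name:22} {outcome}")
```

Run it with the real allow-list substituted for the constructed one and add a context for every path your administrators actually sign in from; any unexpected DENY in the output is a lockout waiting to happen once the RCP is attached.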
Original advisory: Restrict AWS Management Console access to expected networks with sign-in resource-based policies and RCPs