AWS rolled out a new aws login CLI command using OAuth 2.0 with PKCE. It grabs short-lived credentials, finally pushing out those dusty long-lived access keys.
But here’s the hitch: The remote login flow opens up a phishing gap. Since the CLI session and browser session aren’t bound, attackers could spoof the flow and dodge phishing-resistant MFA.
Why it matters: Ephemeral creds are a win for security. But without tighter session binding and clear user guidance, this move leaves an open flank. AWS is raising the bar, but teams will need to follow suit.
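To make the binding point concrete, here is an added, generic model of an OAuth 2.0 PKCE (S256) exchange between a CLI, a browser sign-in and an authorization server; it is illustration code written for this note, not AWS's aws login implementation. The token step proves possession of the code verifier and nothing more, so the browser sign-in is accepted no matter whose machine generated the challenge; the confirmed_session check is an assumed, simplified form of the extra session binding the note calls for.

```python
import base64
import hashlib
import secrets

# Generic model of an OAuth 2.0 PKCE (RFC 7636, S256) exchange between a CLI,
# a browser session and an authorization server. Assumed illustration only;
# it is not AWS's `aws login` implementation.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    return b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits

def make_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    def __init__(self):
        self._pending = {}  # code -> (challenge, browser_user, confirmed_session)

    def authorize(self, challenge, browser_user, confirmed_session=""):
        # The browser sign-in proves that *some* user authenticated. PKCE alone
        # never ties that user to the machine holding the verifier, which is the
        # gap; confirmed_session is the assumed extra binding step.
        code = secrets.token_urlsafe(16)
        self._pending[code] = (challenge, browser_user, confirmed_session)
        return code

    def token(self, code, verifier, session_id="", require_binding=False):
        challenge, user, confirmed = self._pending.pop(code, (None, None, None))
        if challenge is None:
            return None
        if not secrets.compare_digest(make_challenge(verifier), challenge):
            return None  # PKCE check: caller must hold the verifier
        if require_binding and not secrets.compare_digest(confirmed, session_id):
            return None  # binding check: browser user confirmed *this* CLI session
        return {"user": user, "short_lived": True}

def run_flow(bound: bool, user_confirms_session: bool):
    """One CLI login; returns the issued credential or None."""
    server = AuthServer()
    verifier = make_verifier()
    session_id = secrets.token_hex(4)  # assumed: CLI displays this to the user
    # Browser side: a bound flow asks the user to confirm the id the CLI showed.
    confirmed = session_id if user_confirms_session else ""
    code = server.authorize(make_challenge(verifier), "alice", confirmed)
    return server.token(code, verifier, session_id, require_binding=bound)
```

The unbound flow issues credentials whenever any browser sign-in completes against the CLI's challenge; only the bound variant refuses when the person who signed in never confirmed the CLI session.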