How can I disable a user's password in AWS using boto3

0 votes

I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."

I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make a password inactive.

For access keys (but not passwords), we have the following:

client = session.client('iam')
# ... (get user and keyid) ...
last_used = client.get_access_key_last_used(AccessKeyId=keyid)
# ... (determine the age of the key) ...
if age >= 90:
    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)

Does anyone have any pointers?

Sep 27, 2018 in AWS by bug_seeker
• 15,510 points
969 views

1 answer to this question.

0 votes

delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.

However, to prevent all user access (including CLI and API access), you must also either make any access keys inactive or delete them.

From Boto3 Documentation:

Warning

Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.

answered Sep 27, 2018 by Priyaj
• 57,700 points
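An added example (not code from the question or the answer) that combines both halves of the thread: it removes the console password with delete_login_profile and sets access keys to Inactive when either has gone unused for 90 days. Assumptions: the function name, the dry_run switch, and the choice to age never-used credentials from their creation date are illustrative; `iam` is a boto3 IAM client.

```python
from datetime import datetime, timedelta, timezone

MAX_IDLE = timedelta(days=90)  # threshold from the CIS item quoted in the question


def is_stale(last_used, created, now):
    """Assumption: a credential that was never used is aged from its creation date."""
    return now - (last_used or created) >= MAX_IDLE


def disable_unused_credentials(iam, now=None, dry_run=True):
    """Return [(user, kind, key_id)] for every credential idle for 90+ days.

    With dry_run=False the console password is deleted and the access key
    is set to Inactive; with dry_run=True nothing is modified.
    """
    now = now or datetime.now(timezone.utc)
    actions = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            try:
                profile = iam.get_login_profile(UserName=name)["LoginProfile"]
            except iam.exceptions.NoSuchEntityException:
                profile = None  # user has no console password
            if profile and is_stale(user.get("PasswordLastUsed"),
                                    profile["CreateDate"], now):
                actions.append((name, "password", None))
                if not dry_run:
                    iam.delete_login_profile(UserName=name)
            keys = iam.list_access_keys(UserName=name)["AccessKeyMetadata"]
            for key in keys:
                if key["Status"] != "Active":
                    continue
                used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
                last = used["AccessKeyLastUsed"].get("LastUsedDate")
                if is_stale(last, key["CreateDate"], now):
                    actions.append((name, "access_key", key["AccessKeyId"]))
                    if not dry_run:
                        iam.update_access_key(UserName=name,
                            AccessKeyId=key["AccessKeyId"], Status="Inactive")
    return actions


if __name__ == "__main__":
    import boto3  # needs credentials allowed to read and modify IAM users
    for action in disable_unused_credentials(boto3.client("iam")):
        print("would disable:", action)
```

Review the dry-run output before calling it with dry_run=False, since delete_login_profile removes the password rather than suspending it.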
