How can I disable a user s password in AWS using boto3

0 votes

I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."

I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make inactive a password.

For access keys (but not passwords), we have the following:

client = session.client('iam')

... (get user and keyid) ...

last_used = client.get_access_key_last_used(AccessKeyId=keyid)

... (determine the age of the key) ...

if age >= 90:

    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)

Does anyone have any pointers?

Sep 27, 2018 in AWS by bug_seeker
• 15,520 points

1 answer to this question.

0 votes

delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.

However to prevent all user access (including CLI and API access) you must also either make any access keys inactive or delete them.

From Boto3 Documentation:


Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.

answered Sep 27, 2018 by Priyaj
• 58,090 points

Related Questions In AWS

0 votes
1 answer

How to create a VPC in AWS using Boto3?

Hi@akhtar, Amazon Web Services enables you to create ...READ MORE

answered Oct 9, 2020 in AWS by MD
• 95,440 points
0 votes
1 answer

Import my AWS credentials using python script

Using AWS Cli  Configure your IAM user then ...READ MORE

answered Nov 16, 2018 in AWS by Jino
• 5,820 points
0 votes
1 answer

AWS S3 uploading hidden files by default

versioning is enabled in your bucket.….... the ...READ MORE

answered Oct 4, 2018 in AWS by Priyaj
• 58,090 points
–1 vote
1 answer

How to decrypt the encrypted S3 file using aws-encryption-cli --decrypt

Use command : aws s3 presign s3://mybucket/abc_count.png you get ...READ MORE

answered Oct 22, 2018 in AWS by Priyaj
• 58,090 points
0 votes
2 answers
0 votes
1 answer

How can I call Amazon's AWS kms decrypt function without using a binary file?

Not sure if you've already found this, ...READ MORE

answered Aug 30, 2018 in AWS by Priyaj
• 58,090 points
0 votes
1 answer

How can I get current date in a CloudFormation script?

There was a similar question asked on ...READ MORE

answered Aug 29, 2018 in AWS by Priyaj
• 58,090 points
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP