How can I disable a user's password in AWS using boto3

0 votes

I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."

I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make a password inactive.

For access keys (but not passwords), we have the following:

import boto3

session = boto3.Session()
client = session.client('iam')

# ... (get user and keyid) ...

last_used = client.get_access_key_last_used(AccessKeyId=keyid)

# ... (determine the age of the key) ...

if age >= 90:
    # Deactivate (not delete) the key so it can be re-enabled if needed
    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)

Does anyone have any pointers?

Sep 27, 2018 in AWS by bug_seeker
• 14,970 points
230 views

1 answer to this question.

0 votes

delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.

However, to prevent all user access (including CLI and API access) you must also either make any access keys inactive or delete them.

From Boto3 Documentation:

Warning

Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.

answered Sep 27, 2018 by Priyaj
• 56,120 points
