How to disable a user's password in AWS using boto3

I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."

I have the code to pull the password age and to pull the last time the password was used, but I cannot find anything to make a password inactive.

For access keys (but not passwords), we have the following:

import boto3

session = boto3.Session()
client = session.client('iam')

# ... (get user and keyid) ...

last_used = client.get_access_key_last_used(AccessKeyId=keyid)

# ... (determine the age of the key) ...

if age >= 90:
    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)

Does anyone have any pointers?

eatsfood Avatar asked Mar 23 '18 22:03

2 Answers

delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.

However, to prevent all user access (including CLI and API access) you must also either make any access keys inactive or delete them.

From Boto3 Documentation:

Warning

Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.

Venkatesh Wadawadagi Avatar answered Nov 01 '22 08:11

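The following is an added example (not the answerer's code and not from the boto3 project) of the audit the question describes, built on the two calls this answer and the boto3 warning point to: delete_login_profile for a console password unused for 90 days or more, followed by update_access_key(Status='Inactive') for stale keys so the user is not left with CLI/API access. The IAM client is injected so the logic runs offline against a constructed FakeIam stand-in that mirrors the real client's response shapes (get_user's PasswordLastUsed, get_login_profile's CreateDate, list_access_keys' AccessKeyMetadata, get_access_key_last_used's LastUsedDate); the user names, the AKIAEXAMPLE... key ids and the dates are constructed. Treating a never-used password or key as stale from the date it was set is this example's choice, not something the answer states.

```python
"""Disable IAM console passwords and access keys unused for >= 90 days,
with an offline fake client so the logic can be run without AWS credentials."""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90


def _password_reference_date(iam, user):
    """Date the console password was last used, or (this example's choice) the
    date it was set if it has never been used. None means the user has no password."""
    try:
        profile = iam.get_login_profile(UserName=user)["LoginProfile"]
    except iam.exceptions.NoSuchEntityException:  # no login profile == no password
        return None
    user_info = iam.get_user(UserName=user)["User"]
    return user_info.get("PasswordLastUsed") or profile["CreateDate"]


def _access_key_reference_date(iam, key_meta):
    """Date an access key was last used, falling back to its creation date."""
    last_used = iam.get_access_key_last_used(AccessKeyId=key_meta["AccessKeyId"])
    return last_used["AccessKeyLastUsed"].get("LastUsedDate") or key_meta["CreateDate"]


def disable_stale_credentials(iam, now, max_age_days=MAX_AGE_DAYS, dry_run=False):
    """Delete stale login profiles and deactivate stale active access keys.
    Returns the list of actions taken (or that would be taken when dry_run).
    On a real account with many users, page through iam.get_paginator('list_users')."""
    cutoff = now - timedelta(days=max_age_days)
    actions = []
    for user in (u["UserName"] for u in iam.list_users()["Users"]):
        ref = _password_reference_date(iam, user)
        if ref is not None and ref <= cutoff:
            actions.append(("delete_login_profile", user, None))
            if not dry_run:
                iam.delete_login_profile(UserName=user)
        for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue  # already inactive; nothing to do
            if _access_key_reference_date(iam, key) <= cutoff:
                actions.append(("update_access_key", user, key["AccessKeyId"]))
                if not dry_run:
                    iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"],
                                          Status="Inactive")
    return actions


class FakeIam:
    """Constructed in-memory stand-in for the subset of boto3's IAM client used above."""

    class exceptions:  # mirrors iam.exceptions.* on a real boto3 client
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users):
        # users: {name: {"PasswordSet": dt|None, "PasswordLastUsed": dt|None, "Keys": [...]}}
        self.users = users
        self.calls = []  # record of mutating calls, for inspection

    def list_users(self):
        return {"Users": [{"UserName": n} for n in self.users]}

    def get_login_profile(self, UserName):
        created = self.users[UserName]["PasswordSet"]
        if created is None:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName, "CreateDate": created}}

    def get_user(self, UserName):
        info = {"UserName": UserName}
        if self.users[UserName]["PasswordLastUsed"]:
            info["PasswordLastUsed"] = self.users[UserName]["PasswordLastUsed"]
        return {"User": info}

    def list_access_keys(self, UserName):
        keys = self.users[UserName]["Keys"]
        return {"AccessKeyMetadata": [{k: v for k, v in key.items() if k != "LastUsedDate"}
                                      for key in keys]}

    def get_access_key_last_used(self, AccessKeyId):
        for name, rec in self.users.items():
            for key in rec["Keys"]:
                if key["AccessKeyId"] == AccessKeyId:
                    used = {"LastUsedDate": key["LastUsedDate"]} if key["LastUsedDate"] else {}
                    return {"UserName": name, "AccessKeyLastUsed": used}
        raise self.exceptions.NoSuchEntityException(AccessKeyId)

    def delete_login_profile(self, UserName):
        self.users[UserName]["PasswordSet"] = None
        self.calls.append(("delete_login_profile", UserName))

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", UserName, AccessKeyId, Status))


SAMPLE_NOW = datetime(2018, 3, 23, tzinfo=timezone.utc)  # constructed "today"


def _days_ago(n):
    return SAMPLE_NOW - timedelta(days=n)


def run_sample():
    """Constructed users: alice (stale password, fresh key), bob (password and key
    never used), carol (no password, fresh key), dave (fresh password, no keys)."""
    iam = FakeIam({
        "alice": {"PasswordSet": _days_ago(400), "PasswordLastUsed": _days_ago(100),
                  "Keys": [{"AccessKeyId": "AKIAEXAMPLEALICE01", "Status": "Active",
                            "CreateDate": _days_ago(300), "LastUsedDate": _days_ago(10)}]},
        "bob": {"PasswordSet": _days_ago(120), "PasswordLastUsed": None,
                "Keys": [{"AccessKeyId": "AKIAEXAMPLEBOB0001", "Status": "Active",
                          "CreateDate": _days_ago(200), "LastUsedDate": None}]},
        "carol": {"PasswordSet": None, "PasswordLastUsed": None,
                  "Keys": [{"AccessKeyId": "AKIAEXAMPLECAROL01", "Status": "Active",
                            "CreateDate": _days_ago(50), "LastUsedDate": _days_ago(5)}]},
        "dave": {"PasswordSet": _days_ago(60), "PasswordLastUsed": _days_ago(30), "Keys": []},
    })
    return disable_stale_credentials(iam, SAMPLE_NOW), iam


if __name__ == "__main__":
    for action in run_sample()[0]:
        print(action)
```

Against a real account, pass `boto3.client('iam')` and `datetime.now(timezone.utc)` to disable_stale_credentials; run it with dry_run=True first and review the returned action list before letting it delete login profiles, since a deleted password has to be recreated with create_login_profile rather than simply re-enabled.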
If you want to change the password, you should use update_login_profile boto3 API. If you want to disable the password, you need to use delete_login_profile.

  • boto3 documentation for update_login_profile can be found here.
  • boto3 documentation for delete_login_profile can be found here.
krishna_mee2004 Avatar answered Nov 01 '22 09:11
