Question

I am auditing user passwords in AWS using boto3 and I'm not finding a way to accomplish the following CIS Benchmark: "Ensure credentials (with password enabled) unused for 90 days or greater are disabled."

I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make inactive a password.

For access keys (but not passwords), we have the following:

client = session.client('iam')

... (get user and keyid) ...

last_used = client.get_access_key_last_used(AccessKeyId=keyid)

... (determine the age of the key) ...

if age >= 90:

    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)

Does anyone have any pointers?

Answer 1

delete_login_profile is the one you should use if you want to delete the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.

However to prevent all user access (including CLI and API access) you must also either make any access keys inactive or delete them.

From Boto3 Documentation:

Warning

Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.