Question:
I am auditing user passwords in AWS using boto3 and I’m not finding a way to accomplish the following CIS Benchmark: “Ensure credentials (with password enabled) unused for 90 days or greater are disabled.”
I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make a password inactive.
For access keys (but not passwords), we have the following:
```python
import boto3

session = boto3.Session()
client = session.client('iam')
# ... (get user and keyid) ...
last_used = client.get_access_key_last_used(AccessKeyId=keyid)
# ... (determine the age of the key) ...
if age >= 90:
    client.update_access_key(AccessKeyId=keyid, Status='Inactive', UserName=user)
```
Does anyone have any pointers?
Answer:
Thanks to the responders, delete_login_profile followed by a password reset using create_login_profile is exactly what I needed. I saw it in the docs, but “delete” just sounded too scary.
```python
import boto3
from getpass import getpass


def getPassword(client, user):
    ''' get the password data from aws '''
    try:
        response = client.get_login_profile(UserName=user)
        return response
    except client.exceptions.NoSuchEntityException as e:
        # the user has no login profile, i.e. no console password
        print(e)
        return ''


# setup the client handler
session = boto3.Session()
client = session.client('iam')

# set the user
user = 'some.user'

# if the user has a password, execute this code block
if getPassword(client=client, user=user):
    # ... code to test the password age here ...
    # ... if it's too old, then ...

    # remove the login_profile/password/ability to use the Console
    client.delete_login_profile(UserName=user)

    # set the new password (getpass does not echo it; raw_input is Python 2 only)
    passwd = getpass('Enter New Password: ')

    # create the new login_profile with the new password and force the user to change the password on the next login
    client.create_login_profile(UserName=user, Password=passwd, PasswordResetRequired=True)
```