How to disable a user’s password in AWS using boto3

Question:

I am auditing user passwords in AWS using boto3 and I’m not finding a way to accomplish the following CIS Benchmark: “Ensure credentials (with password enabled) unused for 90 days or greater are disabled.”

I have the code to pull the password age and to pull the last time the password was used, but I do not find anything to make a password inactive.

For access keys (but not passwords), we have the following:

Does anyone have any pointers?

Answer:

Thanks to the responders: delete_login_profile followed by a password reset using create_login_profile is exactly what I needed. I saw it in the docs, but “delete” just sounded too scary.
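The audit-and-disable flow discussed above, as an added example that is not part of the original question or answer. The function names are hypothetical, the 90-day threshold comes from the CIS control quoted in the question, and treating a never-used password as idle since its login profile was created is an assumption.

```python
from datetime import datetime, timedelta, timezone

MAX_IDLE = timedelta(days=90)  # threshold from the CIS control quoted in the question


def stale_password_users(iam, now=None):
    """Return names of IAM users whose console password is enabled but idle >= 90 days."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            try:
                profile = iam.get_login_profile(UserName=name)["LoginProfile"]
            except iam.exceptions.NoSuchEntityException:
                continue  # no login profile: console password is already disabled
            # PasswordLastUsed is absent when the password was never used.
            # Assumption: fall back to the date the login profile was created.
            last_used = user.get("PasswordLastUsed", profile["CreateDate"])
            if now - last_used >= MAX_IDLE:
                stale.append(name)
    return stale


def disable_stale_passwords(iam, dry_run=True, now=None):
    """Delete the login profile of each stale user; return the affected names."""
    names = stale_password_users(iam, now)
    if not dry_run:
        for name in names:
            iam.delete_login_profile(UserName=name)
    return names


if __name__ == "__main__":
    import boto3  # imported here so the functions can be exercised with a stub client

    # Report only; pass dry_run=False to actually remove the login profiles.
    for name in disable_stale_passwords(boto3.client("iam"), dry_run=True):
        print("password idle >= 90 days:", name)
```

Deleting the login profile removes console password sign-in only; the user, its access keys and its policies are untouched, and create_login_profile restores access with a new password.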
