These two scripts will disable inactive IAM Users:
disable-inactive-keys.py will disable any API key which has not been used in the last n days (default is 90).
disable-inactive-login.py will disable the LoginProfile (i.e. password) of any IAM User who has not logged in in the last n days (default is 90).
Best practice is not to leave access in place for inactive users who have no business justification for it.
disable-inactive-keys.py: for each user, it identifies all active API keys. It then uses get_access_key_last_used() to see the last usage time. If that was more than THRESHOLD days ago, it will disable the key.
disable-inactive-login.py: for each user, it checks whether there is a PasswordLastUsed and whether a LoginProfile is still attached. If PasswordLastUsed was more than THRESHOLD days ago, it will disable the password by deleting the Login Profile.
usage: disable-inactive-login.py [-h] [--debug] [--error] [--timestamp]
                                 [--profile PROFILE] [--actually-do-it]
                                 [--threshold THRESHOLD]

optional arguments:
  -h, --help            show this help message and exit
  --debug               print debugging info
  --error               print error info only
  --timestamp           Output log with timestamp and toolname
  --profile PROFILE     Use this CLI profile (instead of default or env credentials)
  --actually-do-it      Actually Perform the action
  --threshold THRESHOLD
                        Number of days of inactivity to disable. Default is 90 days
You must specify --actually-do-it for the changes to be made. Otherwise the script runs in dry-run mode only.
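The key-disabling logic and the dry-run default described above, sketched as an added example; this is not the code of disable-inactive-keys.py. It assumes a never-used key is aged from its CreateDate (the page does not say how the script treats that case), and FakeIAM with its key IDs is a constructed stand-in so the block runs offline; pass boto3.client("iam") instead to run it against an account.

```python
from datetime import datetime, timedelta, timezone

def find_inactive_keys(iam, threshold_days=90, now=None):
    """Return (user, key_id, idle_days) for each Active key idle longer than the threshold."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            for key in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                if key["Status"] != "Active":
                    continue
                used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])
                # Assumption: a never-used key has no LastUsedDate, so age it from CreateDate.
                last = used["AccessKeyLastUsed"].get("LastUsedDate", key["CreateDate"])
                if last < cutoff:
                    stale.append((name, key["AccessKeyId"], (now - last).days))
    return stale

def disable_inactive_keys(iam, threshold_days=90, actually_do_it=False, now=None):
    """Dry run unless actually_do_it is True; returns the keys that were (or would be) disabled."""
    stale = find_inactive_keys(iam, threshold_days, now)
    for name, key_id, _idle in stale:
        if actually_do_it:
            iam.update_access_key(UserName=name, AccessKeyId=key_id, Status="Inactive")
    return stale

class FakeIAM:
    """Constructed stand-in for the IAM client: key id -> [user, status, created, last used]."""
    def __init__(self, now):
        ago = lambda d: now - timedelta(days=d)
        self.keys = {
            "AKIAEXAMPLEOLD": ["alice", "Active", ago(400), {"LastUsedDate": ago(120)}],
            "AKIAEXAMPLENEW": ["alice", "Active", ago(30), {}],
            "AKIAEXAMPLEOFF": ["bob", "Inactive", ago(500), {"LastUsedDate": ago(300)}],
            "AKIAEXAMPLEIDLE": ["bob", "Active", ago(200), {}],
        }
    def get_paginator(self, _operation):
        return self
    def paginate(self):
        return [{"Users": [{"UserName": "alice"}, {"UserName": "bob"}]}]
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": v[1], "CreateDate": v[2]}
                                      for k, v in self.keys.items() if v[0] == UserName]}
    def get_access_key_last_used(self, AccessKeyId):
        return {"AccessKeyLastUsed": self.keys[AccessKeyId][3]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId][1] = Status
```

Without the CreateDate fallback, a key issued yesterday and not yet used would either be skipped forever or disabled immediately, depending on how the missing LastUsedDate is handled.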