Guide on How to Delete AWS User Using Python and Boto3
Nothing fancy … just some DevOps with Sec.
Maintaining the security posture of your organization is paramount in today’s digital landscape. Among the many aspects that contribute to a robust security strategy, provisioning and de-provisioning user accounts play a crucial role.
Improper de-provisioning was responsible for 62% of all cybersecurity incidents, according to the 2020 Cost of a Data Breach Report by IBM Security. To safeguard your organization and its sensitive data, it’s essential to have a well-defined process for user account management.
The Challenge of User De-Provisioning
Regarding user account de-provisioning, AWS offers a wealth of services and resources that need to be managed appropriately. With the average cost of a data breach being a staggering $3.86 million globally, overlooking any aspect of the de-provisioning process can have serious consequences.
The Magic Behind the ‘Delete User’ Button
Have you ever wondered what happens when you click the “Delete User” button in the AWS Management Console? Behind the scenes, AWS takes care of a multitude of tasks associated with the user account, including:
Deleting the user’s password (using
DeleteLoginProfile)Revoking access keys (using
DeleteAccessKey)Removing signing certificates (using
DeleteSigningCertificate)Disposing of SSH public keys (using
DeleteSSHPublicKey)Managing Git credentials (using
DeleteServiceSpecificCredential)Handling Apache Cassandra credentials (using
DeleteServiceSpecificCredential)Deactivating Multi-factor authentication (MFA) devices (using
DeactivateMFADeviceandDeleteVirtualMFADevice)Removing inline policies (using
DeleteUserPolicy)Detaching attached managed policies (using
DetachUserPolicy)Removing the user from group memberships (using
RemoveUserFromGroup)
Getting Started
Before we dive into the code, ensure that you have Python and the Boto3 library installed on your system. If you need guidance on installing Python and Boto3, Refer to these links to build some base:
— https://www.py4e.com/ [ Amazing instructor … Zero to Hero ]
— Nothing is better than the documentation! [https://boto3.amazonaws.com/v1/documentation/api/latest/index.html]
KINDDIN’!!
Here is a great video for you —
[https://www.youtube.com/watch?v=iLv1vJd4URg]
Now, let’s move on to the code implementation.
( If you want to use this code, please refer to the repo in my GitHub )
Prerequisites
- Import Boto3 and sys: In your Python script, begin by importing the necessary libraries. Boto3 is the AWS SDK for Python, while sys will help us exit gracefully if needed
import boto3
import sys
2. Establish an IAM Client Connection: Before you can perform any actions on AWS IAM (Identity and Access Management), you need to establish a connection. Use the boto3.client() function to create an IAM client instance.
# Replace 'your_access_key' and 'your_secret_key' with your AWS credentials
iam_client = boto3.client(
'iam',
aws_access_key_id='your_access_key',
aws_secret_access_key='your_secret_key'
)
3. De-provisioning Steps: Now, let’s create functions that will handle each step of the de-provisioning process for an AWS user.
- Delete IAM Login Profile
def delete_iam_login_profile(username):
try:
login_profile = iam_client.get_login_profile(UserName=username)
print("User profile Present!")
login_profile['LoginProfile']['PasswordResetRequired']
iam_client.delete_login_profile(UserName=username)
print("User profile deleted!")
except iam_client.exceptions.NoSuchEntityException:
print("No Login Profile Present")
- IAM Signing Certificate
def delete_iam_signing_certificate(username):
sign_certs = iam_client.list_signing_certificates(UserName=username)
if len(sign_certs['Certificates']) != 0:
print(f"Number of Certs: {len(sign_certs['Certificates'])}")
for cert in sign_certs['Certificates']:
certID = cert['CertificateId']
iam_client.delete_signing_certificate(
UserName=username, CertificateId=certID)
print("Certs deleted!")
else:
print("No Certs present")
- Delete IAM SSH keys
def delete_iam_ssh_keys(username):
ssh_list = iam_client.list_ssh_public_keys(UserName=username)
if len(ssh_list['SSHPublicKeys']) != 0:
print(f"Number of SSH Keys: {len(ssh_list['SSHPublicKeys'])}")
for key in ssh_list['SSHPublicKeys']:
iam_client.delete_ssh_public_key(
UserName=username, SSHPublicKeyId=key['SSHPublicKeyId'])
print(key['SSHPublicKeyId'])
print("SSH keys deleted!")
else:
print("No SSH keys present")
- Delete IAM Git Keys
def delete_iam_git_keys(username):
git_creds = iam_client.list_service_specific_credentials(
UserName=username, ServiceName='codecommit.amazonaws.com')
if len(git_creds['ServiceSpecificCredentials']) != 0:
print(
f"Number of git Creds: {len(git_creds['ServiceSpecificCredentials'])}")
for key in git_creds['ServiceSpecificCredentials']:
iam_client.delete_service_specific_credential(
UserName=username,
ServiceSpecificCredentialId=key['ServiceSpecificCredentialId']
)
print("Git Creds deleted!")
else:
print("No Git Creds present")
- Delete IAM Apache Casandra Keyspace
def delete_iam_apache_cassandra_keyspace(username):
apache_cred = iam_client.list_service_specific_credentials(
UserName=username, ServiceName='cassandra.amazonaws.com')
if len(apache_cred['ServiceSpecificCredentials']) != 0:
print(
f"Number of git Creds: {len(apache_cred['ServiceSpecificCredentials'])}")
for key in apache_cred['ServiceSpecificCredentials']:
iam_client.delete_service_specific_credential(
UserName=username,
ServiceSpecificCredentialId=key['ServiceSpecificCredentialId']
)
print("Cassandra Creds deleted!")
else:
print("No Cassandra Creds present")
- Delete IAM MFA Device
def delete_iam_mfa_devices(username):
mfa_devices = iam_client.list_mfa_devices(UserName=username)
if len(mfa_devices['MFADevices']) != 0:
print(f"Number of MFA Devices: {len(mfa_devices['MFADevices'])}")
for mfa_device in mfa_devices['MFADevices']:
iam_client.deactivate_mfa_device(
UserName=username, SerialNumber=mfa_device['SerialNumber'])
print("MFA Devices deleted!")
else:
print('No MFA devices present')
- Delete IAM User Policy
def delete_iam_user_policies(username):
inline_policies = iam_client.list_user_policies(UserName=username)
if len(inline_policies['PolicyNames']) != 0:
print(
f"Number of inline policies: {len(inline_policies['PolicyNames'])}")
for policy_name in inline_policies['PolicyNames']:
iam_client.delete_user_policy(
UserName=username, PolicyName=policy_name)
print("Inline Policies Deleted!")
else:
print("No Inline Policies present")
- Delete IAM User Attached Policies
def delete_iam_user_attatched_policies(username):
attached_policies = iam_client.list_attached_user_policies(
UserName=username)
if len(attached_policies['AttachedPolicies']) != 0:
print(
f"Number of inline policies: {len(attached_policies['AttachedPolicies'])}")
for policy_name in attached_policies['AttachedPolicies']:
iam_client.detach_user_policy(
UserName=username, PolicyArn=policy_name['PolicyArn'])
print("User Attached Policies detached!")
else:
print("No Attached user Policies present")
- Delete IAM User Group
def delete_iam_user_group(username):
group_membership = iam_client.list_groups_for_user(UserName=username)
if len(group_membership['Groups']) != 0:
print(
f"Number of Group memberships: {len(group_membership['Groups'])}")
for group in group_membership['Groups']:
iam_client.remove_user_from_group(
GroupName=group['GroupName'], UserName=username)
print("User detached from Group Membership!")
else:
print("No Group attached to the user")
- Delete IAM User Access Keys
def delete_iam_user_access_keys(username):
res_keys = iam_client.list_access_keys(UserName=username)
if len(res_keys['AccessKeyMetadata']) != 0:
print(f"Number of Access Keys: {len(res_keys['AccessKeyMetadata'])}")
accessKeyLength = len(res_keys['AccessKeyMetadata'])
for i in range(accessKeyLength):
ActiveAccessKey = res_keys['AccessKeyMetadata'][i]['AccessKeyId']
iam_client.delete_access_key(
AccessKeyId=ActiveAccessKey, UserName=username)
print("User Access Keys Deleted!")
else:
print("No Access Keys present")
- Finally — Delete IAM User
def delete_iam_user(username):
try:
delete_user = iam_client.delete_user(UserName=username)
if delete_user['ResponseMetadata']['HTTPStatusCode'] == 200:
print("User Deleted!")
except:
print("No such user/entity found")
sys.exit()
3. Here comes the Drive Code: It will manage and operate the entire thing
# #############################################################################
# #################### Function that sums-up all above ########################
# #############################################################################
def delete_user_account(username):
# ###################### 1. Delete login profile of user if it exists #########
delete_iam_login_profile(username)
# ###################### 2. Delete signing certificate ########################
delete_iam_signing_certificate(username)
# # #################### 3. Delete SSH Keys ###################################
delete_iam_ssh_keys(username)
# # #################### 4. Delete Git Keys ###################################
delete_iam_git_keys(username)
# # #################### 5. Delete Apache Cassandra Keyspace ##################
delete_iam_apache_cassandra_keyspace(username)
# # #################### 6. Delete MFA devices ################################
delete_iam_mfa_devices(username)
# # #################### 7. Delete user Inline Policy from user ###############
delete_iam_user_policies(username)
# # #################### 8. Detach user attched policy from user ##############
delete_iam_user_attatched_policies(username)
# # #################### 9. Remove user from Group ############################
delete_iam_user_group(username)
# # #################### 10. Delete access keys ###############################
delete_iam_user_access_keys(username)
# # #################### 11. Finally delete the user ##########################
delete_iam_user(username)
# #############################################################################
# ############################## Driver Code ##################################
# #############################################################################
remove_user = ['testDeleteUser']
listOfUsers = []
## paginator if you have large number of users
paginator = iam_client.get_paginator('list_users')
response_iterator = paginator.paginate()
for user in response_iterator:
listOfUsers.extend([user_['UserName'] for user_ in user['Users']])
for user in remove_user:
if user in listOfUsers:
print(f"-------- For user: {user} --------")
delete_user_account(user)
else:
print(f"******** User Doesn't exist: {user} ********")
Conclusion
Managing user accounts is pivotal for cybersecurity. De-provisioning AWS users using Python and Boto3 enhances security. This guide covered comprehensive steps, ensuring passwords, access keys, and more are properly managed. As AWS evolves, staying updated is key. By implementing these techniques, you’re safeguarding your organization’s assets.
Thank you for joining us on this journey of secure user management. Empower your AWS operations using Python and Boto3, fortifying your organization’s security practices.
It's me …
The Modern Witcher
See you around!