
IAM User Console Access Unused

Overview

This check identifies IAM users who have console access (a password, stored as the user's login profile) but have not signed in with it within a configured inactivity period (default: 45 days). AWS exposes the last console sign-in as the user's PasswordLastUsed attribute and as the password_last_used column of the IAM credential report; a user whose password is enabled but whose last use falls outside the period is flagged. Unused console credentials are a security risk because they add attack surface without serving any purpose.
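
The detection logic behind this finding, reproduced here as an added example (not code from the original page or from the tool that raises the finding). It evaluates an IAM credential report: a user is flagged when password_enabled is true and the password was last used more than the inactivity period ago. A password that has never been used has no last-use timestamp (no_information), so the example measures from user creation instead; that grace period for new users is an assumption of the example, not something the check's description states. The report rows and the fixed "now" are constructed for illustration; a real report comes from aws iam get-credential-report (base64-encoded CSV) or boto3's get_credential_report().

```python
"""Flag IAM users whose console password is enabled but unused."""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 45  # the check's default inactivity period

# Constructed sample report: real credential-report column layout,
# fictitious account and users.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T12:00:00+00:00,true,2024-06-10T08:15:00+00:00,2023-12-01T00:00:00+00:00,N/A,true
john.doe,arn:aws:iam::123456789012:user/john.doe,2021-03-10T12:00:00+00:00,true,2024-01-15T10:23:45+00:00,2023-11-20T00:00:00+00:00,N/A,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-07-01T00:00:00+00:00,false,N/A,N/A,N/A,false
bob,arn:aws:iam::123456789012:user/bob,2023-01-05T00:00:00+00:00,true,no_information,2023-01-05T00:00:00+00:00,N/A,false
newhire,arn:aws:iam::123456789012:user/newhire,2024-06-01T00:00:00+00:00,true,no_information,2024-06-01T00:00:00+00:00,N/A,false
"""

# Fixed evaluation time so the results are reproducible (assumed for the
# example); pass nothing to evaluate against the real clock.
SAMPLE_NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601 with a UTC offset. The
    placeholders no_information, N/A and not_supported mean 'no timestamp'."""
    if value in ("no_information", "N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def unused_console_users(report_csv, now=None, inactivity_days=INACTIVITY_DAYS):
    """Return [(user, reason, days_idle)] for users whose console password
    has not been used within inactivity_days.

    Root ('not_supported') and users without a password ('false') are
    skipped. Never-used passwords are measured from user_creation_time,
    so a brand-new user is not flagged until the period has elapsed."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=inactivity_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue
        last_used = _parse_ts(row["password_last_used"])
        if last_used is None:
            reference, reason = _parse_ts(row["user_creation_time"]), "never used"
        else:
            reference, reason = last_used, "last used"
        if reference is not None and reference < cutoff:
            findings.append((row["user"], reason, (now - reference).days))
    return findings


if __name__ == "__main__":
    for user, reason, days in unused_console_users(SAMPLE_REPORT, now=SAMPLE_NOW):
        print(f"{user}: console password {reason}, idle {days} days")
```

With the sample data, john.doe (last sign-in in January) and bob (never signed in, created in 2023) are flagged at the 45-day default; alice and newhire are not. Raising the period to 365 days leaves only bob, which is the kind of tuning worth doing before turning this into an automated remediation.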

Risk

Unused console credentials create opportunities for attackers:

  • Password attacks: Dormant accounts are targets for password spraying and credential stuffing
  • Breach reuse: If credentials are leaked elsewhere, attackers can try them on your AWS console
  • Unauthorized access: Compromised inactive credentials give attackers whatever the user's IAM permissions allow in the console, which is often enough to browse, modify, or exfiltrate data

The longer credentials sit unused, the higher the risk they have been forgotten about and left with overly broad permissions.

Remediation Steps

Prerequisites

You need IAM permissions to manage user credentials. Specifically, you need iam:DeleteLoginProfile permission for the affected user(s).

Required IAM permissions

To remediate this finding, your IAM identity needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

For least privilege, replace the Resource: "*" with the specific user ARN(s) you need to manage.

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to IAM (search for "IAM" in the top search bar)
  3. In the left sidebar, click Users
  4. Find and click on the user flagged by this check
  5. Select the Security credentials tab
  6. In the Console sign-in section, click Manage console access
  7. Select Disable console access
  8. Click Apply

The user will no longer be able to sign in to the AWS Console with a password. If they need console access in the future, you can re-enable it.

AWS CLI (optional)

To disable console access (delete the login profile) for a specific user:

aws iam delete-login-profile \
--user-name <USER_NAME> \
--region us-east-1

Replace <USER_NAME> with the actual IAM username. IAM is a global service, so the value passed to --region does not affect which user is targeted; it is included only because the CLI needs a region to be set.

Example:

aws iam delete-login-profile \
--user-name john.doe \
--region us-east-1

Note: This command will fail with NoSuchEntity if the user does not have a login profile (console access is already disabled).

To check if a user has console access before attempting to remove it:

aws iam get-login-profile \
--user-name <USER_NAME> \
--region us-east-1
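
The same check-then-delete sequence as a re-runnable batch function, added here as an example (not code from the original page or from the tool that raises the finding). It calls DeleteLoginProfile directly and treats a NoSuchEntity error as "already disabled", which removes the need for the separate GetLoginProfile call and makes the function safe to run twice. The FakeIam class is an offline stand-in for boto3.client("iam") so the example runs without AWS access; it is constructed for illustration and is not an AWS API. With a real client, the exceptions are botocore ClientError objects, which carry the error code in exc.response["Error"]["Code"] exactly as the helper below expects.

```python
"""Idempotent console-access removal for a batch of IAM users."""


def error_code(exc):
    """Return the AWS error code carried by a botocore ClientError
    (exc.response['Error']['Code']), or None for any other exception."""
    response = getattr(exc, "response", None)
    if isinstance(response, dict):
        return response.get("Error", {}).get("Code")
    return None


def disable_console_access(iam, user_name):
    """Delete the user's login profile.

    Returns 'disabled' when a profile was removed and 'already-disabled'
    when DeleteLoginProfile reported NoSuchEntity. Any other error
    (AccessDenied, throttling) propagates so the caller sees it."""
    try:
        iam.delete_login_profile(UserName=user_name)
    except Exception as exc:
        if error_code(exc) == "NoSuchEntity":
            return "already-disabled"
        raise
    return "disabled"


def disable_many(iam, user_names, known_users=None):
    """Apply disable_console_access to each name.

    NoSuchEntity is also the error for a user that does not exist, so a
    misspelled name would otherwise look like a success. If known_users
    (for example the names returned by ListUsers) is given, names outside
    it are reported as 'unknown-user' instead of being touched."""
    results = {}
    for name in user_names:
        if known_users is not None and name not in known_users:
            results[name] = "unknown-user"
            continue
        results[name] = disable_console_access(iam, name)
    return results


class _FakeClientError(Exception):
    """Mimics the shape of botocore's ClientError (assumed for offline use)."""

    def __init__(self, code, message):
        super().__init__(f"An error occurred ({code}): {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeIam:
    """Offline stand-in for boto3.client('iam') supporting only
    delete_login_profile. Constructed for this example, not an AWS API."""

    def __init__(self, users_with_password, denied=()):
        self.with_password = set(users_with_password)
        self.denied = set(denied)  # users the caller is not allowed to modify
        self.calls = []

    def delete_login_profile(self, UserName):
        self.calls.append(UserName)
        if UserName in self.denied:
            raise _FakeClientError(
                "AccessDenied",
                f"not authorized to perform iam:DeleteLoginProfile on user {UserName}")
        if UserName not in self.with_password:
            raise _FakeClientError(
                "NoSuchEntity", f"Login Profile for User {UserName} cannot be found.")
        self.with_password.discard(UserName)
        return {}


if __name__ == "__main__":
    iam = FakeIam(["john.doe", "bob"])
    print(disable_many(iam, ["john.doe", "bob", "svc-deploy", "jhon.doe"],
                       known_users={"john.doe", "bob", "svc-deploy"}))
```

To use it against a real account, replace FakeIam with boto3.client("iam") and pass the names from list_users() as known_users; the policy in the Required IAM permissions section already grants iam:ListUsers for exactly this purpose.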

CloudFormation (optional)

When creating IAM users via CloudFormation, simply omit the LoginProfile property to ensure console access is not enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM User without console access (no login profile)

Parameters:
  UserName:
    Type: String
    Description: Name of the IAM user to create
    MinLength: 1
    MaxLength: 64

Resources:
  IAMUserNoConsole:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref UserName
      # Note: No LoginProfile property means no console access
      Tags:
        - Key: Purpose
          Value: ProgrammaticAccessOnly

Outputs:
  UserArn:
    Description: ARN of the created IAM user
    Value: !GetAtt IAMUserNoConsole.Arn

To disable console access for an existing CloudFormation-managed user:

  1. Remove the LoginProfile property from your template
  2. Update the stack

Important: CloudFormation cannot directly remove a login profile that was created outside of CloudFormation. In that case, use the Console or CLI method.

Terraform (optional)

To create an IAM user without console access, do not include an aws_iam_user_login_profile resource:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "user_name" {
  description = "Name of the IAM user"
  type        = string
}

# IAM User without console access
resource "aws_iam_user" "user" {
  name = var.user_name

  tags = {
    Purpose = "ProgrammaticAccessOnly"
  }
}

# IMPORTANT: To disable console access, do NOT include an
# aws_iam_user_login_profile resource. If you have an existing
# login profile, remove it from your Terraform configuration
# and run terraform apply.

To disable console access for an existing Terraform-managed user:

  1. Remove the aws_iam_user_login_profile resource from your configuration
  2. Run terraform apply

Terraform will delete the login profile, disabling console access.

Verification

After remediation, confirm that console access has been disabled:

  1. Go to IAM > Users in the AWS Console
  2. Click on the remediated user
  3. Check the Security credentials tab
  4. Under Console sign-in, it should show "Console access: Disabled" or similar

CLI verification

Run the following command to verify the login profile has been removed:

aws iam get-login-profile \
--user-name <USER_NAME> \
--region us-east-1

If console access is disabled, you will see an error:

An error occurred (NoSuchEntity) when calling the GetLoginProfile operation:
Login Profile for User <USER_NAME> cannot be found.

This error confirms that the user no longer has console access.

Additional Resources

Notes

  • This only disables console access. Any access keys the user has for programmatic access remain active; audit them separately, for example with aws iam list-access-keys --user-name <USER_NAME> and aws iam get-access-key-last-used --access-key-id <ACCESS_KEY_ID>.
  • MFA requirement: If the user needs console access in the future, enable MFA as an additional security measure.
  • Federation alternative: For organizations with many users, consider AWS IAM Identity Center (SSO) or federation instead of individual IAM user passwords.
  • Regular reviews: Set up a periodic access review process to catch unused credentials before they become a security risk.