Kloudle
academy

How to remove an IAM User using AWS CLI

Pragti Chauhan
#aws #user #cloudsecurity #IAM

Introduction

IAM users that have not been used for a long period of time, or that have never been used since creation, are a security risk and must be periodically reviewed and removed from the AWS account. The principle of least access and least privilege must be followed at all times.

Having users that have not been used for a long time creates an attack surface that could be abused by attackers. It is a security best practice to create and have only the users (with strictly mapped privileges) that are required for the function of the AWS account.

In this article we will take a look at how to remove an IAM User using AWS CLI.

Remove an IAM User using AWS CLI

Following are the steps to remove an IAM User using AWS CLI:

  1. Select the IAM User that you want to delete. To get the list of all IAM Users, run the following command:

    aws iam list-users


  2. If the IAM User to be deleted is part of any group(s), remove the user from those groups before deleting the user. List the group(s) that the user is part of by running the following command:

    aws iam list-groups-for-user --user-name <User_name>


  3. To remove the user from a group, run the following command. Repeat it for each group until the user has been removed from all the groups that it was added to:

    aws iam remove-user-from-group --user-name <User_name> --group-name <Group_name>


  4. Run the following command to delete the selected IAM User:

    aws iam delete-user --user-name <IAM_username>

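Steps 2 to 4 combined into one function, added here as an example (it is not code from the original article). It goes beyond the listed steps: through the CLI, `delete-user` is also refused while the user still has access keys, attached or inline policies, or a console password, so those are removed as well. The function names and the `DRY_RUN` variable are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. DRY_RUN=1 (the default) only
# prints the changes; set DRY_RUN=0 to apply them.

# Run a mutating command, or print it when in dry-run mode.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "DRY-RUN: $*"; else "$@"; fi
}

# list_names <iam list subcommand> <JMESPath query> <user>: names as plain text.
list_names() {
  aws iam "$1" --user-name "$3" --query "$2" --output text
}

remove_iam_user() {
  local user="$1" item
  [ -n "$user" ] || { echo "usage: remove_iam_user <User_name>" >&2; return 2; }
  # Stop early if the user does not exist or the caller lacks permission.
  aws iam get-user --user-name "$user" >/dev/null || return 1

  # Steps 2 and 3 of the article: leave every group.
  for item in $(list_names list-groups-for-user 'Groups[].GroupName' "$user"); do
    run aws iam remove-user-from-group --user-name "$user" --group-name "$item" || return 1
  done
  # Beyond the article: credentials and policies also block delete-user.
  for item in $(list_names list-access-keys 'AccessKeyMetadata[].AccessKeyId' "$user"); do
    run aws iam delete-access-key --user-name "$user" --access-key-id "$item" || return 1
  done
  for item in $(list_names list-attached-user-policies 'AttachedPolicies[].PolicyArn' "$user"); do
    run aws iam detach-user-policy --user-name "$user" --policy-arn "$item" || return 1
  done
  for item in $(list_names list-user-policies 'PolicyNames[]' "$user"); do
    run aws iam delete-user-policy --user-name "$user" --policy-name "$item" || return 1
  done
  # Console password: the call fails harmlessly when the user has none.
  run aws iam delete-login-profile --user-name "$user" 2>/dev/null || true

  # Step 4 of the article.
  run aws iam delete-user --user-name "$user"
}
```

MFA devices, SSH public keys, signing certificates and service-specific credentials are not handled here; if the user has any, `delete-user` fails until they are removed.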
