Part 1: Managing IAM Users and their groups; managing user deprovisioning

The journey to writing a user provisioning and deprovisioning process for AWS Labs…in PowerShell

| Action | PowerShell Command |
| --- | --- |
| Create User | New-IAMUser -UserName $user |
| Create Console Password | New-IAMLoginProfile -UserName $user |
| Change Console Password | Update-IAMLoginProfile -UserName $user |
| Add User to Group | Add-IAMUserToGroup -UserName $user -GroupName $group |
| Remove User from Group | Remove-IAMUserFromGroup -UserName $user -GroupName $group |
| Remove the IAM User | Remove-IAMUser -UserName $user |

Get the Account ID and use the following URL for login

Generic Steps

  1. Create the console users, letting whoever runs the script choose between user names generated from a pattern and user names read from a given .csv file.
  2. Create the console user and create a password for that user.
  3. Add the user to a particular group that has the IAM policies attached to it.
  4. The script will then either wait a certain amount of time after the users were created, or the admin can manually run the user deletion script. The user will then be removed from the group (thus removing access) and the password will be changed. The easiest way to remove access is to delete the user.
  5. Later scripts will somehow delete the resources that were created at the end of the day.
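
Steps 1 to 4 as an added PowerShell example (not the author's script, which is linked rather than shown on this page). The function names, the `LabStudents` group, the `lab-userNN` pattern and the `UserName` CSV column are hypothetical; it assumes the AWS.Tools.IdentityManagement module, configured credentials, and lab users that hold no directly attached policies or MFA devices.

```powershell
Import-Module AWS.Tools.IdentityManagement   # assumption: AWS Tools for PowerShell is installed

function New-LabPassword {
    # 18 bytes from the OS CSPRNG; the fixed suffix only satisfies common complexity rules
    $bytes = New-Object byte[] 18
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes); $rng.Dispose()
    [Convert]::ToBase64String($bytes) + '!aA1'
}

function New-LabUser {
    param([string[]]$UserName, [string]$GroupName)
    foreach ($user in $UserName) {
        $password = New-LabPassword
        New-IAMUser -UserName $user | Out-Null
        # Forced reset at first sign-in; the group policy must allow iam:ChangePassword
        New-IAMLoginProfile -UserName $user -Password $password -PasswordResetRequired $true | Out-Null
        Add-IAMUserToGroup -UserName $user -GroupName $GroupName
        [pscustomobject]@{ UserName = $user; InitialPassword = $password }
    }
}

function Remove-LabUser {
    param([string[]]$UserName)
    foreach ($user in $UserName) {
        # IAM refuses to delete a user that still has group memberships,
        # a login profile or access keys, so clear those first
        foreach ($group in (Get-IAMGroupForUser -UserName $user)) {
            Remove-IAMUserFromGroup -UserName $user -GroupName $group.GroupName -Force
        }
        try { Remove-IAMLoginProfile -UserName $user -Force } catch { Write-Verbose "No console password for $user" }
        foreach ($key in (Get-IAMAccessKey -UserName $user)) {
            Remove-IAMAccessKey -UserName $user -AccessKeyId $key.AccessKeyId -Force
        }
        Remove-IAMUser -UserName $user -Force
    }
}

# Names from a pattern (lab-user01 .. lab-user05), or from a CSV with a UserName column
$users = 1..5 | ForEach-Object { 'lab-user{0:d2}' -f $_ }
# $users = (Import-Csv .\labusers.csv).UserName
$created = New-LabUser -UserName $users -GroupName 'LabStudents'
# At the end of the lab:
# Remove-LabUser -UserName $users
```

`$created` holds the initial passwords in clear text, so hand them out over a protected channel and do not write them to a log or a shared file.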

The code thus far to Create the Lab User Account and delete the lab users accounts can be found here:
