AWS - IAM - Delete IAMUser
- Table of Contents
- 1. Description
- 2. Severity Level
- 3. When to use?
- 4. Playbook steps:
- 5. Prerequisites
- 6. FAQ
Description
This playbook describes how to execute the Tamnoon IAMHelper automation to delete an IAM user.
The execution resolves AWS credentials with the following fallbacks:
- If an AWS profile, or an AWS access key and secret, were given, use them as the AWS credentials source.
- If no profile was given, use the AWS environment variables.
- If no environment variables are set, use the current ~/.aws configuration.
After authenticating via the AWS API, the script runs against the AWS account that owns the credentials resolved by fallbacks 1–3 (see above). Because a delete is irreversible, confirm which account that is (for example with aws sts get-caller-identity) before running without --dryRun.
Tamnoon’s solution streamlines the process to delete IAM user accounts safely and efficiently, reducing the risk of leaving unused credentials active in your AWS environment.
This IAM automation supports scalable remediation workflows, making it ideal for managing identity and access policies across complex cloud infrastructures. It’s especially useful in compliance-driven organizations that require timely user deactivation following role changes or departures. The modular design allows integration into broader security operations, promoting consistent and auditable IAM governance across multiple AWS accounts and regions.
Severity Level
High – Unused or orphaned IAM users pose significant security risks. Regular cleanup is essential for strong access control and compliance.
When to use?
Use this playbook when offboarding users, deactivating unused IAM accounts, or cleaning up access in AWS environments. It helps maintain least privilege and reduce unnecessary security exposure.
Playbook steps:
- Clone the folder AWS/Automation/IAMHelper
- Execute the automation from the /AWS directory:
i. Using CLI parameters:
python3 -m Automations.IAMActions.IAMHelper --profile --type IAMUser --action delete --assetIds --dryRun
or
python3 -m Automations.IAMActions.IAMHelper --awsAccessKey --awsSecret --type IAMUser --action delete --assetIds --dryRun
or
python3 -m Automations.IAMActions.IAMHelper --awsAccessKey --awsSecret --awsSessionToken --type IAMUser --action delete --assetIds --dryRun
ii. Using a YAML file: a YAML file is a text file with a .yml or .yaml extension whose content has the format:
key1: value1
key2: value2
iii. For this playbook the YAML file should look like:
profile:
type: IAMUser
action: delete
regions:
actionParams: {"rollBack":}
dryRun:
assetIds:
iv. And the execution line:
python3 -m Automations.IAMActions.IAMHelper --file
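What a delete action has to do under the hood, as an added example that is not Tamnoon's IAMHelper code: AWS rejects iam:DeleteUser while the user still has access keys, a login profile, MFA devices, attached or inline policies, or group memberships, so those must be stripped first, and a dryRun switch like the playbook's should report the plan without touching anything. The function takes any object exposing the boto3 IAM client methods named below; FakeIAM is a constructed in-memory stand-in (with constructed sample data) so the example runs offline, and a real boto3.client("iam") can be passed in its place.

```python
# Added example (not Tamnoon's IAMHelper code): the clean-up AWS requires before
# DeleteUser succeeds, with a dry-run switch. FakeIAM is a constructed stand-in
# for the boto3 IAM client; the method names and keyword arguments match boto3.


def delete_iam_user(iam, user_name, dry_run=True):
    """Return the ordered list of actions taken (or only planned when dry_run)."""
    actions = []

    def do(description, call, **kwargs):
        actions.append(description)
        if not dry_run:
            call(**kwargs)

    # Long-lived credentials first: they are what a departed user may still hold.
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        do(f"delete access key {key['AccessKeyId']}", iam.delete_access_key,
           UserName=user_name, AccessKeyId=key["AccessKeyId"])
    # Console password (GetLoginProfile raises NoSuchEntity when there is none).
    try:
        iam.get_login_profile(UserName=user_name)
        do("delete login profile", iam.delete_login_profile, UserName=user_name)
    except iam.exceptions.NoSuchEntityException:
        pass
    # MFA must be deactivated before the user can go (a virtual device also needs
    # delete_virtual_mfa_device afterwards to free its serial; omitted here).
    for dev in iam.list_mfa_devices(UserName=user_name)["MFADevices"]:
        do(f"deactivate MFA {dev['SerialNumber']}", iam.deactivate_mfa_device,
           UserName=user_name, SerialNumber=dev["SerialNumber"])
    # Managed policies are detached, inline policies are deleted outright.
    for pol in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        do(f"detach policy {pol['PolicyArn']}", iam.detach_user_policy,
           UserName=user_name, PolicyArn=pol["PolicyArn"])
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        do(f"delete inline policy {name}", iam.delete_user_policy,
           UserName=user_name, PolicyName=name)
    for grp in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        do(f"remove from group {grp['GroupName']}", iam.remove_user_from_group,
           GroupName=grp["GroupName"], UserName=user_name)
    do(f"delete user {user_name}", iam.delete_user, UserName=user_name)
    return actions


class FakeIAM:
    """Constructed stand-in mirroring the boto3 IAM client calls used above."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users):
        self.users = users  # user name -> dict of attached items (test data)

    def _u(self, name):
        if name not in self.users:
            raise self.exceptions.NoSuchEntityException(name)
        return self.users[name]
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self._u(UserName)["keys"]]}
    def delete_access_key(self, UserName, AccessKeyId):
        self._u(UserName)["keys"].remove(AccessKeyId)
    def get_login_profile(self, UserName):
        if not self._u(UserName)["login"]:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName}}
    def delete_login_profile(self, UserName):
        self._u(UserName)["login"] = False
    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in self._u(UserName)["mfa"]]}
    def deactivate_mfa_device(self, UserName, SerialNumber):
        self._u(UserName)["mfa"].remove(SerialNumber)
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self._u(UserName)["managed"]]}
    def detach_user_policy(self, UserName, PolicyArn):
        self._u(UserName)["managed"].remove(PolicyArn)
    def list_user_policies(self, UserName):
        return {"PolicyNames": list(self._u(UserName)["inline"])}
    def delete_user_policy(self, UserName, PolicyName):
        self._u(UserName)["inline"].remove(PolicyName)
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self._u(UserName)["groups"]]}
    def remove_user_from_group(self, GroupName, UserName):
        self._u(UserName)["groups"].remove(GroupName)
    def delete_user(self, UserName):
        u = self._u(UserName)
        if any([u["keys"], u["login"], u["mfa"], u["managed"], u["inline"], u["groups"]]):
            raise RuntimeError("DeleteConflict: user still has attached items")
        del self.users[UserName]


def sample_account():
    """Constructed sample: one user with the leftovers a departed employee typically has."""
    return FakeIAM({"alice": {
        "keys": ["AKIAEXAMPLE0000001"], "login": True,
        "mfa": ["arn:aws:iam::123456789012:mfa/alice"],
        "managed": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        "inline": ["s3-scratch"], "groups": ["Developers"]}})


if __name__ == "__main__":
    for step in delete_iam_user(sample_account(), "alice", dry_run=True):
        print("[dryRun]", step)
```

Against a real account the list_* calls should go through boto3 paginators, and users that also carry signing certificates, SSH public keys or service-specific credentials need those removed as well before DeleteUser will succeed. The dry run above returns the same ordered plan the real run executes, which is what makes it useful as a pre-flight review of an assetIds list.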
Prerequisites
- AWS credentials defined on the execution machine with permission to delete IAM users, including the permissions to remove each user's access keys, login profile, MFA devices, policies and group memberships first (AWS refuses to delete a user that still has any of these attached)
- Python v3.6 or above with the boto3 package installed (pip install boto3)
FAQ
What is the safest way to delete an IAM user in AWS?
Run the playbook with --dryRun first: it reports which of the users in assetIds would be deleted without changing anything. Confirm that the credentials resolve to the intended account and that the listed users are really unused (the IAM credential report and the access key "last used" data are the usual checks), then re-run without --dryRun. Deletion is irreversible, so treat the dry run as a mandatory review step rather than an option.
Can I use this playbook to bulk delete IAM users?
Yes, the playbook accepts a list of user IDs under the assetIds parameter, allowing multiple IAM users to be deleted in a single automated run using CLI or YAML input.
What permissions are required to run the IAMHelper automation script?
At minimum iam:DeleteUser on the target users, plus the permissions needed to strip each user's dependencies first, since AWS rejects DeleteUser while any remain: iam:ListAccessKeys and iam:DeleteAccessKey, iam:GetLoginProfile and iam:DeleteLoginProfile, iam:ListMFADevices and iam:DeactivateMFADevice, iam:ListAttachedUserPolicies and iam:DetachUserPolicy, iam:ListUserPolicies and iam:DeleteUserPolicy, iam:ListGroupsForUser and iam:RemoveUserFromGroup, and the equivalents for signing certificates, SSH public keys and service-specific credentials if the users have them.
What’s the difference between using CLI parameters and a YAML file in this IAM automation?
The CLI method allows quick, one-time execution with flags, while the YAML method supports structured configurations ideal for repeated or complex executions, enhancing consistency in IAM automation workflows.
Can I roll back a deleted IAM user using this playbook?
While the playbook allows you to set an actionParams value like {"rollBack": True}, the exact rollback capabilities depend on how your environment is configured and backed up.