Quick Fix: Deactivate IAM User Password and Remove AWS Console Access

Outcome

The IAM user will no longer be able to sign in to the AWS Management Console using a password. This prevents console access for stale or unnecessary human user accounts while preserving the user's other credentials (access keys, MFA devices, etc.).

For example, after applying this fix:

  • An IAM user former-contractor whose password hasn't been used in 90 days will be unable to sign in to the console
  • An IAM user ci-runner that should only use API access keys will no longer have an unnecessary console password

Fix

Delete the user's login profile to remove their console password. Deleting the login profile via the CLI is equivalent to choosing "Remove console access" for a user in the AWS console. The user can be granted a new password later with create-login-profile if needed.

Step 1: Set the target user

USER_NAME="the-user-to-restrict"

Step 2: Delete the login profile

aws iam delete-login-profile --user-name "${USER_NAME}"

Verify the fix

Confirm the login profile has been deleted:

aws iam get-login-profile --user-name "${USER_NAME}" 2>&1

This should return a NoSuchEntity error, confirming the password has been removed.

Gotcha

Deleting the login profile only removes the console password -- it does not disable the user's access keys. If the user also has active access keys, they can still make API calls. To fully block API access, deactivate their access keys separately (see Deactivate IAM user API access key).
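
The verification step and the gotcha above can be combined into one check. The script below is an added example, not part of the original page: it treats only a NoSuchEntity error as proof that the password is gone (any other error, such as AccessDenied, means the check itself failed) and reports any access keys that are still active. The function names are hypothetical, and it assumes the AWS CLI is configured with permission to call GetLoginProfile and ListAccessKeys.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.

# Print the console-password state of an IAM user:
#   removed - GetLoginProfile failed with NoSuchEntity (no login profile)
#   present - a login profile still exists
#   error   - any other failure (e.g. AccessDenied); this proves nothing
console_password_state() {
  local user="$1" out
  if out="$(aws iam get-login-profile --user-name "${user}" 2>&1)"; then
    echo "present"
  else
    case "${out}" in
      *NoSuchEntity*) echo "removed" ;;
      *)              echo "error" ;;
    esac
  fi
}

# Print the IDs of the user's access keys whose status is still Active.
active_access_keys() {
  aws iam list-access-keys --user-name "$1" \
    --query "AccessKeyMetadata[?Status=='Active'].AccessKeyId" --output text
}

# Exit status: 0 = password removed, 1 = still present, 2 = could not check.
verify_console_access_removed() {
  local user="$1" keys
  case "$(console_password_state "${user}")" in
    removed) echo "OK: ${user} has no console password" ;;
    present) echo "FAIL: ${user} still has a login profile"; return 1 ;;
    *)       echo "UNKNOWN: could not read login profile of ${user}"; return 2 ;;
  esac
  keys="$(active_access_keys "${user}")" || return 2
  if [ -n "${keys}" ] && [ "${keys}" != "None" ]; then
    echo "NOTE: ${user} can still call the API with active keys: ${keys}"
  fi
}

# Run the check when a user name is passed on the command line.
if [ "$#" -gt 0 ]; then
  verify_console_access_removed "$1"
fi
```

Save it as a script and pass the user name as the first argument, or source it and call verify_console_access_removed "${USER_NAME}".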


Last update: February 5, 2026