AWS Identity and Access Management
User Guide

Managing IAM Users

Amazon Web Services offers multiple tools for managing the IAM users in your AWS account.

Listing IAM Users

You can list the IAM users in your AWS account or in a specific IAM group, and list all the groups that a user is in. For information about the permissions that you need in order to list users, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

To list all the users in the account

To list the users in a specific group

To list all the groups that a user is in

Renaming an IAM User

To change a user's name or path, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API. There is no option in the console to rename a user. For information about the permissions that you need in order to rename a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

When you change a user's name or path, the following happens:

  • Any policies attached to the user stay with the user under the new name.

  • The user stays in the same groups under the new name.

  • The unique ID for the user remains the same. For more information about unique IDs, see Unique IDs.

  • Any resource or role policies that refer to the user as a principal (the user is being granted access) are automatically updated to use the new name or path. For example, any queue-based policies in Amazon SQS or resource-based policies in Amazon S3 are automatically updated to use the new name and path.

IAM does not automatically update policies that refer to the user as a resource to use the new name or path; you must manually do that. For example, imagine that user Bob has a policy attached to him that lets him manage his security credentials. If an administrator renames Bob to Robert, the administrator also needs to update that policy to change the resource from this:

arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/Bob

to this:

arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/Robert

This is true also if an administrator changes the path; the administrator needs to update the policy to reflect the new path for the user.
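The manual fix-up described above, as an added example that is not part of the AWS documentation: a Python helper that rewrites exact references to the old user ARN in a policy document and flags path wildcards that matched the old ARN but no longer match the new one after a path change. The sample policy and the `find_stale_references` name are constructed for this example.

```python
import copy
import fnmatch

# Constructed sample policy (not from the page): the policy attached to user Bob
# refers to him as a resource, once by exact ARN and once via a path wildcard.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*AccessKey*",
         "Resource": "arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/Bob"},
        {"Effect": "Allow", "Action": "iam:GetUser",
         "Resource": ["arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/*",
                      "arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/Bob"]},
    ],
}


def find_stale_references(policy, old_arn, new_arn):
    """Return (updated_policy, exact_fixed, wildcard_misses).

    Exact Resource/NotResource matches on old_arn are rewritten to new_arn.
    Wildcard patterns that matched old_arn but do not match new_arn (typical
    after a path change) are reported, not rewritten, so an admin can decide.
    """
    updated = copy.deepcopy(policy)
    statements = updated.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    exact_fixed, wildcard_misses = [], []
    for idx, stmt in enumerate(statements):
        for key in ("Resource", "NotResource"):
            if key not in stmt:
                continue
            as_list = isinstance(stmt[key], list)
            values = stmt[key] if as_list else [stmt[key]]
            rewritten = []
            for value in values:
                if value == old_arn:
                    rewritten.append(new_arn)
                    exact_fixed.append((idx, key))
                    continue
                if (any(c in value for c in "*?")
                        and fnmatch.fnmatchcase(old_arn, value)
                        and not fnmatch.fnmatchcase(new_arn, value)):
                    wildcard_misses.append((idx, key, value))
                rewritten.append(value)
            stmt[key] = rewritten if as_list else rewritten[0]
    return updated, exact_fixed, wildcard_misses
```

Run it once with the rename-only ARN and once with a new path: the first rewrites both exact references cleanly, the second additionally reports the `subdivision_xyz/*` pattern that would silently stop matching the moved user.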

To rename a user

Deleting an IAM User

You might delete an IAM user from your account if someone quits your company. If the user is only temporarily away from your company, you can disable the user's credentials instead of deleting the user entirely from the AWS account. That way, you can prevent the user from accessing the AWS account's resources during the absence but you can re-enable the user later.

For more information about disabling credentials, see Managing Access Keys for IAM Users. For information about the permissions that you need in order to delete a user, see Delegating Permissions to Administer IAM Users, Groups, and Credentials.

Deleting an IAM User (AWS Management Console)

When you use the AWS Management Console to delete an IAM user, IAM automatically deletes the following information for you:

  • The user

  • Any group memberships—that is, the user is removed from any IAM groups that the user was a member of

  • Any password associated with the user

  • Any access keys belonging to the user

  • All inline policies embedded in the user (policies that are applied to a user via group permissions are not affected)

    Note

    Any managed policies attached to the user are detached from the user when the user is deleted. Managed policies are not deleted when you delete a user.

  • Any associated MFA device

To use the AWS Management Console to delete an IAM user

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users, and then select the check box next to the user name that you want to delete, not the name or row itself.

  3. At the top of the page, choose Delete user.

  4. In the confirmation dialog box, wait for the service last accessed data to load before you review the data. The dialog box shows when each of the selected users last accessed an AWS service. If you attempt to delete a user that has been active within the last 30 days, you must select an additional check box to confirm that you want to delete the active user. If you want to proceed, choose Yes, Delete.

Deleting an IAM User (AWS CLI and Tools for Windows PowerShell)

Unlike the AWS Management Console, when you delete a user with the AWS CLI or Tools for Windows PowerShell you have to delete the items attached to the user manually. This procedure illustrates the process. For a complete PowerShell code snippet, see the example in Remove-IAMUser.

To use the AWS CLI to delete a user from your account

  1. Delete the user's keys and certificates. This helps ensure that the user can't access your AWS account's resources anymore. Note that when you delete a security credential, it's gone forever and can't be retrieved.

    aws iam delete-access-key and aws iam delete-signing-certificate

  2. Delete the user's password, if the user has one.

    aws iam delete-login-profile

  3. Deactivate the user's MFA device, if the user has one.

    aws iam deactivate-mfa-device

  4. Detach any policies that are attached to the user.

    aws iam list-attached-user-policies (to list the policies attached to the user) and aws iam detach-user-policy (to detach the policies)

  5. Get a list of any groups the user was in, and remove the user from those groups.

    aws iam list-groups-for-user and aws iam remove-user-from-group

  6. Delete the user.

    aws iam delete-user
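The same ordered teardown as the AWS CLI procedure above (and the Tools for Windows PowerShell procedure that follows), written as an added boto3 example that is not AWS's own code. It goes one step further than the listed commands by also deleting inline policies, since delete-user refuses with a DeleteConflict while any remain; it assumes `iam` is a boto3 IAM client (or a stand-in with the same method names) and that each listing fits in a single page.

```python
def delete_iam_user(iam, user_name):
    """Remove everything attached to user_name, then delete the user.

    iam is a boto3 IAM client (assumed; any object with the same method names
    works). Returns the (kind, identifier) pairs removed, in order, for logging.
    """
    done = []
    # 1. Credentials first, so the user loses API access before anything else.
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"])
        done.append(("access-key", key["AccessKeyId"]))
    for cert in iam.list_signing_certificates(UserName=user_name)["Certificates"]:
        iam.delete_signing_certificate(UserName=user_name,
                                       CertificateId=cert["CertificateId"])
        done.append(("signing-certificate", cert["CertificateId"]))
    # 2. Console password, if any (NoSuchEntity means there was no password).
    try:
        iam.delete_login_profile(UserName=user_name)
        done.append(("login-profile", user_name))
    except iam.exceptions.NoSuchEntityException:
        pass
    # 3. MFA devices.
    for dev in iam.list_mfa_devices(UserName=user_name)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=user_name, SerialNumber=dev["SerialNumber"])
        done.append(("mfa-device", dev["SerialNumber"]))
    # 4. Managed policies are detached (they survive); inline policies are
    #    deleted, since delete_user fails with DeleteConflict while any remain.
    for pol in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user_name, PolicyArn=pol["PolicyArn"])
        done.append(("managed-policy", pol["PolicyArn"]))
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        iam.delete_user_policy(UserName=user_name, PolicyName=name)
        done.append(("inline-policy", name))
    # 5. Group memberships.
    for grp in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=user_name)
        done.append(("group", grp["GroupName"]))
    # 6. Only now can the user itself be deleted.
    iam.delete_user(UserName=user_name)
    done.append(("user", user_name))
    return done


if __name__ == "__main__":
    import boto3  # imported here so the module loads even without boto3
    for kind, ident in delete_iam_user(boto3.client("iam"), "Bob"):
        print(f"removed {kind}: {ident}")
```

The returned list doubles as an audit trail of what was revoked and in what order, which is worth keeping alongside the offboarding ticket.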

To use the Tools for Windows PowerShell to delete a user from your account

  1. Delete the user's keys and certificates. This helps ensure that the user can't access your AWS account's resources anymore. Note that when you delete a security credential, it's gone forever and can't be retrieved.

    Remove-IAMAccessKey and Remove-IAMSigningCertificate

  2. Delete the user's password, if the user has one.

    Remove-IAMLoginProfile

  3. Deactivate the user's MFA device, if the user has one.

    Disable-IAMMFADevice

  4. Detach any policies that are attached to the user.

    Get-IAMAttachedUserPolicies (to list the policies attached to the user) and Remove-IAMUserPolicy (to detach the policies).

  5. Get a list of any groups the user was in, and remove the user from those groups.

    Get-IAMGroupForUser and Remove-IAMUserFromGroup.

  6. Delete the user.

    Remove-IAMUser