feat: surface IAM user console access (LoginProfile) status #123
c1-dev-bot[bot] wants to merge 1 commit into
Add GetLoginProfile check during IAM user sync to expose whether each user has AWS Management Console access enabled. This allows users to distinguish between IAM users with active console passwords and those without, enabling dormant-account identification and least-privilege review.

New profile fields on IAM user resources:
- console_access_enabled (bool): true if a LoginProfile exists
- password_reset_required (bool): true if user must reset password
- login_profile_created_at (RFC3339 timestamp): when console password was created

Requires iam:GetLoginProfile permission (added to resource type).

Fixes: CXH-1574
Connector PR Review: feat: surface IAM user console access (LoginProfile) status
Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0

Review Summary
This PR adds a

Security Issues
None found.

Correctness Issues
None found.

Suggestions
None.
Summary
- Adds a GetLoginProfile check during IAM user sync to expose whether each user has AWS Management Console access enabled
- New profile fields: console_access_enabled (bool), password_reset_required (bool), login_profile_created_at (RFC3339 timestamp)
- Adds iam:GetLoginProfile to the required IAM permissions for the iam_user resource type

Approach
Uses the per-user GetLoginProfile API call rather than the bulk GenerateCredentialReport/GetCredentialReport approach. This fits the existing code pattern where getLastLogin already makes per-user API calls (ListAccessKeys + GetAccessKeyLastUsed). The GetLoginProfile approach is real-time and authoritative — success means console access is enabled, NoSuchEntity (404) means it's disabled.

If throttle risk at scale becomes an issue, a follow-up could add GenerateCredentialReport as the bulk primary source, but for v1 this approach is simpler and consistent with the connector's existing design.

Test plan
- console_access_enabled: true appears for users with a LoginProfile
- console_access_enabled: false appears for users without a LoginProfile
- password_reset_required and login_profile_created_at are populated when console access is enabled
- Missing iam:GetLoginProfile permission (graceful degradation — logs debug warning, reports false)

Fixes: CXH-1574
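As an added example (not the connector's own code), the outcome mapping that the Approach and Test plan above describe, in Go against stand-in types: LoginProfile, APIError, CallResult and the AccessDenied error code are assumptions rather than the real SDK types, and SampleResults are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ConsoleAccess carries the three fields this PR adds to each IAM user profile.
type ConsoleAccess struct {
	Enabled               bool   // console_access_enabled
	PasswordResetRequired bool   // password_reset_required
	CreatedAt             string // login_profile_created_at (RFC3339), empty when disabled
}

// LoginProfile and APIError are assumed stand-ins for the SDK response and coded error types.
type LoginProfile struct{ CreateDate time.Time; PasswordResetRequired bool }
type APIError struct{ Code string }
func (e *APIError) Error() string { return "iam: " + e.Code }

// ClassifyLoginProfile maps one GetLoginProfile outcome to the profile fields: success ->
// enabled, NoSuchEntity -> disabled, AccessDenied (assumed code for a missing permission) ->
// false plus a debug line. Other errors are returned as-is: a throttle is not "disabled".
func ClassifyLoginProfile(userName string, lp *LoginProfile, err error) (ConsoleAccess, error) {
	if err == nil {
		return ConsoleAccess{Enabled: true, PasswordResetRequired: lp.PasswordResetRequired,
			CreatedAt: lp.CreateDate.UTC().Format(time.RFC3339)}, nil
	}
	var apiErr *APIError
	if errors.As(err, &apiErr) {
		switch apiErr.Code {
		case "NoSuchEntity":
			return ConsoleAccess{}, nil
		case "AccessDenied":
			fmt.Printf("debug: iam:GetLoginProfile denied for %q; reporting false\n", userName)
			return ConsoleAccess{}, nil
		}
	}
	return ConsoleAccess{}, fmt.Errorf("GetLoginProfile %q: %w", userName, err)
}

// CallResult is one raw GetLoginProfile outcome. SampleResults are constructed outcomes for
// a console user with a pending reset, a user with no LoginProfile, and a failed call.
type CallResult struct{ LP *LoginProfile; Err error }
var SampleResults = map[string]CallResult{
	"alice": {&LoginProfile{time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC), true}, nil},
	"bob":   {nil, &APIError{Code: "NoSuchEntity"}},
	"carol": {nil, errors.New("RequestTimeout")},
}
```

The third case is the one the page's design leaves implicit: a transient failure must surface as an error rather than silently becoming console_access_enabled: false.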
Automated PR Notice
This PR was automatically created by c1-dev-bot as a potential implementation.
This code requires: