List AWS IAM users with console passwords which do not have Multi-Factor Authentication (MFA) enabled, categorize them based on MFA Enabled or not and if they are compliant or not based on this rule.

import boto3 import json # Initialize boto3 client for IAM client = boto3.client( 'iam', aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY'), region_name='us-west-2' ) # Get all IAM users users = client.list_users()['Users'] users_with_mfa_status = {} for user in users: username = user['UserName'] # Check if the user has a console password login_profile = None try: login_profile = client.get_login_profile(UserName=username) except client.exceptions.NoSuchEntityException: # User does not have a console password continue # Get MFA devices for the user mfa_devices = client.list_mfa_devices(UserName=username)['MFADevices'] # Determine MFA status mfa_enabled = len(mfa_devices) > 0 compliance_status = 'Compliant' if mfa_enabled else 'Non-Compliant' users_with_mfa_status[username] = { 'MFAEnabled': mfa_enabled, 'ComplianceStatus': compliance_status } # Print the categorized users print(json.dumps(users_with_mfa_status, indent=4, default=str))