Any IAM user that has access to AWS Management console has a login-profile. You can disable a user from logging into the AWS Management Console by deleting the login profile of that user.
aws iam delete-login-profile --user-name username
On the other hand you can provide AWS Management Console access to a user that does not have it by creating the login profile for the user as below – where username is the name of the user and userpassword is the password. If you specify –password-reset-required, the user will be prompted to change their password at the first login.
aws iam create-login-profile --username username --password userpassword --password-reset-required
