Revoke access for deleted users - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Revoke access for deleted users

To immediately revoke access to make authorized API calls when an IAM Identity Center user is either disabled or deleted, you can:

  1. Add or update the inline policy of the permission set(s) assigned to the user by adding an explicit Deny effect for all actions on all resources.

  2. Specify the aws:userid or identitystore:userid condition key.

Alternatively, you can use a Service Control Policy to revoke the user's access across all member accounts in your organization.

Example SCPs to revoke access
{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                 "StringLike": {
                    "aws:UserId": "*:deleteduser@domain.com"
                }
            }
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement" : [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                 "StringEquals": {
                    "identitystore:UserId": "DELETEDUSER_ID"
                }
            }
        }
    ]
}