Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Revoke access for deleted users
Disabling or deleting an IAM Identity Center user does not invalidate the temporary credentials the user has already obtained for a permission set; those remain usable until they expire. To revoke the user's ability to make authorized API calls immediately, you can:
- Add or update the inline policy of each permission set assigned to the user, adding an explicit Deny effect for all actions on all resources.
- Scope that Deny statement to the user with the aws:userid or identitystore:userid condition key, so that it does not deny every other user of the same permission set.
After you change the inline policy, reprovision the permission set so that the change reaches every account it is assigned to.
Alternatively, you can use a Service Control Policy (SCP) to revoke the user's access across all member accounts in your organization. An SCP does not apply to the management account, so permission sets assigned there still need the inline-policy Deny.
Example SCPs to revoke access
For an Identity Center role session, aws:userid has the form role-unique-id:session-name, and the session name is the user's Identity Center user name. The first example therefore uses StringLike with a leading "*:" so that it matches the user in whichever permission-set role they assumed. The second example matches the user's immutable Identity Center user ID exactly with StringEquals.
Example 1: deny by session name (aws:userid)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:UserId": "*:deleteduser@domain.com"
                }
            }
        }
    ]
}
Example 2: deny by Identity Center user ID (identitystore:UserId)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "identitystore:UserId": "DELETEDUSER_ID"
                }
            }
        }
    ]
}
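The following Python script is an added example and is not part of the AWS documentation page. It builds the two Deny statements shown above for a batch of disabled or deleted users (a single SCP can carry both conditions, with several users per key), checks the result against the Organizations SCP size quota, and then evaluates the policy against constructed request contexts to show which sessions each condition key catches: the aws:userid pattern matches the user across every permission-set role, the identitystore:UserId match is exact, and neither touches an unrelated user or an IAM user that did not come through Identity Center. The AROA role IDs, user names and Identity Center user IDs are placeholders, and the evaluator models only the Deny path of the two string operators these policies use.

```python
"""Build and evaluate SCP Deny statements that revoke a disabled or deleted
IAM Identity Center user's access. Added example; not AWS code."""
import fnmatch
import json

# AWS Organizations quota for one SCP document (characters, whitespace included).
SCP_MAX_CHARS = 5120


def build_revocation_scp(usernames, identitystore_user_ids):
    """Return an SCP that denies every action to the listed users.

    aws:userid for an Identity Center role session is
    '<role-unique-id>:<session-name>', and the session name is the user's
    Identity Center user name, so the pattern '*:<user>' matches the user in
    any permission-set role. identitystore:UserId is the Identity Center user
    ID and is matched exactly. Several values under one key are ORed.
    """
    statements = []
    if usernames:
        statements.append({
            "Sid": "DenyBySessionName",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringLike": {"aws:userid": [f"*:{u}" for u in usernames]}},
        })
    if identitystore_user_ids:
        statements.append({
            "Sid": "DenyByIdentityStoreUserId",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringEquals": {"identitystore:UserId": list(identitystore_user_ids)}},
        })
    policy = {"Version": "2012-10-17", "Statement": statements}
    size = len(json.dumps(policy))
    if size > SCP_MAX_CHARS:
        raise ValueError(f"SCP is {size} characters; the Organizations limit is {SCP_MAX_CHARS}")
    return policy


def _condition_matches(condition, context):
    """Evaluate the StringEquals / StringLike operators used by these SCPs.

    Condition key names are case-insensitive. Keys within one statement are
    ANDed; a key absent from the request context makes the condition false,
    so the Deny does not apply to that request.
    """
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, clauses in condition.items():
        for key, patterns in clauses.items():
            value = ctx.get(key.lower())
            if value is None:
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            if operator == "StringEquals":
                if value not in patterns:
                    return False
            elif operator == "StringLike":
                # IAM StringLike: '*' matches any run, '?' one character; case-sensitive.
                if not any(fnmatch.fnmatchcase(value, p) for p in patterns):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_denied(policy, context):
    """True if any Deny statement applies to the request context.
    Only the Deny path is modelled: an SCP Deny overrides every Allow."""
    return any(
        s["Effect"] == "Deny" and _condition_matches(s.get("Condition", {}), context)
        for s in policy["Statement"]
    )


# Constructed request contexts (placeholder identifiers, not real ones).
SAMPLE_CONTEXTS = {
    "deleted_user_existing_session": {
        "aws:userid": "AROAEXAMPLEROLEID01:deleteduser@domain.com",
        "identitystore:UserId": "11111111-2222-3333-4444-555555555555",
    },
    "same_user_other_permission_set": {
        "aws:userid": "AROAEXAMPLEROLEID02:deleteduser@domain.com",
        "identitystore:UserId": "11111111-2222-3333-4444-555555555555",
    },
    "active_user": {
        "aws:userid": "AROAEXAMPLEROLEID01:alice@domain.com",
        "identitystore:UserId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    },
    "iam_user_not_from_identity_center": {
        "aws:userid": "AIDAEXAMPLEIAMUSER01",
    },
}


def evaluate_samples(policy):
    """Map each sample context name to whether the policy denies it."""
    return {name: is_denied(policy, ctx) for name, ctx in SAMPLE_CONTEXTS.items()}


if __name__ == "__main__":
    scp = build_revocation_scp(["deleteduser@domain.com"],
                               ["11111111-2222-3333-4444-555555555555"])
    print(json.dumps(scp, indent=2))
    for name, denied in evaluate_samples(scp).items():
        print(f"{name}: {'DENIED' if denied else 'not matched'}")
```

Write the generated document to a file and load it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://policy.json`, then `aws organizations attach-policy` to the root or OU that contains the member accounts; keep the identitystore:UserId statement even after the user name is reused by someone else, since the user ID is not reused.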