Remove AWS security credentials for outgoing employees
Personnel changes are inevitable at an enterprise, and security teams need to revoke AWS credentials accordingly to ensure the integrity of their cloud data.
When employees leave a company, they often do so with knowledge of the organization's sensitive data. While you can't erase that information from a person's mind, you should immediately delete the employee's AWS security credentials to all systems to safeguard your organization's data.
First, remove the employee's AWS Identity and Access Management (IAM) user credentials so that all resources are inaccessible. When you delete an IAM user in the AWS Management Console, it also deletes that user's AWS security credentials, including group membership, password and access keys.
In general, it's not a good practice to directly attach policies to individual IAM users. Instead, use security groups to assign the right level of access for users. Create groups for various tasks and job roles, such as administrators and developers, and assign required policies to a group. When you apply a policy at the group level, it cascades to each user in that group. When an employee moves to a different department, move the user to a different group to provide a new set of privileges.
If you enabled federation, also disable single sign-on (SSO) access for an employee who leaves, and delete his or her user ID from your directory. While AWS SSO removes the complexity of user account management and increases worker productivity, you must disable access for an employee who leaves, or face potential consequences. For example, a departing employee could share his or her password with an unauthorized person. With illegal access, this person could then create risk in the environment or increase your cloud bill multifold, depending on the privileges and AWS security credentials the person gains.
As part of the shared responsibility model, it's up to admins to correctly manage AWS access keys to avoid giving users programmatic access to Amazon cloud services. Rather than generate access keys for the root user, generate them only for individual IAM users. Additionally, never grant a user access to another person's access keys. If this happens, the user will have the same level of access to an AWS account as the owner.
Also, if an employee with access to multiple keys were to leave, rotate all the keys. In general, it's best practice to regularly rotate keys, use distinct keys for different applications and delete any unused keys.
