Revoke active IAM role sessions created by permission sets
The following is a general procedure for revoking an active permission set session for an IAM Identity Center user. The procedure assumes that you want to remove all access for a user who has compromised credentials or for a bad actor who is in the system. The prerequisite is to have followed the guidance in Prepare to revoke an active IAM role session created by a permission set. We assume that the deny all policy is present in a service control policy (SCP).
Note
AWS recommends you build automation to handle all steps except console-only operations.
1. Obtain the user ID of the person whose access you must revoke. You can use the identity store APIs to find the user by their username.

2. Update the Deny policy in your service control policy (SCP) to add the user ID from step 1. After you complete this step, the target user loses access and can't take actions with any roles that the policy affects.

3. Remove all permission set assignments for the user. If access is assigned through group memberships, remove the user from all groups as well as from all direct permission set assignments. This step prevents the user from assuming any additional IAM roles. If a user has an active AWS access portal session and you disable the user, they can continue to assume new roles until you remove their access.

4. If you use an identity provider (IdP) or Microsoft Active Directory as an identity source, disable the user in the identity source. Disabling the user prevents the creation of additional AWS access portal sessions. Use your IdP or Microsoft Active Directory API documentation to learn how to automate this step. If you're using the IAM Identity Center directory as an identity source, don't disable user access yet. You'll disable user access in step 6.

5. In the IAM Identity Center console, find the user and delete their active session.
   a. Choose Users.
   b. Choose the user whose active session you want to delete.
   c. On the user's detail page, choose the Active sessions tab.
   d. Select the check boxes next to the sessions you want to delete and choose Delete session.
   This ensures that the user's AWS access portal session stops within approximately 60 minutes. Learn about session duration.

6. In the IAM Identity Center console, disable user access.
   a. Choose Users.
   b. Choose the user whose access you want to disable.
   c. On the user's detail page, expand General information and choose Disable user access to prevent the user from signing in again.

7. Leave the Deny policy in place for at least 12 hours. Otherwise, a user who still has an active IAM role session regains the ability to act with that role. If you wait 12 hours, the active sessions expire and the user can't access the IAM role again.
Important
If you disable a user's access before stopping the user session (you completed step 6 without completing step 5), you can no longer stop the user session through the IAM Identity Center console. If you inadvertently disable user access before stopping the user session, you can re-enable the user, stop their session, and then disable their access again.
You can now change the user's credentials if their password was compromised and restore their assignments.
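Step 2 is the step most worth automating: the deny-all SCP document has to be edited so that it names the revoked user before you push it back with organizations:UpdatePolicy. The following Python is an added example, not code from the AWS documentation. It assumes the SCP follows the structure from the Prepare guide, with a Deny statement conditioned on the identitystore:UserId key; that key name, the Sid, and the sample user IDs are assumptions or constructed values.

```python
import json

# Assumption (not stated on this page): the deny-all SCP keys its Deny statement on this condition.
USER_ID_KEY = "identitystore:UserId"
SCP_MAX_BYTES = 5120  # AWS Organizations quota for one SCP document

# Constructed sample SCP, already denying one previously revoked user.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRevokedIdentityCenterUsers",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {USER_ID_KEY: "0a1b2c3d-0000-4000-8000-000000000001"}},
    }],
})


def _deny_statement(policy: dict) -> dict:
    """Locate the Deny statement carrying the user-ID condition; fail loudly if it is missing."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if stmt.get("Effect") == "Deny" and USER_ID_KEY in cond:
            return stmt
    raise ValueError(f"SCP has no Deny statement conditioned on {USER_ID_KEY}")


def revoked_user_ids(policy_json: str) -> list[str]:
    """User IDs the deny statement currently targets (IAM accepts a single string or a list)."""
    value = _deny_statement(json.loads(policy_json))["Condition"]["StringEquals"][USER_ID_KEY]
    return [value] if isinstance(value, str) else list(value)


def add_revoked_user(policy_json: str, user_id: str) -> str:
    """Step 2: add user_id to the deny condition, idempotently, and return compact JSON
    ready for organizations:UpdatePolicy. Rejects a result that breaks the SCP size quota."""
    policy = json.loads(policy_json)
    ids = revoked_user_ids(policy_json)
    if user_id not in ids:
        ids.append(user_id)
    _deny_statement(policy)["Condition"]["StringEquals"][USER_ID_KEY] = ids
    updated = json.dumps(policy, separators=(",", ":"))
    if len(updated.encode()) > SCP_MAX_BYTES:
        raise ValueError("updated SCP exceeds the 5,120-byte quota; prune expired entries first")
    return updated


def denies_user(policy_json: str, user_id: str) -> bool:
    """Sanity check before moving on to step 3: is this user now matched by the Deny statement?"""
    return user_id in revoked_user_ids(policy_json)
```

The returned document is what you would pass as Content to UpdatePolicy; the size check matters because a revocation list that grows for months will eventually hit the quota at the worst possible moment.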