How to revoke federated access immediately
Topic: Accounts access
Summary
Revoke a user's access to AWS when they use IAM Identity Center (SSO) or another federated identity: remove the user from IdP groups or disable the user in the IdP, remove Identity Center assignments, and invalidate existing sessions. Use this when someone leaves or when federated access must be cut off immediately.
Intent: How-to
Quick answer
- In the external IdP (Okta, Azure AD, etc.), disable the user or remove them from groups that are assigned to AWS in IAM Identity Center; the user can no longer sign in to the IdP and thus cannot get new AWS sessions.
- In IAM Identity Center, remove the user or group from assignments to AWS accounts so they no longer hold any permission sets; if using the built-in directory, disable or delete the user in Identity Center.
- Revoke existing SSO sessions so active console or CLI sessions stop working: in Identity Center, sign out the user or use the revoke-session API if available; users must re-authenticate and will be denied if already removed from IdP or assignments.
Steps
- Disable or remove the user in the IdP: In the external identity provider, disable the user account or remove the user from the groups that are mapped to AWS IAM Identity Center assignments; save the changes so the user cannot sign in or receive AWS role assignments on the next sign-in.
- Remove the user or group from Identity Center assignments: In IAM Identity Center (management account), go to AWS account assignments and remove the user, or the group containing the user, from the permission set assignments for the relevant accounts so they no longer have access to those accounts and roles.
- Invalidate active sessions: Have the user sign out of the AWS console (and any CLI sessions); if your IdP supports it, revoke the user's sessions or tokens. Identity Center sessions are short-lived; once they expire, the user cannot obtain new ones if removed from the IdP or from assignments.
- Verify access is revoked: Attempt sign-in as the user (or have them attempt it) to confirm they cannot reach the Identity Center portal or are not assigned any AWS accounts; check CloudTrail for the user's principal to ensure there are no new assume-role events after the revoke.
Summary
You will revoke federated access immediately by disabling or removing the user in the external IdP (or Identity Center directory), removing their assignments in IAM Identity Center, and invalidating active sessions. Use this when someone leaves the organization or when you must cut off AWS access for a federated user without delay.
Prerequisites
- IAM Identity Center enabled and connected to an external IdP or using the built-in directory (see How to enable AWS IAM Identity Center (SSO) and How to connect AWS to an external identity provider).
- Admin access to the IdP (to disable user or change group membership) and to IAM Identity Center in the management account (to change assignments).
Steps
Step 1: Disable or remove user in the IdP
- External IdP (Okta, Azure AD, etc.): In the IdP admin console, find the user and disable the account (or delete, per your policy). Alternatively, remove the user from all groups that are used for AWS IAM Identity Center assignments. Once disabled or removed from those groups, the user cannot sign in to the IdP (or will not receive AWS assignments on next sign-in).
- Identity Center built-in directory: In IAM Identity Center → Users, select the user and Disable (or Delete). Disabling prevents sign-in; deletion removes the user entirely. Choose based on your retention policy.
Step 2: Remove user or group from Identity Center assignments
- In the management account, open IAM Identity Center → AWS accounts (or Multi-account permissions).
- For each account (or use Assignments view), find assignments that include this user or a group they belong to. Edit or Remove the user (or the group) from the permission set assignment for that account.
- Save. The user will no longer be assigned any AWS account/role through Identity Center. If they still have an active session, it will work until it expires or is revoked (Step 3).
Step 3: Invalidate active sessions
- Console: Instruct the user to sign out of all AWS console tabs (or use Sign out from the Identity Center/console menu if they are still able to sign in). If you disabled them in the IdP, their next token refresh or re-authentication will fail.
- CLI: SSO CLI sessions use short-lived credentials (often 8–12 hours). The user cannot refresh credentials after you remove them from the IdP or assignments; when the current token expires, aws commands will fail. You cannot always force immediate revocation of a single user's SSO token from the AWS side; disabling the user in the IdP and removing assignments ensures no new sessions can be obtained. For high-criticality cases, consider reducing the SSO session duration in Identity Center settings so existing sessions expire sooner.
- IdP session revocation: If your IdP allows revoking all sessions for a user, do that so the user is signed out of the IdP and cannot obtain new AWS sessions until re-enabled.
Step 4: Verify access is revoked
- Have the user (or a test account with the same role) try to sign in to the Identity Center portal. They should be unable to sign in (if disabled in IdP) or should see no AWS account assignments (if only assignments were removed).
- In CloudTrail, filter by the user’s identity (e.g. federated user name or principal ID) for the time after revoke; confirm no new successful AssumeRole or console sign-in events. Existing sessions may still show activity until they expire.
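As an added aid for the CloudTrail check in Step 4 (example code, not from the original page): the script below parses the JSON output of `aws cloudtrail lookup-events` and reports successful sign-in or role-assumption events attributed to the revoked user after the revoke time. The event records, the user name `jdoe`, the account ID and the role ARN are constructed; a denied attempt (one carrying `errorCode`) is ignored because it is not a live session.

```python
import json
from datetime import datetime, timezone

# Added example, not the page's own code. Event names that mean a new
# federated session was obtained (a failed attempt carries errorCode).
ACCESS_EVENTS = {"AssumeRoleWithSAML", "AssumeRole", "ConsoleLogin", "Federate"}

def identity_matches(user_identity: dict, user: str) -> bool:
    """True if a CloudTrail userIdentity block refers to `user`: SAMLUser records
    carry userName; AssumedRole records end the arn and principalId with the
    role session name, which Identity Center sets to the user name."""
    if user_identity.get("userName") == user:
        return True
    if user_identity.get("arn", "").rsplit("/", 1)[-1] == user:
        return True
    principal = user_identity.get("principalId", "")
    return ":" in principal and principal.split(":", 1)[1] == user

def post_revoke_access(events: list, user: str, revoke_time: datetime) -> list:
    """Return successful access events for `user` recorded after `revoke_time`."""
    found = []
    for ev in events:
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if when <= revoke_time or ev.get("eventName") not in ACCESS_EVENTS:
            continue
        if "errorCode" in ev:  # denied attempt, not a live session
            continue
        if identity_matches(ev.get("userIdentity", {}), user):
            found.append(ev)
    return found

def parse_lookup_output(text: str) -> list:
    """Decode `aws cloudtrail lookup-events --output json`; each
    Events[].CloudTrailEvent is itself a JSON string."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(text)["Events"]]

# Constructed sample: pre-revoke success, post-revoke denial, post-revoke
# success (the finding), and an unrelated user's sign-in.
SAMPLE = json.dumps({"Events": [{"CloudTrailEvent": json.dumps(e)} for e in [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "jdoe"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "AssumeRoleWithSAML",
     "errorCode": "AccessDenied", "userIdentity": {"type": "SAMLUser", "userName": "jdoe"}},
    {"eventTime": "2024-05-01T10:45:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:jdoe", "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Admin_0123/jdoe"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:other", "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Admin_0123/other"}},
]]})
REVOKE_AT = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # constructed revoke time
```

Run `post_revoke_access(parse_lookup_output(SAMPLE), "jdoe", REVOKE_AT)`; on the sample it returns only the 10:45 ConsoleLogin, which is the finding that would mean a session survived the revoke. With real data, feed it the output of `aws cloudtrail lookup-events --start-time <revoke time>` from each account the user was assigned to.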
Verification
- User is disabled in the IdP (or removed from AWS-mapped groups) and/or removed from all IAM Identity Center assignments.
- User cannot sign in to the Identity Center portal or receives no AWS accounts; active sessions expire or are signed out and cannot be renewed.
- CloudTrail shows no new successful federated access for that user after the revoke time.
Troubleshooting
User still has console access — They may have an active session. Ensure they are removed from IdP or assignments; have them sign out. Sessions expire per Identity Center session duration; if you need immediate revocation, disable the user in the IdP and revoke IdP sessions if the IdP supports it.
Removed from one account but not another — Assignments are per account and permission set. Review all accounts in Identity Center assignments and remove the user (or their group) from every assignment.
Built-in directory user — If using Identity Center directory (no external IdP), disable or delete the user in Identity Center → Users and remove them from any group assignments. No IdP step is needed.
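For the "removed from one account but not another" case above, here is an added example (not the page's or AWS's own code) that removes every direct IAM Identity Center assignment held by one principal across all accounts and permission sets, using the real sso-admin API calls `list_account_assignments_for_principal` and `delete_account_assignment` and following the `NextToken` pagination. The client is injected so the logic can be exercised with the constructed stub below; in production pass `boto3.client("sso-admin")`. The instance ARN, principal ID and permission set ARNs in the stub are placeholders.

```python
# Added example, not the page's own code. Removes all direct account
# assignments for one principal. Assignments inherited through a group are
# removed by taking the user out of the group (Step 1) or by calling this
# with principal_type="GROUP" for that group.

def revoke_direct_assignments(sso, instance_arn: str, principal_id: str,
                              principal_type: str = "USER") -> list:
    """Delete every account assignment for the principal; return what was removed."""
    removed, token = [], None
    while True:
        kwargs = {"InstanceArn": instance_arn, "PrincipalId": principal_id,
                  "PrincipalType": principal_type}
        if token:
            kwargs["NextToken"] = token
        page = sso.list_account_assignments_for_principal(**kwargs)
        for a in page.get("AccountAssignments", []):
            # Deletion is asynchronous on the AWS side; the response carries a
            # status you can poll with describe_account_assignment_deletion_status.
            sso.delete_account_assignment(
                InstanceArn=instance_arn,
                TargetId=a["AccountId"], TargetType="AWS_ACCOUNT",
                PermissionSetArn=a["PermissionSetArn"],
                PrincipalType=principal_type, PrincipalId=principal_id)
            removed.append((a["AccountId"], a["PermissionSetArn"]))
        token = page.get("NextToken")
        if not token:
            return removed

class StubSsoAdmin:
    """Constructed stand-in for the sso-admin client: two pages of assignments
    in two different accounts, so a single-account cleanup would miss one."""
    def __init__(self):
        self.pages = [
            {"AccountAssignments": [{"AccountId": "111122223333",
                                     "PermissionSetArn": "arn:placeholder:ps/Admin"}],
             "NextToken": "page2"},
            {"AccountAssignments": [{"AccountId": "444455556666",
                                     "PermissionSetArn": "arn:placeholder:ps/ReadOnly"}]},
        ]
        self.deleted = []

    def list_account_assignments_for_principal(self, **kw):
        return self.pages[1] if kw.get("NextToken") == "page2" else self.pages[0]

    def delete_account_assignment(self, **kw):
        self.deleted.append((kw["TargetId"], kw["PermissionSetArn"]))
        return {"AccountAssignmentDeletionStatus": {"Status": "IN_PROGRESS"}}
```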
Next steps
- How to revoke an IAM user immediately (for non-federated IAM users).
- How to enable AWS IAM Identity Center (SSO).
- How to find leaked or compromised AWS credentials.