How to revoke an IAM user immediately
Topic: Accounts access
Summary
Revoke all access for an IAM user without deleting the user: deactivate console password, delete all access keys, and detach MFA. Use this when someone leaves or credentials are compromised; optionally delete the user after revoking.
Intent: How-to
Quick answer
- Delete every access key for the user so CLI and API requests signed with those keys stop immediately; use list-access-keys and delete-access-key for each key.
- Delete the console password with delete-login-profile so the user cannot sign in; if an open session or temporary STS credentials may still exist, also attach an explicit Deny policy. Deactivate the MFA device only afterwards, as cleanup.
- Optionally delete inline policies, detach managed policies and remove the user from groups; delete the user once you have confirmed no resource-based or trust policies still need to reference the user ARN.
Steps
- Delete all access keys: list the keys for the user and delete each one with delete-access-key; this revokes programmatic access with those keys immediately.
- Block console sign-in: use delete-login-profile to remove the console password. A Deny policy does not stop sign-in by itself, but because permissions are evaluated on every request it makes an already-open session useless; attach one when you suspect compromise.
- Remove MFA and optional cleanup: deactivate the MFA device (console or deactivate-mfa-device) as cleanup, not as the revocation step, since an identity without MFA is easier to use, not harder. Delete inline policies, detach managed policies and remove the user from all groups if you plan to delete the user.
- Delete the user (optional): after confirming no resource-based or trust policies reference the user ARN, delete the user with delete-user; all credentials, policies and group memberships must already be gone or the call fails.
Summary
You will revoke an IAM user’s access immediately by deleting all access keys, removing console sign-in, and optionally removing MFA and deleting the user. Use this when an operator leaves or when you suspect compromise; for SSO, see revoking federated access.
Prerequisites
- You have IAM permissions to manage the user: iam:DeleteAccessKey, iam:DeleteLoginProfile, iam:DeactivateMFADevice, iam:PutUserPolicy (for an explicit Deny), iam:DeleteUserPolicy, iam:DetachUserPolicy, iam:RemoveUserFromGroup, iam:DeleteUser, and the matching iam:List* and iam:Get* permissions.
- You know the IAM user name to revoke.
Steps
Step 1: Delete all access keys
USER=username-to-revoke
for key in $(aws iam list-access-keys --user-name "$USER" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
aws iam delete-access-key --user-name "$USER" --access-key-id "$key"
done
Console: IAM → Users → select user → Security credentials → Access keys → Delete each key. Requests signed with those keys fail as soon as they are deleted. Deleting a key does not, however, revoke temporary credentials the user already obtained from STS (via GetSessionToken, or by assuming a role); those can stay valid until they expire. If compromise is suspected, also attach the explicit Deny described in Step 2, and revoke any role sessions on the role itself.
Step 2: Block console sign-in
aws iam delete-login-profile --user-name "$USER"
If the user has a console password, this removes it; if there is none, the call fails with NoSuchEntity, which is safe to ignore. Deleting the password only blocks new sign-ins. If you cannot rule out an open console session or temporary credentials the user already obtained through sts:GetSessionToken, also attach an explicit Deny (an inline policy with Effect Deny on Action * and Resource *, via put-user-policy). A Deny overrides every Allow and is evaluated on each request, so existing sessions fail from that point on. Document why it is there, and remove it only when you delete the user.
Step 3: Remove MFA and optional cleanup
- MFA: List the user's devices with list-mfa-devices and deactivate each with deactivate-mfa-device (console: IAM → Users → user → Security credentials → MFA → Deactivate). A deactivated virtual device can then be removed with delete-virtual-mfa-device; a hardware token keeps its serial and stays in the account inventory. Do this only after keys and password are gone: MFA is a second factor, so removing it from a still-usable identity weakens it rather than revoking it. delete-user refuses while a device is still assigned.
- Policies and groups: To prepare for user deletion, delete inline policies (list-user-policies, then delete-user-policy for each name), detach all managed policies and remove the user from all groups. The loops below handle the managed policies and the groups:
for policy in $(aws iam list-attached-user-policies --user-name "$USER" --query 'AttachedPolicies[].PolicyArn' --output text); do
aws iam detach-user-policy --user-name "$USER" --policy-arn "$policy"
done
for group in $(aws iam list-groups-for-user --user-name "$USER" --query 'Groups[].GroupName' --output text); do
aws iam remove-user-from-group --user-name "$USER" --group-name "$group"
done
Step 4: Delete the user (optional)
aws iam delete-user --user-name "$USER"
Run this only after every credential is gone (access keys, console password, MFA devices, signing certificates, SSH public keys and service-specific credentials such as CodeCommit Git credentials) and the user has no inline policies, attached managed policies or group memberships; otherwise delete-user returns DeleteConflict. Also review resource-based policies (S3 bucket policies, KMS key policies, IAM role trust policies) that name the user ARN. They do not block deletion, but once the user is gone the principal entry is shown as the user's unique ID, and a recreated user with the same name does not regain that access. S3 buckets belong to the account, not to the user, so there is no bucket ownership to transfer.
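The four steps above as one script, added here as an example; it is not code from the original page or from AWS. It assumes AWS CLI v2 and the permissions listed under Prerequisites. The inline policy name DenyAllRevoked and the AWS_CLI override variable are choices made for this example. It goes beyond the steps on the page in two ways: it also removes signing certificates, SSH public keys and service-specific credentials, which delete-user otherwise rejects, and it attaches an explicit Deny so that a console session or GetSessionToken credentials the user already holds stop working along with the deleted keys.

```shell
#!/bin/sh
# revoke-iam-user.sh: revoke every credential of one IAM user, block whatever
# sessions it already holds, and optionally delete it. Added example, not code
# from the original page or from AWS. Assumes AWS CLI v2 and the permissions in
# Prerequisites; the policy name DenyAllRevoked and the AWS_CLI override are
# choices made for this example.
set -eu

# Every AWS call goes through this wrapper so the script can be pointed at a
# stub (AWS_CLI=some_function) for a dry run; the default is the real CLI.
aws_cli() { "${AWS_CLI:-aws}" "$@"; }

# Print the IDs an IAM list-* call returns, one per line (blank/None dropped).
ids() { # $1 = subcommand, $2 = user name, $3 = JMESPath to the ID list
  aws_cli iam "$1" --user-name "$2" --query "$3" --output text \
    | tr '\t' '\n' | grep -v -e '^$' -e '^None$' || true
}

# Steps 1-3: remove every long-term credential so nothing can authenticate as
# the user again. Signing certificates, SSH keys and service-specific (Git)
# credentials are included because delete-user refuses while any remain.
revoke_credentials() {
  u="$1"
  for k in $(ids list-access-keys "$u" 'AccessKeyMetadata[].AccessKeyId'); do
    aws_cli iam delete-access-key --user-name "$u" --access-key-id "$k"
  done
  # delete-login-profile fails with NoSuchEntity when the user has no password;
  # that is fine, but any other error (e.g. AccessDenied) must not be hidden.
  if ! out=$(aws_cli iam delete-login-profile --user-name "$u" 2>&1); then
    case "$out" in
      *NoSuchEntity*) echo "$u: no console password to remove" ;;
      *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
  fi
  for s in $(ids list-mfa-devices "$u" 'MFADevices[].SerialNumber'); do
    aws_cli iam deactivate-mfa-device --user-name "$u" --serial-number "$s"
    # A virtual device (serial is an ARN) can be deleted once deactivated;
    # hardware tokens keep their serial and stay in the account inventory.
    case "$s" in arn:*:mfa/*) aws_cli iam delete-virtual-mfa-device --serial-number "$s" ;; esac
  done
  for c in $(ids list-signing-certificates "$u" 'Certificates[].CertificateId'); do
    aws_cli iam delete-signing-certificate --user-name "$u" --certificate-id "$c"
  done
  for k in $(ids list-ssh-public-keys "$u" 'SSHPublicKeys[].SSHPublicKeyId'); do
    aws_cli iam delete-ssh-public-key --user-name "$u" --ssh-public-key-id "$k"
  done
  for c in $(ids list-service-specific-credentials "$u" \
             'ServiceSpecificCredentials[].ServiceSpecificCredentialId'); do
    aws_cli iam delete-service-specific-credential --user-name "$u" \
      --service-specific-credential-id "$c"
  done
}

# Step 2, second half: an explicit Deny is evaluated on every request, so it
# also shuts down an open console session or GetSessionToken credentials that
# may outlive the deleted keys. (Sessions from a role the user assumed carry
# the role's permissions and must be revoked on the role instead.)
block_sessions() {
  aws_cli iam put-user-policy --user-name "$1" --policy-name DenyAllRevoked \
    --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*"}]}'
}

# Verification: no access keys left and get-login-profile reports no password.
verify_revoked() {
  [ -z "$(ids list-access-keys "$1" 'AccessKeyMetadata[].AccessKeyId')" ] || return 1
  ! aws_cli iam get-login-profile --user-name "$1" >/dev/null 2>&1
}

# Step 3, cleanup before deletion: inline policies (DenyAllRevoked included),
# managed policies and group memberships all block delete-user.
strip_permissions() {
  u="$1"
  for p in $(ids list-user-policies "$u" 'PolicyNames'); do
    aws_cli iam delete-user-policy --user-name "$u" --policy-name "$p"
  done
  for p in $(ids list-attached-user-policies "$u" 'AttachedPolicies[].PolicyArn'); do
    aws_cli iam detach-user-policy --user-name "$u" --policy-arn "$p"
  done
  for g in $(ids list-groups-for-user "$u" 'Groups[].GroupName'); do
    aws_cli iam remove-user-from-group --user-name "$u" --group-name "$g"
  done
}

# Step 4: delete-user still returns DeleteConflict if anything above was missed.
delete_user() { aws_cli iam delete-user --user-name "$1"; }

main() { # usage: revoke-iam-user.sh <iam-user-name> [--delete]
  revoke_credentials "$1"
  block_sessions "$1"
  verify_revoked "$1" || { echo "$1 still has credentials" >&2; exit 1; }
  echo "$1: access revoked"
  if [ "${2:-}" = "--delete" ]; then
    strip_permissions "$1"
    delete_user "$1"
    echo "$1: deleted"
  fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as revoke-iam-user.sh alice to revoke and leave the user in place with the Deny attached, or add --delete to strip policies and group memberships and remove the user in the same pass. Pointing AWS_CLI at a shell function that logs its arguments gives a dry run that shows every call the script would make before you run it against a real account.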
Verification
- aws iam list-access-keys --user-name "$USER" returns no keys (or NoSuchEntity if the user was deleted).
- aws iam get-login-profile --user-name "$USER" returns NoSuchEntity, so the user cannot sign in to the console.
- If you attached the explicit Deny, simulate-principal-policy with the user ARN as policy source and a sample action such as s3:ListAllMyBuckets reports explicitDeny rather than allowed.
- CloudTrail shows the revoke and delete actions for audit.
Troubleshooting
Cannot delete access key — Ensure you are using the correct user name and key ID and that you hold iam:DeleteAccessKey. NoSuchEntity means the key is already gone, typically a stale reference; re-run list-access-keys to confirm.
Delete user fails: DeleteConflict — The user still has a credential, an inline policy, an attached managed policy or a group membership. Check list-access-keys, get-login-profile, list-mfa-devices, list-signing-certificates, list-ssh-public-keys, list-service-specific-credentials, list-user-policies, list-attached-user-policies and list-groups-for-user, remove whatever remains, then retry.
Need to preserve audit trail — CloudTrail events already recorded survive deletion, but they reference the user ARN. If you need to keep mapping that ARN to a person, revoke access (keys and login profile) and keep the user with an explicit Deny policy attached and a note explaining it; delete the user after your retention period if policy allows.