Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Removal of user and permission sets

0

I want to automate the deletion of user and related permission sets I connected entra id as external identity provider. when a user is removed from entra id i can that user disabled in aws identity center. i want to remove his disabled listing in identity center and want to delete permission set related to him from identity center. what is the trigger ican use for this like CreateUser for new user.

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access Management
Language
English
asked a year ago396 views
2 Answers
1
Accepted Answer

If you havent, make sure you have SCIM configured in Identity centre and EntraID:-

When a user is deleted in Microsoft Entra ID, the SCIM (System for Cross-domain Identity Management) provisioning service will typically send a DELETE request to the target application's SCIM endpoint to remove the user. Entra ID first soft deletes the user, moving them to a recycle bin state, and after 30 days, the user is permanently deleted, triggering the SCIM DELETE request.

Soft Delete in Entra ID: When a user is deleted in Entra ID, they are initially moved to a "soft-deleted" state, meaning they are still present in the system but not active.

30-Day Grace Period: After a user is soft-deleted, they remain in this state for 30 day

Permanent Deletion and SCIM: After the 30-day period, the user is permanently deleted from Entra ID. This action triggers the SCIM provisioning service to send a DELETE request to the application's SCIM endpoint, instructing the application to remove the user.

EXPERT
answered a year ago
0

When a user is removed from Entra ID and appears as disabled in AWS IAM Identity Center, you can automate the removal of both the disabled user and their associated permission sets.

To remove a disabled user from IAM Identity Center and delete their permission sets, you'll need to:

  1. First, remove the permission sets assigned to the user:
  • Navigate to the IAM Identity Center console
  • Select "Users"
  • Select the disabled user
  • Go to the "AWS accounts" tab
  • Select the AWS account
  • Select the permission set you want to remove and choose "Remove"
  • Confirm the removal when prompted
  1. To delete the permission set itself (if it's no longer needed by any user):
  • Ensure the permission set is removed from all AWS accounts first
  • Go to "Multi-account permissions" and select "Permission sets"
  • Select the permission set and choose "Delete"
  • Confirm by typing the name of the permission set

For automation, there isn't a direct trigger like "CreateUser" for user deletion. However, you could:

  1. Use AWS CloudTrail to monitor for identity provider events related to user status changes
  2. Set up an AWS Lambda function that periodically checks for disabled users in IAM Identity Center
  3. Have the Lambda function programmatically remove permission sets from disabled users and then delete the users

To immediately revoke access for deleted users, you can also:

  • Add an explicit "Deny" effect in the permission set's inline policy for all actions on all resources
  • Use the aws:userid or identitystore:userid condition key to target specific users
  • Implement Service Control Policies to revoke access across all member accounts in your organization

This approach ensures that even if there's a delay in your automation process, the disabled users won't have active access to AWS resources.
Sources
Remove permission sets in IAM Identity Center - AWS IAM Identity Center
Revoke access for deleted users - AWS IAM Identity Center
Delete permission sets in IAM Identity Center - AWS IAM Identity Center

answered a year ago
EXPERT
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content