1. Purpose
This document establishes procedures to ensure that user accounts with access to cloud platforms are securely and systematically deleted upon role changes, termination, or access revocation requirements. It is part of the broader Access Control Policy to prevent unauthorized access and ensure compliance with information security standards (e.g., SOC 2, NIST 800-53, ISO 27001).
2. Scope
This procedure applies to:
- All employees, contractors, vendors, and third parties with provisioned access to the organization’s cloud infrastructure
- All cloud environments within the organization’s operational scope
- Both direct cloud accounts and federated/SSO-based access via an Identity Provider (IdP)
3. Triggering Events for User Deletion
User account deletion must be initiated immediately upon:
- Employee termination (voluntary or involuntary)
- Role change or internal transfer resulting in a change of access privileges
- Contract expiration or vendor disengagement
- Security incidents requiring emergency revocation
- Audit findings indicating unused or orphaned accounts
4. Responsibilities
| Role | Responsibility |
|---|---|
| HR / People Ops | Notify IT of user termination or transfer |
| IT / Cloud Admin | Perform account review and deletion |
| Security Team | Monitor compliance and maintain audit logs |
| Manager / Sponsor | Approve or initiate access changes for reporting users |
5. Procedure: Cloud Account Deletion
5.1 Standard Account Deletion Steps
1. Notification & Ticketing
   - HR or the user’s manager submits a user removal request via the IT ticketing system.
   - The request must include the user’s full name, email, cloud access type, and effective date.
2. Access Verification
   - Identify the user’s cloud access method:
     - Direct cloud account
     - Federated SSO via IdP
   - Enumerate all assigned roles, groups, and policies.
3. Disable First, Then Delete
   - Disable access immediately.
   - For direct accounts: deactivate keys and passwords, and remove session tokens.
   - For SSO users: disable the IdP account or revoke the assigned roles.
   - Wait 24–48 hours before full deletion, unless immediate removal is required.
4. Delete or Deprovision
   - Permanently remove the account, or de-link the user from federated access groups.
   - Revoke all associated credentials (SSH keys, API tokens, CLI credentials).
   - Remove the user from:
     - Roles / Groups
     - Access Control Lists (ACLs)
     - Key Management System (KMS) permissions
     - DevOps pipelines or CI/CD tools
     - Cloud storage access policies
5. Audit Logging
   - Record the deletion action with timestamp, executor, and affected user.
   - Retain these logs for at least 1 year for audit and forensic purposes.
5.2 Emergency Access Revocation
If user access poses an immediate risk:
- Disable cloud access within 15 minutes of notification.
- Notify the Security Team for real-time monitoring and post-revocation assessment.
- Conduct root cause analysis and document findings.
5.3 Periodic Review of Cloud Access
Conduct quarterly access reviews to identify:
- Orphaned accounts
- Stale accounts (inactive for >30 days)
- Misconfigured role inheritance
Deactivate or remove access that is no longer justified.
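As an added illustration of the disable-first-then-delete sequence in 5.1 and the orphaned/stale checks in 5.3, the following example encodes the procedure's rules (24-hour minimum hold, emergency bypass, audit record, 30-day staleness) so that they can be enforced and tested. It is example code written for this document, not an organisational tool or any cloud provider's API; the account model, field names and sample accounts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class CloudAccount:                   # constructed, provider-neutral model; not any cloud's API
    user: str
    last_login: datetime
    credentials: set = field(default_factory=set)   # keys, passwords, API/CLI tokens, sessions
    roles: set = field(default_factory=set)         # roles, groups, ACL and KMS grants
    has_owner: bool = True            # False = no sponsoring manager, i.e. orphaned
    disabled_at: "datetime | None" = None
    deleted: bool = False

AUDIT_LOG: list = []                  # step 5 record: timestamp, executor, affected user, action
HOLD = timedelta(hours=24)            # minimum wait between disable and delete (policy: 24-48 h)

def disable(acct: CloudAccount, executor: str, now: datetime, emergency: bool = False) -> timedelta:
    acct.credentials.clear()          # direct accounts: deactivate keys/passwords, drop sessions
    acct.roles.clear()                # SSO users: revoke assigned roles
    acct.disabled_at = now
    AUDIT_LOG.append({"ts": now.isoformat(), "executor": executor, "user": acct.user, "action": "disable"})
    return timedelta(0) if emergency else HOLD      # how long the caller must wait before delete()

def delete(acct: CloudAccount, executor: str, now: datetime, emergency: bool = False) -> bool:
    if acct.disabled_at is None:      # policy: disable first, then delete
        raise ValueError(f"{acct.user}: delete attempted before disable")
    if not emergency and now - acct.disabled_at < HOLD:
        return False                  # hold not yet elapsed; retry later
    acct.deleted = True
    AUDIT_LOG.append({"ts": now.isoformat(), "executor": executor, "user": acct.user, "action": "delete"})
    return True

def review(accounts: list, now: datetime, stale_days: int = 30) -> dict:
    findings = {}                     # section 5.3: live accounts that are orphaned or stale
    for a in (x for x in accounts if not x.deleted):
        stale = now - a.last_login > timedelta(days=stale_days)
        reasons = ["orphaned"] * (not a.has_owner) + ["stale"] * stale
        if reasons:
            findings[a.user] = reasons
    return findings

def run_scenario() -> dict:           # constructed sample accounts, not real users
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    alice = CloudAccount("alice", now - timedelta(days=2), {"api-key", "ssh-key"}, {"Admin"})
    bob = CloudAccount("bob", now - timedelta(days=45), has_owner=False)
    hold = disable(alice, "it-admin", now)
    early = delete(alice, "it-admin", now + timedelta(hours=1))       # inside the hold: refused
    done = delete(alice, "it-admin", now + hold + timedelta(hours=1))
    return {"hold_hours": hold.total_seconds() / 3600, "early": early, "done": done,
            "review": review([alice, bob], now), "actions": [e["action"] for e in AUDIT_LOG]}
```

Calling `run_scenario()` shows the early deletion refused, the post-hold deletion accepted with both actions in the audit record, and the quarterly review flagging only the still-live orphaned, stale account.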