Revocation Timeline
Critical Access
Cloud admin, database, production SSH, payment systems
Code & Repos
GitHub/GitLab access, CI/CD pipelines, package registries
Communications
Slack, email, project management tools, documentation
Verification
Audit logs review, confirmation collection, documentation
Common Platforms to Check
GitHub
Repos, Actions, Packages
GitLab
Projects, CI/CD, Registry
AWS
IAM, Console, CLI
Google Cloud
IAM, Firebase, GKE
Azure
AD, DevOps, Portal
Slack
Workspace, Channels
Jira/Confluence
Projects, Docs, Boards
Databases
Direct access, Read replicas
Cloud & Infrastructure Access
AWS, GCP, Azure, DigitalOcean, Vercel, Heroku
Delete the IAM user, or disable console and programmatic access first if the account has to survive for an audit. Deleting a user with the CLI fails while it still has access keys, a login profile, MFA devices, group memberships or attached policies, so remove those first (the console's delete does this for you). Rotate any shared or service access keys the contractor could have copied; deleting their own user does nothing for keys that belong to other principals.
# Inactivate the user's own keys first, then remove them and the user
aws iam list-access-keys --user-name contractor-name
aws iam update-access-key --user-name contractor-name --access-key-id AKIA... --status Inactive
aws iam delete-access-key --user-name contractor-name --access-key-id AKIA...
aws iam delete-login-profile --user-name contractor-name
aws iam delete-user --user-name contractor-name
Remove every IAM binding for the user in every project they had access to, and check folder- and organization-level bindings too. Cloud Asset Inventory can list all of them at once (it needs the Cloud Asset API enabled); then remove each role binding it reports:
gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --query="policy:contractor@email.com"
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member="user:contractor@email.com" \
  --role="roles/editor"
Remove the user from Azure AD (now Microsoft Entra ID) and from every role assignment at subscription, resource group and resource scope. Deleting the directory user does not remove the role assignments; they linger as orphaned "Identity not found" entries until you delete them, so remove the assignments explicitly.
Remove from team and revoke any personal access tokens created for deployments.
Remove from all apps and pipelines. Check for any API keys created.
Remove from team and check for any API tokens or SSH keys added to droplets.
Delete their RoleBindings and ClusterRoleBindings, remove them from any groups referenced in bindings, and revoke or rotate any service account tokens they could use. Kubernetes cannot revoke x509 client certificates: a contractor who authenticated with a certificate issued by your cluster CA holds a credential that works until it expires, so removing every RBAC binding is the only control short of rotating the cluster CA. If they authenticated through an OIDC provider, disable them there as well.
kubectl get rolebindings,clusterrolebindings -A -o wide | grep contractor
kubectl delete rolebinding contractor-binding -n namespace
Rotate any secrets in AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault that contractor had access to.
Code Repositories & CI/CD
GitHub, GitLab, Bitbucket, CircleCI, Jenkins
Remove from org, all teams, and revoke any pending invitations. Check for deploy keys they may have added.
Remove from all groups and projects. Revoke personal access tokens if you have admin access.
Remove from all workspaces and repository access groups.
Remove from CircleCI, GitHub Actions, GitLab CI, Jenkins. Rotate any secrets stored in CI environment variables.
Audit all deploy keys and webhooks added during the engagement. Remove any that were created by the contractor.
Remove from npm org, PyPI, Docker Hub, or any private registries. Rotate publish tokens.
Review recent activity for suspicious commits, especially to CI workflow and pipeline configs, dependency manifests and lockfiles, or files holding secrets. A modified workflow file can keep exfiltrating CI secrets long after the person is gone.
Database & Data Access
PostgreSQL, MySQL, MongoDB, Redis, Elasticsearch
Drop database users or revoke all privileges, and change passwords for any shared accounts. Dropping a user does not close its open sessions in either PostgreSQL or MySQL, so terminate them as well (in PostgreSQL, pg_terminate_backend on the role's entries in pg_stat_activity). A PostgreSQL role that still owns objects or holds grants cannot be dropped; run REASSIGN OWNED and DROP OWNED in each database first.
-- PostgreSQL: hand over owned objects and drop grants before dropping the role
REASSIGN OWNED BY contractor_user TO postgres;
DROP OWNED BY contractor_user;
DROP USER contractor_user;
-- MySQL
DROP USER 'contractor'@'%';
If contractor had access to connection strings, rotate database passwords and update all applications.
Remove users from MongoDB, revoke Redis AUTH credentials, update ACL rules.
Remove access from tools like pgAdmin, DBeaver Cloud, MongoDB Atlas, or any shared database management platforms.
Check for any unusual queries, bulk exports, or schema changes in the days before termination.
SSH & Server Access
SSH keys, VPN accounts, bastion hosts, jump servers
Remove the contractor's public key from ~/.ssh/authorized_keys on every server they could reach, including root's file and any shared deploy accounts. Where possible, match on the key material (the base64 blob) rather than the comment: the comment is optional and a key added as "laptop" or with no comment at all survives a search for their email. If you use an SSH certificate authority, revoke their key or certificate through the sshd RevokedKeys list (a KRL built with ssh-keygen -k), since certificates stay valid until they expire.
grep -vF "contractor@email.com" ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.new && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys
Disable VPN account, revoke certificates, remove from VPN user groups (OpenVPN, WireGuard, Tailscale, etc.).
Remove user account from bastion hosts. Update any shared jump host configurations.
If any shared/service SSH keys were accessible, rotate them and update all systems using them.
Remove contractor's IP addresses from firewall rules, AWS security groups, and any IP-based access controls.
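The authorized_keys cleanup above, as an added example that is not part of the original checklist: it matches the key material instead of the comment, so lines with option prefixes such as no-pty,command="..." and lines with no comment are removed too, and it handles the case where the file held only that key. The file path and key blob are assumed inputs, and the sample keys are constructed for the demo, not real keys.

```shell
#!/bin/sh
# Added example for the SSH step above; not part of the original checklist.
# Removes a departing contractor's key from an authorized_keys file by
# matching the key material (the base64 blob), not the free-text comment.
# Assumptions: the caller supplies the file path and the blob; the sample
# keys below are constructed for the demo and are not real keys.
set -u

# Rewrite FILE without any line containing BLOB. Matching a fixed string
# means option prefixes such as no-pty,command="..." do not matter. The
# result is written back through the original inode, so owner and mode
# (sshd's StrictModes checks both) are preserved.
remove_authorized_key() {
    file=$1
    blob=$2
    tmp=$(mktemp "$(dirname "$file")/.authorized_keys.XXXXXX") || return 1
    # grep -v exits 1 when no line is left, which is fine: the file held
    # only this key. Only an exit status above 1 is a real error.
    grep -vF -- "$blob" "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Number of lines in FILE still carrying BLOB (0 after a good removal).
count_key() {
    grep -cF -- "$2" "$1" || true
}

# Constructed sample: one key to keep, and a contractor key present twice,
# once with a forced-command prefix and once with no comment at all. Neither
# contractor line mentions the contractor's email, so a comment-based
# "grep -v contractor@email.com" would leave both in place.
KEEP_BLOB='AAAAC3NzaC1lZDI1NTE5AAAAIKeepThisOpsKeyAAAAAAAAAAAAAAAAAAAAAAAAA'
CONTRACTOR_BLOB='AAAAC3NzaC1lZDI1NTE5AAAAIContractorLaptopKeyBBBBBBBBBBBBBBBBBBB'

write_sample_keys() {
    printf '%s\n' \
        "ssh-ed25519 $KEEP_BLOB ops@example.com" \
        "no-pty,command=\"/usr/local/bin/deploy\" ssh-ed25519 $CONTRACTOR_BLOB laptop" \
        "ssh-ed25519 $CONTRACTOR_BLOB" > "$1"
}

# Full run in a scratch directory; prints "<contractor lines> <kept lines>".
demo() {
    dir=$(mktemp -d) || return 1
    write_sample_keys "$dir/authorized_keys"
    remove_authorized_key "$dir/authorized_keys" "$CONTRACTOR_BLOB" || return 1
    printf '%s %s\n' \
        "$(count_key "$dir/authorized_keys" "$CONTRACTOR_BLOB")" \
        "$(count_key "$dir/authorized_keys" "$KEEP_BLOB")"
    rm -rf "$dir"
}

demo
```

Writing back through the original inode rather than renaming a temp file over it keeps the owner and mode that sshd checks, which matters when an admin runs this as root against another user's file. If the write is interrupted, the worst case is a truncated file that denies logins, which fails closed.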
API Keys & Third-Party Services
Stripe, SendGrid, Twilio, Auth0, Firebase
Roll API keys in Stripe dashboard. Update all applications using the old keys.
Revoke old API keys and create new ones. A leaked SendGrid key lets someone send mail as your domain, which makes it ideal for phishing campaigns.
Rotate API keys, remove from subaccounts. Compromised Twilio access can be expensive.
Remove user from identity provider admin access. Revoke any machine-to-machine credentials they created.
Remove from Firebase console access. Check for any service account keys created.
Review all OAuth connections and API integrations. Revoke any that were set up by contractor.
Communication & Collaboration
Slack, Email, Notion, Confluence, Figma
Deactivate account. Consider if you need to export their DMs for records before removal.
Disable email account if one was provisioned. Set up forwarding to manager if needed.
Remove from workspace. Check for any pages they own that need to be transferred.
Deactivate account. Reassign any open tickets assigned to them.
Remove from team. Transfer ownership of any files they created.
Revoke access to shared folders. Check for any files they may have downloaded.
Documentation Requirements
- Record timestamp of each access revocation action
- Screenshot confirmation of removal from each system
- Export audit logs for 30 days before and after termination
- Obtain written confirmation from contractor that all data has been deleted
- Document any credentials that were rotated and notify affected teams
- Update access control documentation with removal date
- File all documentation with the original NDA for records retention
Need an NDA with Built-in Revocation Provisions?
Generate a comprehensive software NDA that clearly defines access termination procedures and requirements.