DevOps Offboarding – Summary¶
This page explains, in a compact way, what DevOps offboarding is meant to verify and clean up. Use it alongside the detailed checklist for step-by-step execution.
Purpose¶
DevOps offboarding ensures a departing (or role-changing) person no longer has access to production systems, cloud consoles, infrastructure entry points, and automation credentials. It also reduces “hidden ownership” risks (for example, DNS zones or vendor services living under a personal account, or automation tokens tied to an individual).
What to Check (High Level)¶
1) Access revocation comes first¶
Remove the person from SSO groups and privileged systems so access is cut immediately. This typically includes Git org/team membership, CI/CD permissions, Kubernetes RBAC, secret stores, monitoring/incident tools, and any admin groups.
Also verify access removal from vendor/SaaS accounts used by DevOps (for example: certificate tracking tools, search services, container registries). Personal tokens should be revoked and ownership should be moved to team-controlled accounts.
2) Cloudflare: account cleanup and DNS handover¶
Ensure the person is removed from Cloudflare account/zone roles and that any tokens they created or could reach are revoked or rotated where necessary. Confirm DNS zones are owned by a company-controlled Cloudflare account and that registrar ownership, 2FA, and recovery methods are also under company control.
3) AWS: remove every access path¶
Verify the person cannot access AWS through Identity Center (SSO) and/or IAM Users. Remove account assignments/permission sets, disable console access, and delete/disable long-lived access keys; rotate automation credentials if the person could have learned them.
4) GCP: IAM and SSH access removal¶
Remove IAM roles and group memberships that provide GCP access, especially anything related to Compute Admin / OS Login. Ensure SSH access is removed via OS Login where possible, and clean up any legacy SSH keys in project/instance metadata so the person cannot connect later.
5) OVH & Teknotel: SSH key cleanup (and password rotation if applicable)¶
Remove the person’s SSH keys from all relevant hosts (including bastions/jump boxes) and ensure those keys are not embedded in automation (Terraform/Ansible/cloud-init/scripts).
If the Teknotel datacenter includes shared local users or the person had access to shared passwords, rotate those passwords (and/or move to individual accounts) to prevent continued access through shared paths.
6) Certificate tracking tool (Red-shift): ownership and notification access¶
If certificates are tracked in Red-shift, verify whether the departing person has a user/account, notification rules, ownership, or integrations configured. Remove their access and ensure alerts, renewal workflows, and integrations are owned by a team/service account, not an individual.
7) Algolia: SaaS full-text search access¶
If Algolia is used, remove the person from the Algolia organization/project. Review API keys and rotate them if the person could access them; confirm production indices and credentials are managed via team-owned secrets (CI/CD or secret store), not personal tokens.
8) Docker Hub: organization access and token cleanup¶
If Docker Hub is used, remove the person from the org/teams and revoke/rotate any access tokens they created or could access. Confirm repositories, automated builds, and org settings are controlled by a company-owned account and not tied to a personal login.
9) Rotation of shared credentials (only when exposure risk exists)¶
Only rotate shared secrets when the person could realistically have obtained them (for example, pipeline secrets, registry credentials, shared kubeconfigs, third-party integration tokens). The goal is to reduce risk without performing unnecessary rotations.
Evidence and Close-out¶
Record what was removed, where it was removed from, and when it was completed (ticket links, screenshots, logs). Notify relevant stakeholders and mark the offboarding request as completed once access removal and ownership checks are verified.