Personnel Offboarding Checklist (DevOps)
Personnel Name:
Personnel ID / Email:
Job Title:
Last Working Day:
Offboarding Owner:
Ticket / Request Link:
| Item |
Details |
Done (✓) |
Notes |
| Cloudflare account(s) & zone(s) |
|
|
|
| Domain registrar account(s) |
|
|
|
| AWS account(s) / AWS Org / SSO portal |
|
|
|
| GCP project(s) |
|
|
|
| OVH host list |
|
|
|
| Teknotel host list (including bastions) |
|
|
|
| Teknotel shared local users / shared passwords (if any) |
|
|
|
| Red-shift (certificate tracking) account / workspace |
|
|
|
| Algolia (full-text search) org / app(s) |
|
|
|
| Docker Hub org / repo(s) |
|
|
|
| Node.js / Package registry org(s) & registry endpoints (npmjs, GitHub Packages, Artifactory/Nexus/Verdaccio) |
|
|
|
| Infra repos / CI/CD systems used |
|
|
|
| Known shared secrets / shared accounts |
|
|
|
1. Access Revocation (Highest Priority)
| System / Platform |
User ID / Email |
Action |
Done (✓) |
Notes |
| SSO / IdP (Entra ID / Google Workspace / etc.) |
|
Remove from groups that grant DevOps / admin / infra access |
|
|
| GitHub / GitLab |
|
Remove from org/teams; revoke PATs if any |
|
|
| CI/CD (Jenkins / GitHub Actions / etc.) |
|
Remove admin / maintain permissions; remove from credentials stores |
|
|
| Secret stores (Vault / Conjur / Secret Manager) |
|
Remove access; revoke tokens; disable user/service bindings |
|
|
| Kubernetes clusters |
|
Remove cluster-admin bindings; revoke kubeconfigs/certs |
|
|
| Cloudflare |
|
Remove membership & per-zone roles; revoke tokens/keys |
|
|
| AWS |
|
Remove SSO/IAM access; revoke access keys & sessions |
|
|
| GCP |
|
Remove IAM access; remove OS Login/SSH key paths |
|
|
| OVH |
|
Remove SSH key(s) and any console/account access (if applicable) |
|
|
| Teknotel |
|
Remove SSH key(s) and any console/account access (if applicable) |
|
|
| Red-shift (cert tracking) |
|
Remove user access; transfer ownership of rules/alerts if needed |
|
|
| Algolia |
|
Remove user access; review/rotate API keys if exposure risk exists |
|
|
| Docker Hub |
|
Remove org/team access; revoke tokens; review automated builds |
|
|
| Node.js package registries (npm / GH Packages / Artifactory / Nexus) |
|
Remove org/team access; revoke auth tokens; remove from publish permissions |
|
|
| Arc (internal AI assistant) |
|
Remove the person from the Arc configs and revoke all of their access |
|
|
| Other (monitoring, incident tools, etc.) |
|
Remove access |
|
|
2. Cloudflare: Account Cleanup & DNS Handover
| Item |
Action |
Done (✓) |
Notes |
| Remove Cloudflare member access |
Cloudflare Account → Members: remove user (repeat for all relevant accounts) |
|
|
| Revoke/rotate API access |
Revoke tokens/keys created by leaver; rotate any shared/CI tokens they could access |
|
|
| Confirm automation tokens are non-personal |
Ensure DNS automation is using a team/service token |
|
|
| Cloudflare Zero Trust (if used) |
Remove from Access policies, bypass rules, device posture exceptions |
|
|
| DNS ownership handover (critical) |
Ensure all zones are in company account; transfer zones from personal accounts if needed |
|
|
| Registrar ownership check |
Ensure registrar access, 2FA, recovery methods are company-controlled |
|
|
| Document DNS details |
Zones list, owners, UI vs GitOps, automation tokens used |
|
|
3. AWS: Account Access & Credential Cleanup
Goal: ensure the leaver cannot access any AWS account (console, API, CLI, SSO), and remove any long-lived credentials.
| Item |
Action |
Done (✓) |
Notes |
| Identify AWS access model |
Confirm whether user used AWS IAM User, AWS IAM Identity Center (SSO), or both |
|
|
| Remove from AWS SSO / Identity Center |
Remove user from assigned permission sets / account assignments; disable/remove user if managed there |
|
|
| IAM user cleanup (if applicable) |
Disable console login; delete/disable access keys; remove from groups; detach policies; delete user if appropriate |
|
|
| Remove role trust / external access |
Remove any role trusts that directly reference the user (rare) and clean up user-specific permissions |
|
|
| CI/CD & automation credentials |
Rotate any AWS keys/tokens the leaver could access (pipelines, deploy bots, IaC) |
|
|
| Verify no access remains |
Attempt login/assume-role should fail; access keys should be inactive |
|
|
4. GCP: SSH & IAM Cleanup
| Item |
Action |
Done (✓) |
Notes |
| Remove IAM roles/groups |
Remove roles and group memberships that grant access (admin/compute/OS Login, etc.) |
|
|
| Remove OS Login SSH access |
Remove OS Login permissions / bindings (preferred) |
|
|
| Remove project metadata SSH keys |
Remove keys from project metadata (if used) |
|
|
| Remove instance metadata SSH keys |
Remove keys from instance metadata (if used) |
|
|
| Verify access removed |
Confirm user cannot SSH to any instance |
|
|
5. OVH: SSH Key Cleanup
| Item |
Action |
Done (✓) |
Notes |
Remove from authorized_keys |
Remove SSH key(s) from all OVH hosts the user could access |
|
|
| Remove from automation |
Remove from Ansible inventories, Terraform, cloud-init/user-data, provisioning scripts |
|
|
| Verify access removed |
Confirm key no longer grants access |
|
|
6. Teknotel: SSH Key Cleanup + Password Rotation (If Applicable)
| Item |
Action |
Done (✓) |
Notes |
Remove from authorized_keys |
Remove SSH key(s) from Teknotel hosts and bastion/jumpboxes |
|
|
| Shared admin accounts (if any) |
Rotate credentials immediately |
|
|
| Datacenter machine local passwords (if applicable) |
If there are shared/local users or shared passwords, rotate them and document the new owners/rotation date |
|
|
| Verify access removed |
Confirm key no longer grants access |
|
|
7. SaaS Accounts: Red-shift / Algolia / Docker Hub
| Service |
Action |
Done (✓) |
Notes |
| Red-shift (certificate tracking) |
Remove user; review ownership of rules/alerts; ensure notifications/integrations are owned by a team/service account |
|
|
| Algolia (search) |
Remove user; review API keys; rotate keys if the user could access them; ensure keys live in secret store/CI (not personal) |
|
|
| Docker Hub (registry) |
Remove org/team access; revoke personal tokens; review automated builds/webhooks; ensure ownership is company-controlled |
|
|
| Claude Team (claude.ai) |
claude.ai → Settings → Members → find the person and remove. Primary owner is info@appcircle.io. |
|
|
7A. Node.js / NPM: Package Registry Access & Credential Cleanup
Goal: ensure the leaver cannot publish, unpublish, or access private packages; and that CI/CD uses service tokens (not personal tokens).
| Item |
Action |
Done (✓) |
Notes |
| Identify registry usage |
List registries used: npmjs.com, GitHub Packages, Artifactory/Nexus/Verdaccio, etc. Determine if packages are published and/or only consumed |
|
|
| Remove org/team membership |
Remove user from npm org(s) / GitHub org teams / Artifactory groups that grant package read/publish access |
|
|
| Revoke personal tokens |
Revoke npm access tokens and any GitHub PATs used as NODE_AUTH_TOKEN / NPM_TOKEN |
|
|
| Check CI/CD credential sources |
Review Jenkins/GitHub Actions/GitLab variables + secret stores. Remove/rotate any package-registry secrets the user could read |
|
|
Hunt for .npmrc exposure |
Check shared build agents/images and repo files for .npmrc or embedded tokens; remove and rotate if found |
|
|
| Ensure publishing is service-owned |
If publishing is needed, switch to a bot/service account token with least privilege; enable 2FA/recovery under company control where applicable |
|
|
| Validate access removal |
Confirm user cannot install from private scope and cannot publish/unpublish. Confirm pipelines still work with rotated tokens |
|
|
8. Rotate Shared Credentials (Only If Exposure Risk Exists)
| Item |
Action |
Done (✓) |
Notes |
| CI/CD secrets |
Rotate deploy keys, tokens, and pipeline secrets |
|
|
| Registry credentials |
Rotate container registry credentials (Docker Hub, Artifact Registry, ECR, etc.) if shared or exposed |
|
|
| Kubernetes credentials |
Rotate any shared kubeconfigs/certs/tokens |
|
|
| Shared SSH keys / accounts |
Rotate / replace shared keys and passwords |
|
|
| Third-party integrations |
Rotate API tokens used by automation (Algolia, monitoring, webhooks, etc.) |
|
|
| Node.js registry tokens |
Rotate npm/GH Packages/Artifactory tokens used by CI/CD if the leaver had access or tokens were personal/shared |
|
|
9. Close-out
| Item |
Action |
Done (✓) |
Notes |
| Record evidence |
What removed, where, when (screenshots/logs/links) |
|
|
| Note suspicious findings |
If Cloudflare/AWS audit surfaced anything |
|
|
| Mark DevOps offboarding complete |
Update ticket and notify stakeholders |
|
|
Final Review