Skip to content

Personnel Offboarding Checklist (DevOps)

Personnel Name: Personnel ID / Email: Job Title: Last Working Day: Offboarding Owner: Ticket / Request Link:


0. Collect Inputs (Before Starting)

Item Details Done (✓) Notes
Cloudflare account(s) & zone(s)
Domain registrar account(s)
AWS account(s) / AWS Org / SSO portal
GCP project(s)
OVH host list
Teknotel host list (including bastions)
Teknotel shared local users / shared passwords (if any)
Red-shift (certificate tracking) account / workspace
Algolia (full-text search) org / app(s)
Docker Hub org / repo(s)
Node.js / Package registry org(s) & registry endpoints (npmjs, GitHub Packages, Artifactory/Nexus/Verdaccio)
Infra repos / CI/CD systems used
Known shared secrets / shared accounts

1. Access Revocation (Highest Priority)

System / Platform User ID / Email Action Done (✓) Notes
SSO / IdP (Entra ID / Google Workspace / etc.) Remove from groups that grant DevOps / admin / infra access
GitHub / GitLab Remove from org/teams; revoke PATs if any
CI/CD (Jenkins / GitHub Actions / etc.) Remove admin / maintain permissions; remove from credentials stores
Secret stores (Vault / Conjur / Secret Manager) Remove access; revoke tokens; disable user/service bindings
Kubernetes clusters Remove cluster-admin bindings; revoke kubeconfigs/certs
Cloudflare Remove membership & per-zone roles; revoke tokens/keys
AWS Remove SSO/IAM access; revoke access keys & sessions
GCP Remove IAM access; remove OS Login/SSH key paths
OVH Remove SSH key(s) and any console/account access (if applicable)
Teknotel Remove SSH key(s) and any console/account access (if applicable)
Red-shift (cert tracking) Remove user access; transfer ownership of rules/alerts if needed
Algolia Remove user access; review/rotate API keys if exposure risk exists
Docker Hub Remove org/team access; revoke tokens; review automated builds
Node.js package registries (npm / GH Packages / Artifactory / Nexus) Remove org/team access; revoke auth tokens; remove from publish permissions
Arc (internal AI assistant) Remove the person from the Arc configs and revoke all of their access
Other (monitoring, incident tools, etc.) Remove access

2. Cloudflare: Account Cleanup & DNS Handover

Item Action Done (✓) Notes
Remove Cloudflare member access Cloudflare Account → Members: remove user (repeat for all relevant accounts)
Revoke/rotate API access Revoke tokens/keys created by leaver; rotate any shared/CI tokens they could access
Confirm automation tokens are non-personal Ensure DNS automation is using a team/service token
Cloudflare Zero Trust (if used) Remove from Access policies, bypass rules, device posture exceptions
DNS ownership handover (critical) Ensure all zones are in company account; transfer zones from personal accounts if needed
Registrar ownership check Ensure registrar access, 2FA, recovery methods are company-controlled
Document DNS details Zones list, owners, UI vs GitOps, automation tokens used

3. AWS: Account Access & Credential Cleanup

Goal: ensure the leaver cannot access any AWS account (console, API, CLI, SSO), and remove any long-lived credentials.

Item Action Done (✓) Notes
Identify AWS access model Confirm whether user used AWS IAM User, AWS IAM Identity Center (SSO), or both
Remove from AWS SSO / Identity Center Remove user from assigned permission sets / account assignments; disable/remove user if managed there
IAM user cleanup (if applicable) Disable console login; delete/disable access keys; remove from groups; detach policies; delete user if appropriate
Remove role trust / external access Remove any role trusts that directly reference the user (rare) and clean up user-specific permissions
CI/CD & automation credentials Rotate any AWS keys/tokens the leaver could access (pipelines, deploy bots, IaC)
Verify no access remains Attempt login/assume-role should fail; access keys should be inactive

4. GCP: SSH & IAM Cleanup

Item Action Done (✓) Notes
Remove IAM roles/groups Remove roles and group memberships that grant access (admin/compute/OS Login, etc.)
Remove OS Login SSH access Remove OS Login permissions / bindings (preferred)
Remove project metadata SSH keys Remove keys from project metadata (if used)
Remove instance metadata SSH keys Remove keys from instance metadata (if used)
Verify access removed Confirm user cannot SSH to any instance

5. OVH: SSH Key Cleanup

Item Action Done (✓) Notes
Remove from authorized_keys Remove SSH key(s) from all OVH hosts the user could access
Remove from automation Remove from Ansible inventories, Terraform, cloud-init/user-data, provisioning scripts
Verify access removed Confirm key no longer grants access

6. Teknotel: SSH Key Cleanup + Password Rotation (If Applicable)

Item Action Done (✓) Notes
Remove from authorized_keys Remove SSH key(s) from Teknotel hosts and bastion/jumpboxes
Shared admin accounts (if any) Rotate credentials immediately
Datacenter machine local passwords (if applicable) If there are shared/local users or shared passwords, rotate them and document the new owners/rotation date
Verify access removed Confirm key no longer grants access

7. SaaS Accounts: Red-shift / Algolia / Docker Hub

Service Action Done (✓) Notes
Red-shift (certificate tracking) Remove user; review ownership of rules/alerts; ensure notifications/integrations are owned by a team/service account
Algolia (search) Remove user; review API keys; rotate keys if the user could access them; ensure keys live in secret store/CI (not personal)
Docker Hub (registry) Remove org/team access; revoke personal tokens; review automated builds/webhooks; ensure ownership is company-controlled
Claude Team (claude.ai) claude.ai → Settings → Members → find the person and remove. Primary owner is info@appcircle.io.

7A. Node.js / NPM: Package Registry Access & Credential Cleanup

Goal: ensure the leaver cannot publish, unpublish, or access private packages; and that CI/CD uses service tokens (not personal tokens).

Item Action Done (✓) Notes
Identify registry usage List registries used: npmjs.com, GitHub Packages, Artifactory/Nexus/Verdaccio, etc. Determine if packages are published and/or only consumed
Remove org/team membership Remove user from npm org(s) / GitHub org teams / Artifactory groups that grant package read/publish access
Revoke personal tokens Revoke npm access tokens and any GitHub PATs used as NODE_AUTH_TOKEN / NPM_TOKEN
Check CI/CD credential sources Review Jenkins/GitHub Actions/GitLab variables + secret stores. Remove/rotate any package-registry secrets the user could read
Hunt for .npmrc exposure Check shared build agents/images and repo files for .npmrc or embedded tokens; remove and rotate if found
Ensure publishing is service-owned If publishing is needed, switch to a bot/service account token with least privilege; enable 2FA/recovery under company control where applicable
Validate access removal Confirm user cannot install from private scope and cannot publish/unpublish. Confirm pipelines still work with rotated tokens

8. Rotate Shared Credentials (Only If Exposure Risk Exists)

Item Action Done (✓) Notes
CI/CD secrets Rotate deploy keys, tokens, and pipeline secrets
Registry credentials Rotate container registry credentials (Docker Hub, Artifact Registry, ECR, etc.) if shared or exposed
Kubernetes credentials Rotate any shared kubeconfigs/certs/tokens
Shared SSH keys / accounts Rotate / replace shared keys and passwords
Third-party integrations Rotate API tokens used by automation (Algolia, monitoring, webhooks, etc.)
Node.js registry tokens Rotate npm/GH Packages/Artifactory tokens used by CI/CD if the leaver had access or tokens were personal/shared

9. Close-out

Item Action Done (✓) Notes
Record evidence What removed, where, when (screenshots/logs/links)
Note suspicious findings If Cloudflare/AWS audit surfaced anything
Mark DevOps offboarding complete Update ticket and notify stakeholders

Final Review

  • All access revoked (SSO, Git, CI/CD, secret stores, K8s).
  • Cloudflare membership removed, API tokens handled, DNS ownership confirmed.
  • AWS access removed (SSO/IAM), keys revoked, automation credentials rotated if needed.
  • GCP / OVH / Teknotel SSH access removed and verified.
  • Teknotel datacenter shared passwords rotated if applicable.
  • Red-shift / Algolia / Docker Hub access reviewed and cleaned up.
  • Claude Team (claude.ai) membership removed.
  • Node.js package registry access removed; npm/GH Packages/Artifactory tokens revoked/rotated; .npmrc exposure checked.
  • Arc configs cleaned up and all access revoked.
  • Evidence recorded and offboarding closed.