CASE 11 · ARCO · 2026
Retired eighty IAM users in three weeks.
An engineering SaaS company had eighty IAM users with long-lived access keys, half of them belonging to people who no longer worked there. We rolled out IAM Identity Center federated to Okta, migrated every human and machine identity, and deleted the IAM users without breaking a single workflow.
Engineering SaaS · Security · 2026
RESULTS
What changed, by the numbers.
IAM users retired: 80 → 0
Access keys: −100%
Permission Sets: 11
Timeline: 3 weeks
HOW IT WENT
We started with a CloudTrail audit: every IAM user, every API call they made over ninety days, every permission they actually exercised. About 60% of the granted permissions were never used. About 30% of the users hadn’t made any API calls in six months.
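The audit above asked two questions of the CloudTrail data: which granted actions each IAM user actually exercised, and which users had gone quiet. As an added illustration (not the client's or the consultancy's tooling), here is that analysis run offline over a constructed handful of CloudTrail records and a constructed grant list; the user names, actions and dates are invented, and the real engagement pulled ninety days of events plus the policies attached to each user.

```python
"""Offline analysis of CloudTrail events against granted IAM permissions.

Added example, not the client's or the consultancy's code: the audit's two
questions computed over a constructed sample instead of a real export."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Iterable, Optional

# Constructed CloudTrail records, trimmed to the fields this analysis reads.
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-10T09:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2026-01-11T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2025-06-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    # A role session, not an IAM user: it must not be attributed to any user.
    {"eventTime": "2026-01-12T12:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"type": "AssumedRole", "userName": "ci-deploy"}},
]

# Constructed grants per user, as they would be collected from attached and
# inline policies. Wildcards follow IAM's "*" convention.
GRANTED = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "iam:*"},
    "bob": {"ec2:*", "rds:DescribeDBInstances"},
    "carol": {"s3:GetObject"},
}

# Fixed "now" so the sample is reproducible; a real run would use the export date.
REFERENCE_NOW = datetime(2026, 1, 20, tzinfo=timezone.utc)


def action_of(event: dict) -> str:
    """Map a CloudTrail record to an IAM action string, e.g. 's3:GetObject'."""
    service = event["eventSource"].split(".", 1)[0]
    return f"{service}:{event['eventName']}"


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def exercised_actions(events: Iterable[dict], users: Iterable[str]) -> dict[str, set[str]]:
    """Actions each IAM user actually called. Role sessions are ignored."""
    used: dict[str, set[str]] = {u: set() for u in users}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") == "IAMUser" and ident.get("userName") in used:
            used[ident["userName"]].add(action_of(ev))
    return used


def last_activity(events: Iterable[dict], users: Iterable[str]) -> dict[str, Optional[datetime]]:
    """Most recent API call per IAM user, or None if the user never appears."""
    seen: dict[str, Optional[datetime]] = {u: None for u in users}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") not in seen:
            continue
        ts = parse_time(ev["eventTime"])
        prev = seen[ident["userName"]]
        if prev is None or ts > prev:
            seen[ident["userName"]] = ts
    return seen


def grant_is_used(grant: str, actions: set[str]) -> bool:
    """IAM action matching is case-insensitive and '*' is a wildcard."""
    return any(fnmatchcase(a.lower(), grant.lower()) for a in actions)


def unused_grants(granted: dict[str, set[str]], used: dict[str, set[str]]) -> dict[str, set[str]]:
    """Granted entries that no exercised action ever matched."""
    return {u: {g for g in grants if not grant_is_used(g, used.get(u, set()))}
            for u, grants in granted.items()}


def inactive_users(events, users, now=REFERENCE_NOW, days=180) -> set[str]:
    """Users with no API call in the last `days` days (six months by default)."""
    cutoff = now - timedelta(days=days)
    return {u for u, ts in last_activity(events, users).items() if ts is None or ts < cutoff}


def audit(events=SAMPLE_EVENTS, granted=GRANTED, now=REFERENCE_NOW) -> dict:
    used = exercised_actions(events, granted)
    unused = unused_grants(granted, used)
    total = sum(len(g) for g in granted.values())
    never_used = sum(len(g) for g in unused.values())
    return {
        "unused_grants": unused,
        "unused_grant_ratio": never_used / total if total else 0.0,
        "inactive_users": inactive_users(events, granted, now=now),
    }


if __name__ == "__main__":
    report = audit()
    print(f"{report['unused_grant_ratio']:.0%} of granted actions never exercised")
    print("inactive users:", sorted(report["inactive_users"]))
    for user, grants in report["unused_grants"].items():
        print(f"  {user}: could drop {sorted(grants)}")
```

The per-user `unused_grants` output is the raw material for the Permission Sets: whatever survives in the used set for a job function is what that function's set needs, and the inactive list is the first batch of users to disable.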
We modelled eleven Permission Sets — one per actual job function — based on observed usage. CI/CD pipelines moved to GitHub Actions OIDC, eliminating long-lived deploy keys. Three service accounts that genuinely needed programmatic access stayed, but moved to short-lived credentials via STS.
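Moving CI/CD to GitHub Actions OIDC only removes the deploy keys if the role's trust policy is pinned to the right repository and branch; a trust policy that checks the audience but not the subject would accept a workflow token from any repository. As an added example (not the client's or the consultancy's code), here is a strict trust policy of that shape beside a loose one, and a small check that flags the loose conditions. The account id, organisation, repository and branch are placeholders.

```python
"""Check a GitHub Actions OIDC trust policy for the conditions that keep it
scoped to one repository and branch.

Added example, not the client's or the consultancy's code. The account id and
the repository names are placeholders."""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed: the trust policy a deploy role should carry.
STRICT_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-app:ref:refs/heads/main"}
    }
  }]
}
""")

# Constructed: the same policy with no subject condition, so a workflow token
# from any GitHub repository would satisfy it.
LOOSE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}
    }
  }]
}
""")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_values(condition: dict, key: str) -> list:
    """Every value bound to `key`, across all condition operators."""
    found = []
    for _operator, pairs in condition.items():
        for k, v in pairs.items():
            if k == key:
                found.extend(_as_list(v))
    return found


def trust_policy_findings(policy: dict) -> list:
    """Return a human-readable finding per weak condition; empty means pinned."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        federated = _as_list(st.get("Principal", {}).get("Federated", []))
        if not any(GITHUB_OIDC in p for p in federated):
            continue  # not a GitHub OIDC statement; out of scope here
        condition = st.get("Condition", {})
        auds = _condition_values(condition, f"{GITHUB_OIDC}:aud")
        if auds != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud must be exactly sts.amazonaws.com, got {auds}")
        subs = _condition_values(condition, f"{GITHUB_OIDC}:sub")
        if not subs:
            findings.append(f"statement {i}: no sub condition; any repository could assume this role")
        for sub in subs:
            if not sub.startswith("repo:") or sub.startswith("repo:*"):
                findings.append(f"statement {i}: sub '{sub}' is not pinned to a repository")
            elif sub.endswith(":*"):
                findings.append(f"statement {i}: sub '{sub}' allows any ref, pull requests included")
    return findings


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_TRUST_POLICY), ("loose", LOOSE_TRUST_POLICY)):
        print(name, trust_policy_findings(policy) or "ok")
```

Run the check against each deploy role's trust policy before the matching IAM user is disabled; a role that passes is the one the pipeline can rely on once the long-lived key is gone.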
Cutover ran one workload at a time, with the old IAM user kept disabled for a week before deletion. Zero outages. Two engineers wrote nostalgic Slack messages about the IAM users they were retiring. One of them had been created in 2017.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.