> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tensor9.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Revoking Access

You can disable individual permission tiers, re-enable them later, or remove all access entirely. Revocation is immediate - there is no delay or grace period.

<Info>
  This page is about the **standing permission tiers** you grant the controller. Ending a single [break glass](/customer/security/break-glass) session is a separate control, at a different scope - see that page for one-off, approved sessions.
</Info>

## What Happens When Permissions Are Revoked

Regardless of environment, here's what to expect when you revoke a permission tier:

| Revoked Tier          | Impact                                                                                                 |
| --------------------- | ------------------------------------------------------------------------------------------------------ |
| Steady-state          | We lose visibility into application health. We won't know if the application is running or has issues. |
| Install               | We cannot provision infrastructure or perform upgrades. The current deployment continues running.      |
| Deploy                | We cannot deploy new versions. The current version continues running.                                  |
| Read-only operations  | We cannot view logs or events for troubleshooting.                                                     |
| Read-write operations | We cannot restart pods or apply patches.                                                               |
| Admin operations      | We cannot execute commands in containers or port-forward.                                              |

## Disabling Permissions

<Tabs>
  <Tab title="Kubernetes">
    To disable a specific permission tier (e.g., prevent us from restarting pods), delete the corresponding cluster role binding.

    ```bash theme={null}
    kubectl delete clusterrolebinding <binding-name>
    ```

    Once deleted, the controller immediately loses that capability. We cannot perform actions that require that permission tier until you re-enable it.

    ### Example: Disable Admin Operations

    If you enabled admin operations for a troubleshooting session and want to revoke it:

    ```bash theme={null}
    kubectl delete clusterrolebinding <admin-ops-binding>
    ```

    The controller can no longer execute commands inside containers or port-forward. Read-only and read-write operations (if enabled) are unaffected.
  </Tab>

  <Tab title="AWS">
    The controller's EC2 instance uses an IAM instance profile with attached policies. To restrict what the controller can do, detach specific policies from its IAM role.

    ### View Current Policies

    ```bash theme={null}
    aws iam list-attached-role-policies --role-name <controller-role-name>
    ```

    ### Detach a Policy

    ```bash theme={null}
    aws iam detach-role-policy \
      --role-name <controller-role-name> \
      --policy-arn <policy-arn>
    ```

    Once detached, the controller immediately loses the permissions granted by that policy.
  </Tab>
</Tabs>

## Re-Enabling Permissions

<Tabs>
  <Tab title="Kubernetes">
    To restore a permission tier you previously disabled, re-apply the role binding. The Terraform configuration you applied during installation contains the definitions. You can either:

    1. Re-run `terraform apply` to restore all bindings to their original state
    2. Create the specific role binding manually with kubectl
  </Tab>

  <Tab title="AWS">
    Re-attach the policy to the role:

    ```bash theme={null}
    aws iam attach-role-policy \
      --role-name <controller-role-name> \
      --policy-arn <policy-arn>
    ```

    The Terraform configuration you applied during installation contains the full policy definitions. You can also re-run `terraform apply` to restore everything to its original state.
  </Tab>
</Tabs>

## Revoking All Access

<Tabs>
  <Tab title="Kubernetes">
    ### Option 1 - Delete all cluster role bindings

    ```bash theme={null}
    kubectl get clusterrolebindings | grep <namespace> | awk '{print $1}' | xargs kubectl delete clusterrolebinding
    ```

    The `grep` selects every binding whose name contains the namespace string, so review its output before piping it into `kubectl delete`.
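    Added example, not part of Tensor9's documentation or tooling: a filter that selects bindings by the namespace of their ServiceAccount subjects rather than by a substring of the binding name, with a dry-run mode. The sample listing is constructed, and the live `list_bindings` helper assumes kubectl access to the cluster.

    ```bash
    #!/bin/sh
    # Added example, not Tensor9's own tooling. Picks the ClusterRoleBindings to
    # delete by the namespace of their ServiceAccount subjects instead of by a
    # substring of the binding name, so a binding whose name merely contains
    # the namespace is left alone and one that binds the controller's service
    # account under an unrelated name is not missed. Assumes kubectl access.
    set -eu

    # Live listing: one line per binding, "<name> <comma-separated subject namespaces>".
    list_bindings() {
      kubectl get clusterrolebindings --no-headers \
        -o custom-columns='NAME:.metadata.name,NS:.subjects[*].namespace'
    }

    # Reads a listing in that format on stdin and prints the names of bindings
    # that have at least one subject in the given namespace (exact match).
    bindings_for_namespace() {
      awk -v ns="$1" '{
        n = split($2, subs, ",")
        for (i = 1; i <= n; i++) if (subs[i] == ns) { print $1; break }
      }'
    }

    # Reads a listing on stdin and deletes the matching bindings.
    # Set DRY_RUN=1 to print what would be deleted instead.
    revoke_namespace_bindings() {
      bindings_for_namespace "$1" | while read -r name; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
          echo "would delete clusterrolebinding/$name"
        else
          kubectl delete clusterrolebinding "$name"
        fi
      done
    }

    # Constructed sample listing for trying the filter offline; note that
    # tensor9-metrics contains the namespace in its name but is not selected.
    SAMPLE_LISTING='t9-steady-state   tensor9
    t9-admin-ops      tensor9
    tensor9-metrics   monitoring
    cluster-admin     <none>
    shared-reader     kube-system,tensor9'

    # Usage: DRY_RUN=1 ./revoke-bindings.sh <namespace>   (then again without DRY_RUN)
    if [ -n "${1:-}" ]; then list_bindings | revoke_namespace_bindings "$1"; fi
    ```

    Try the filter offline with `printf '%s\n' "$SAMPLE_LISTING" | bindings_for_namespace tensor9`; a binding is selected only when one of its subjects sits in exactly that namespace.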

    ### Option 2 - Delete the namespace

    ```bash theme={null}
    kubectl delete namespace <namespace>
    ```

    This removes everything - the controller, its permissions, its service accounts, and all resources in the namespace. The application will stop running. Use this only if you need to completely remove the deployment.
  </Tab>

  <Tab title="AWS">
    ### Option 1 - Detach all policies

    First, list all policies attached to the controller's IAM role:

    ```bash theme={null}
    aws iam list-attached-role-policies \
      --role-name <controller-role-name> \
      --query 'AttachedPolicies[].PolicyArn' \
      --output text
    ```

    Then, for each policy ARN returned, run:

    ```bash theme={null}
    aws iam detach-role-policy \
      --role-name <controller-role-name> \
      --policy-arn <policy-arn-from-step-1>
    ```

    The controller instance keeps running but can no longer call any AWS APIs.
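    As an added example (not Tensor9's own tooling), the listing and detach steps above as one script, extended with the inline policies that `list-attached-role-policies` does not report and a re-listing to confirm the role is empty. It assumes a configured aws CLI with rights to modify the role and takes the role name as its argument.

    ```bash
    #!/bin/sh
    # Added example, not Tensor9's own tooling. Strips every permission from the
    # controller's IAM role: the managed policies the steps above detach, plus any
    # inline policies, which `list-attached-role-policies` does not report.
    # Assumes an aws CLI configured with rights to modify the role.
    set -eu

    # Print the ARNs of the managed policies attached to the role, one per line.
    managed_policy_arns() {
      out=$(aws iam list-attached-role-policies --role-name "$1" \
        --query 'AttachedPolicies[].PolicyArn' --output text) || return 1
      printf '%s\n' "$out" | tr '\t' '\n' | grep -v -e '^None$' -e '^$' || true
    }

    # Print the names of the inline policies embedded in the role, one per line.
    inline_policy_names() {
      out=$(aws iam list-role-policies --role-name "$1" \
        --query 'PolicyNames[]' --output text) || return 1
      printf '%s\n' "$out" | tr '\t' '\n' | grep -v -e '^None$' -e '^$' || true
    }

    # Detach every managed policy and delete every inline policy, printing one
    # line per removal so the run can be kept next to the CloudTrail record.
    revoke_all_iam_permissions() {
      role=$1
      arns=$(managed_policy_arns "$role")
      for arn in $arns; do
        aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
        echo "detached $arn"
      done
      names=$(inline_policy_names "$role")
      for name in $names; do
        aws iam delete-role-policy --role-name "$role" --policy-name "$name"
        echo "deleted inline $name"
      done
    }

    # Re-list after revoking; succeeds only when nothing is left on the role.
    verify_role_is_empty() {
      m=$(managed_policy_arns "$1") && i=$(inline_policy_names "$1") && [ -z "$m$i" ]
    }

    # Usage: ./revoke-all.sh <controller-role-name>
    if [ -n "${1:-}" ]; then
      revoke_all_iam_permissions "$1"
      verify_role_is_empty "$1" || { echo "policies remain on role $1" >&2; exit 1; }
      echo "role $1 has no policies left"
    fi
    ```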

    ### Option 2 - Stop the instance

    ```bash theme={null}
    aws ec2 stop-instances --instance-ids <instance-id>
    ```

    This stops the controller entirely.

    ### Option 3 - Detach the instance profile

    ```bash theme={null}
    aws ec2 disassociate-iam-instance-profile \
      --association-id <association-id>
    ```

    Once the instance profile is detached, the controller loses all IAM permissions immediately.
  </Tab>
</Tabs>

## Auditing Permission Changes

<Tabs>
  <Tab title="Kubernetes">
    Kubernetes records all RBAC changes in the API server audit log, so you can verify when bindings were created, modified, or deleted. Note that `kubectl get events` shows recent events in a namespace, which is a different source: the audit log is enabled on the control plane through an audit policy and is where each ClusterRoleBinding create, update, or delete request is written.

    ```bash theme={null}
    kubectl get events -n <namespace> --field-selector reason=Created
    ```
  </Tab>

  <Tab title="AWS">
    All IAM changes are recorded in AWS CloudTrail. You can verify when policies were attached or detached, or when the role itself was modified:

    ```bash theme={null}
    aws cloudtrail lookup-events \
      --lookup-attributes AttributeKey=ResourceName,AttributeValue=<controller-role-name> \
      --max-results 20
    ```
  </Tab>
</Tabs>

## Related

* [Permissions](/customer/security/permissions) - What each permission tier allows
* [Security Model](/customer/security/security-model) - The overall security architecture
* [Break Glass](/customer/security/break-glass) - Ending a single approved session, distinct from revoking a standing tier
