The nice thing about having an identity provider is that offboarding users from your Substrate-managed AWS organization doesn’t have to involve a single additional step — just deactivate the users in your identity provider and go on about your day.
There are, however, a couple of things you might want to do to tidy up after someone leaves and loses access to AWS.
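For example, this lists any EC2 instances launched with a key pair named for the departed user's email address (substitute it for email-address), in each region listed in substrate.regions:
xargs -n1 aws ec2 describe-instances --filters "Name=key-name,Values=email-address" --region <"substrate.regions"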