Revoke access from prior employees

We need to demonstrate that we have a system for revoking access from prior employees to our database. We are currently on 884, and thus using the API Gateway client to allow developers access. I’ve noticed that the API Gateway does not support IAM authorization by default. I know that authorization is controlled by the client downloading a key file from the Datomic S3 bucket, and using that to sign requests. However, how would we go about revoking authorization to a departed employee? Clearly revoking access to the S3 bucket wouldn’t be enough, since they could easily have downloaded the key file at any prior time.

Is it safe to rotate that key file in the S3 bucket? I believe that would require at the very least rebooting all compute instances, which implies downtime. Looking at the file, there appears to be some rotation semantics in it, but I don’t believe there are any docs about how to do that.