Controlling Operator Access To Customer Cloud Infrastructure Environments

What is claimed is: 1 . One or more non-transitory computer-readable media comprising instructions which, when executed by one or more hardware processors, cause performance of operations comprising: receiving, from a customer operator associated with a customer of a cloud service provider (CSP), a command to disable CSP operator access to a first set of resources in a customer cloud environment; wherein CSP operator access to the first set of resources in the customer cloud environment is permitted based on a set of permissions; and responsive to the command, performing one or more of: terminating one or more existing sessions that provide CSP operator access to the first set of resources in the customer cloud environment, wherein the one or more existing sessions were established based at least in part on the set of permissions; rejecting one or more new requests for credentials to establish sessions that provide CSP operator access to the first set of resources in the customer cloud environment, wherein the new requests for credentials are made based at least in part on the set of permissions; or revoking existing credentials used to establish sessions that provide CSP operator access to the first set of resources in the customer cloud environment, wherein existing credentials were granted based at least in part on the set of permissions. 2 . The one or more non-transitory computer-readable media of claim 1 : wherein terminating the existing sessions is performed by a bastion service configured to provision a set of bastion instances through which the existing sessions are established, wherein the bastion service records information associated with the existing sessions to generate recorded information, the recorded information including at least one of: (a) if the requestor of the session is a CSP operator, or (b) if the session is a connection into the customer cloud environment; wherein the bastion service identifies the existing sessions to be terminated based on the recorded information; wherein the bastion service terminates the identified sessions. 3 . The one or more non-transitory computer-readable media of claim 1 , wherein rejecting the one or more new requests for credentials is performed by a permissions service configured to manage the set of permissions. 4 . The one or more non-transitory computer-readable media of claim 1 , wherein revoking the existing credentials is performed by a permissions service configured to manage the set of permissions. 5 . The one or more non-transitory computer-readable media of claim 1 , wherein the command requests to disable CSP operator access to all resources in the customer cloud environment, and one or more of the following is performed: (a) terminating all existing sessions; (b) rejecting all new requests for credentials; or (c) revoking all existing credentials. 6 . The one or more non-transitory computer-readable media of claim 1 , wherein the command requests to disable CSP operator access to a subset of resources in the customer cloud environment, and one or more of the following is performed: (a) terminating a subset of existing sessions corresponding to the subset of resources; (b) rejecting a subset of new requests for credentials corresponding to the subset of resources; or (c) revoking a subset of existing credentials corresponding to the subset of resources. 7 . The one or more non-transitory computer-readable media of claim 1 , wherein the command is associated with a designated time period, the operations further comprising: subsequent to conclusion of the designated time period, reversing one or more of: (a) terminating the existing sessions; (b) rejecting the new requests for credentials; or (c) revoking the existing credentials. 8 . The one or more non-transitory computer-readable media of claim 1 , wherein the command sets a flag in a database accessible by one or more of (a) a bastion service configured to provision a set of bastion instances through which the existing sessions are established or (b) a permissions service configured to manage the set of permissions. 9 . The one or more non-transitory computer-readable media of claim 1 , wherein terminating CSP operator access to the first set of resources does not terminate CSP operator access to a second set of resources in the customer cloud environment. 10 . The one or more non-transitory computer-readable media of claim 1 , wherein terminating CSP operator access applies to a first CSP operator and does not terminate access for a second CSP operator. 11 . The one or more non-transitory computer-readable media of claim 1 , wherein the CSP is a first entity, the customer of the CSP is a second entity, and the customer of the CSP provides cloud services to an end user associated with a third entity. 12 . The one or more non-transitory computer-readable media of claim 1 , wherein the command to disable access of the CSP operator is an application programming interface call made in response to user input supplied by the customer operator. 13 . A method comprising: receiving, from a customer operator associated with a customer of a cloud service provider (CSP), a command to disable CSP operator access to a first set of resources in a customer cloud environment; wherein CSP operator access to the first set of resources in the customer cloud environment is permitted based on a set of permissions; and responsive to the command, performing one or more of: terminating one or more existing sessions that provide CSP operator access to the first set of resources in the customer cloud environment, wherein the one or more existing sessions were established based at least in part on the set of permissions; rejecting one or more new requests for credentials to establish sessions that provide CSP operator access to the first set of resources in the customer cloud environment, wherein the new requests for credentials are made based at least in part on the set of permissions; or revoking existing credentials used to establish sessions that provide CSP operator access to the first set of resources in the customer cloud environment, wherein the existing credentials were granted based at least in part on the set of permissions, wherein the method is performed by at least one device including a hardware processor. 14 . The method of claim 13 : wherein terminating the existing sessions is performed by a bastion service configured to provision a set of bastion instances through which the existing sessions are established, wherein the bastion service records information associated with the existing sessions to generate recorded information, the recorded information including at least one of: (c) if a requestor of the session is a CSP operator, or (d) if the session is a connection into the customer cloud environment; wherein the bastion service identifies the existing sessions to be terminated based on the recorded information; wherein the bastion service terminates the identified sessions. 15 . The method of claim 13 , wherein rejecting the one or more new requests for credentials is performed by a permissions service configured to manage the set of permissions. 16 . The method of claim 13 , wherein revoking the existing credentials is performed by a permissions service configured to manage the set of permissions. 17 . The method of claim 13 , wherein the command requests to disable CSP operator access to all resources in the customer cloud environment, and one or more of the following is performe