A grantee can either be an AWS account (which you probably added in the past) or a predefined AWS “group”, such as “Authenticated Users”, “All Users” or “Log Delivery”. Please have a look at ACL Overview, on AWS docs, for more information.

For removing grants from a given file (or from a set of files), you can use the PUT Object acl operation.

It is not clear, on the documentation, what you need to do in order to remove an user from the “Grantee” list. I performed some tests and this is how S3 is behaving:

• If you select a file using the S3 Management Console and add permission to a new user (not yet in your grantees list), using his email address (make sure the email belongs to a valid Amazon account), that user does NOT go to the bucket ACL, but goes to the object ACL. This user also goes to the Grantees list permanently (even though his friendly name, instead of his email address, is what shows up there).
• If you log out from the AWS console and log in again, the user is still on the Grantees list and you can give him permissions for other objects.
• If you remove the given user’s permissions on every object, log out and log in again, the user will not show on the Grantees list anymore.
• If you add a given user to the Bucket ACL (either via API or via the AWS Console), the user will always be in the Grantees list for objects on that bucket.

This makes me think the Grantees list contains the entire list of users in your bucket’s ACL plus a cache of users with permissions to objects in your bucket (which is cleared upon logging out, if you remove those permissions).

So, I would try first removing the users you don’t want from your bucket’s ACL, and then (via API, of course) remove those user’s permissions for the objects in your bucket.