DEV Community

loading...
AWS Community Builders

Nuke AWS Resources

Arun Kumar
AWS Community Builder
・3 min read

Objective

  • Nuke is a powerful tool which allows you the ability to programmatically destroy any resources in an AWS Account which are not considered “Default” or “AWS-Managed.”

  • In short, it will take your account back to Day-1 with few exceptions.

Note:
We strongly advise you - do not run this application on any AWS account where you cannot afford to lose all resources.

Steps

  • Clone core-nuke repo to your laptop.

  • Checkout to new branch and edit the core-nuke/scripts/config.yaml file.

  • The config.yaml file is used to run the Nuke program. Sample config.yaml below.

---
regions:
- ap-southeast-1
- global
#exception to delete the below listed accounts wont be deleted
account-blacklist:
- "AWS Accounts"
resource-types:
  # don't nuke IAM users
  excludes:
  - Route53ResourceRecordSet
  - Route53HostedZone
  - IAMLoginProfile
  - IAMGroup
  - IAMRolePolicy #inline policy
  - IAMRolePolicyAttachment
  - EC2VPNGatewayAttachment
  - EC2DHCPOption
  - EC2NATGateway
  - EC2InternetGateway
  - EC2KeyPair
  - EC2InternetGatewayAttachment
  - CloudTrailTrail
  - ConfigServiceConfigRule
  - EC2VPCPeeringConnection
  - EC2VPNGateway
  - CloudWatchEventsRule
  - CloudWatchEventsTarget
  - IAMPolicy #managed Policy

# List the aws account numbers you want to Nuke
accounts:
  #"123565788": {}
  "123565788":  # aws-nuke-example
    filters:
      IAMUser:
      - "jack"
      IAMUserPolicyAttachment:
      - "John -> AdministratorAccess"
      IAMUserAccessKey:
      - "jack -> AKIAIKAIGVTDSDWJWHDLA"
      IAMRolePolicyAttachment:
      - "i-0f3719e4a2eqewdda-@-john-account -> AdministratorAccess"
      IAMRolePolicy:
      - "i-0f3719e4a2qwq9dda-@-john-account -> ssm-validations"
      EC2Instance:
      - "i-04232c0b689d46012"
      EC2Volume:
      - "vol-086940f4a23483q179"
      EC2Subnet:
      - "subnet-97f123f0"
      - "subnet-eb52wbad"
      - "subnet-1b01s952"
      EC2SecurityGroup:
      - ""
      IAMRole:
      - "ADMIN"
      - "DevOps"
      EC2VPC:
      - "vpc-f60232691"
      EC2RouteTable:
      - "rtb-1831207f"
      EC2VPCEndpoint:
      - "vpce-4e120627"
      - "vpce-cc12ffa5"
      CloudWatchEventsRule:
      - "Rule: lambda-tagger-rule"
      - "Rule: elb-tagger-rule"
      - "Rule: ec2-tagger-rule"
      - "Rule: asg-tagger-rule"
      - "Dynamodb-tagger-rule"
      - "rds-tagger-rule"
      - "s3-tagger-rule"
      - "lambdas-CleanLogsEventRule-1S7TVM1W8DDQ2"
      LambdaFunction:
      - ""
      EC2Image:
      - ""

      S3Bucket:
      - ""
      IAMVirtualMFADevice:
      - ""
      IAMGroupPolicyAttachment:
      - ""
      ConfigServiceConfigRule:
      - ""
      CloudWatchEventsTarget:
      - "Rule: Dynamodb-tagger-rule Target ID: TaggerLambda"
      - "Rule: lambda-tagger-rule Target ID: TaggerLambda"
      SNSTopic:
      - ""
      CloudWatchLogsLogGroup:
      - "/aws/lambda/resource-tagger"
      - "/aws/lambda/cloudtrail-events"
      - "VpcLogGroup"
      CloudWatchAlarm:
      - "IAM Root Activity"
      - "KMS Key Disabled or Scheduled for Deletion"
      CloudFormationStack:
      - "core-*"
Enter fullscreen mode Exit fullscreen mode
  • Once you update the config.yaml, push the code to your repo and merge to master.

  • Post PR merge, try to create EC2 instance in an account.

  • Login to Nuke EC2 instances.

  • Go to /opt/pipeline/scripts folder and validate the config.yaml file.

  • Configure your AWS credentials to execute the script in nuke instance. If you use SAML authentication in your platform, then you have to generate the SAML credential & token in your laptop and copy the ~/.aws/credentials file content to same location onto your Nuke EC2 instance to delete the resources.

  • Post credential file configuration, you need to configure ~/.aws/config file with target account.

  • Now credentials are set to execute the nuke script from nuke instance. Go to /opt/pipeline/scripts/ path.

  • Run the following command to execute the nuke script. The scripts will ask you to enter the account alias name and then hit enter. It will list down the resources from the specified account, what can and cannot be deleted. It will take a while based on resources available in the target account.

./dist/aws-nuke-v2.14.0-linux-amd64 -c account1-config.yaml
Enter fullscreen mode Exit fullscreen mode

Run without the prompt

  • Execute without prompt for account confirmation so that the output can be pipe’d into a file.

— force (won’t ask for confirmation of account)

— force-sleep int (change the default wait time of 15s)

./dist/aws-nuke-v2.14.0-linux-amd64 -c account1-config.yaml --force --force-sleep 5
Enter fullscreen mode Exit fullscreen mode

Again !

Be aware that aws-nuke is a very destructive tool, hence you have to be very careful while using it. Otherwise you might delete production data !

Reference

[https://github.com/rebuy-de/aws-nuke]

You can find Linux and macOS binaries on the releases page, but they also provide containerized versions on quay.io/rebuy/aws-nuke and docker.io/rebuy/aws-nuke (mirror).

Discussion (0)