aws-nuke: nuke all AWS resources in an AWS account with a single click!
In this article, we will learn everything there is about aws-nuke.
Understanding aws-nuke
Let us consider a simple scenario to understand aws-nuke. Assume that you have an AWS account where multiple EC2 instances, load balancers, target groups, security groups, etc. are set up. To spice things up a little, let's say you use Terraform to set this up, but sometimes, due to corruption, the state becomes inconsistent and the only way to recover is to manually destroy all resources in that AWS account.
Now we start to wonder: if only there were a tool that could nuke all resources in an AWS account, our life would be so much easier and hassle-free!
And the answer is YES! We do have such a tool, called aws-nuke, which automates all of this manual work in an instant, without you having to worry about anything. Isn't it great?
Before doing all that, let's see how to install aws-nuke.
Installation of aws-nuke
Note: Here I have explained the installation for Linux; for Windows, please refer to the release page and download the Windows zip file.
Step 1: Download the Tar Gz file.
wget https://github.com/rebuy-de/aws-nuke/releases/download/v2.20.0/aws-nuke-v2.20.0-linux-amd64.tar.gz
Step 2: Extract the file.
tar -xvzf aws-nuke-v2.20.0-linux-amd64.tar.gz
Step 3: Rename the file.
mv aws-nuke-v2.20.0-linux-amd64 aws-nuke
Step 4: Make the file executable (only the execute bit is actually needed; 777 also makes the binary world-writable, which is broader than necessary).
chmod 777 aws-nuke
Step 5: Copy the binary to a directory on your PATH.
sudo cp aws-nuke /usr/bin/
Step 6: Run the aws-nuke command to check whether it is working properly.
aws-nuke -h
Nuke AWS account resources
Caution! Be aware that aws-nuke is a very destructive tool, hence you have to be very careful while using it. Otherwise, you might delete production data.
First, configure the AWS CLI.
Create a config file for aws-nuke. For example, nuke-config.yml
---
regions:
  - eu-west-1
  - global
account-blocklist:
  - "999999999999" # production
accounts:
  "000000000000": {} # aws-nuke-example
By default aws-nuke only lists all nukeable resources. You need to add --no-dry-run to actually delete resources.
aws-nuke -c config/nuke-config.yml --profile aws-nuke-example
Do you really want to nuke the account with the ID 000000000000 and the alias 'aws-nuke-example'?
Do you want to continue? Enter account alias to continue.
> aws-nuke-example
Tip for automation scripts: By default, aws-nuke asks you to enter the account alias. If we add --force, it will instead wait for 15 seconds and won't ask for the account alias manually.
aws-nuke -c config/nuke-config.yml --no-dry-run --force --profile aws-nuke-example
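Because --force removes the interactive alias prompt, an automation script loses the last human check before deletion. As an added example (not from the article or the aws-nuke project), this POSIX shell guard re-implements that check by refusing a destructive run unless the caller's account is explicitly listed under accounts: and absent from account-blocklist: in the config; the function names, the awk parsing and the sample config are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the article or the aws-nuke project: a pre-flight guard
# that only allows a destructive run when the caller's account is listed under
# `accounts:` and absent from `account-blocklist:` in nuke-config.yml.
# The awk parser assumes the flat config layout shown in the article.

# Print the account IDs under one top-level key (accounts or account-blocklist).
# Accepts `- "123"` sequence items and `"123": {}` mapping keys.
config_accounts() {
  awk -v key="$1" '
    /^[A-Za-z-]+:/ { section = ($0 ~ ("^" key ":")); next }  # top-level key starts/ends a section
    section {
      line = $0
      sub(/#.*/, "", line)        # drop trailing comment
      gsub(/[" \t]/, "", line)    # drop quotes and whitespace
      sub(/^-/, "", line)         # drop sequence dash
      sub(/:.*$/, "", line)       # drop ": {}" after a mapping key
      if (line ~ /^[0-9]+$/) print line
    }' "$2"
}

# Return 0 when caller_id may be nuked under the config, 1 otherwise.
nuke_guard() {
  caller_id="$1"; file="$2"
  if config_accounts account-blocklist "$file" | grep -qx "$caller_id"; then
    echo "REFUSED: $caller_id is in account-blocklist"; return 1
  fi
  if ! config_accounts accounts "$file" | grep -qx "$caller_id"; then
    echo "REFUSED: $caller_id is not listed under accounts"; return 1
  fi
  echo "OK: $caller_id is an explicit nuke target"
}

# Wrapper: resolve the caller's account via the AWS CLI, then run aws-nuke only if
# the guard passes. Assumes aws and aws-nuke are installed (not called in the demo).
run_nuke() {
  id=$(aws sts get-caller-identity --profile "$2" --query Account --output text) || return 1
  nuke_guard "$id" "$1" || return 1
  aws-nuke -c "$1" --profile "$2" --no-dry-run --force
}

# Constructed sample config mirroring the article's example, written to "$1".
sample_config() {
  printf '%s\n' '---' 'regions:' '  - eu-west-1' '  - global' \
    'account-blocklist:' '  - "999999999999" # production' \
    'accounts:' '  "000000000000": {} # aws-nuke-example' > "$1"
}

# Stand-alone demo against the constructed config, no AWS calls.
cfg=$(mktemp); sample_config "$cfg"
nuke_guard 000000000000 "$cfg"; nuke_guard 999999999999 "$cfg" || true; rm -f "$cfg"
```

In a pipeline you would call run_nuke nuke-config.yml aws-nuke-example in place of the bare aws-nuke command above.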
Specifying Resource Types to Delete
aws-nuke deletes a lot of resources, so you might want to restrict which resources it deletes. There are multiple ways to configure this.
filters
aws-nuke will delete the administrator user as well. We don't want this, because we use this user to access our account. Therefore we have to extend the config so it ignores this user:
---
regions:
  - eu-west-1
account-blocklist:
  - "999999999999" # production
accounts:
  "000000000000": # aws-nuke-example
    filters:
      IAMUser:
        - "my-user"
      IAMUserPolicyAttachment:
        - "my-user -> AdministratorAccess"
      IAMUserAccessKey:
        - "my-user -> ABCDEFGHIJKLMNOPQRST"
target
The --target flag limits nuking to the specified resource types. The equivalent in the config file:
---
regions:
  - "eu-west-1"
account-blocklist:
  - 1234567890
resource-types:
  # only nuke these three resources
  targets:
    - S3Object
    - S3Bucket
    - IAMRole
accounts:
  555133742: {}
exclude
The --exclude flag prevents nuking of the specified resource types. The equivalent in the config file:
---
regions:
  - "eu-west-1"
account-blocklist:
  - 1234567890
resource-types:
  # don't nuke IAM users
  excludes:
    - IAMUser
accounts:
  555133742: {}
You can see all available resource types with this command:
aws-nuke resource-types
aws-nuke also supports the AWS Cloud Control API.
aws-nuke with Docker
You can run aws-nuke with Docker using the following command:
$ docker run \
--rm -it \
-v /full-path/to/nuke-config.yml:/home/aws-nuke/config.yml \
-v /home/user/.aws:/home/aws-nuke/.aws \
quay.io/rebuy/aws-nuke:v2.11.0 \
--profile default \
--config /home/aws-nuke/config.yml
To make it work, you need to adjust the paths for the AWS config and the aws-nuke config. Also, you need to specify the correct AWS profile. Instead of mounting the AWS directory, you can use the --access-key-id and --secret-access-key flags.
Conclusion
To summarize,
We installed aws-nuke.
We nuked AWS resources using aws-nuke.
We restricted deletion to specific resource types.
We have seen how to use Docker to nuke the resources.
aws-nuke is stable, but it is likely that not all AWS resources are covered by it. Be encouraged to add missing resources and create a Pull Request or to create an Issue.
Written by
Rahulkumar Choudhary