Arun Kumar
Posted on June 11, 2021
Objective
Nuke is a powerful tool that lets you programmatically destroy every resource in an AWS account that is not considered "Default" or "AWS-Managed."
In short, it takes your account back to Day-1, with few exceptions.
Note:
We strongly advise you not to run this application on any AWS account where you cannot afford to lose all resources.
Steps
Clone the core-nuke repo to your laptop.
Check out a new branch and edit the core-nuke/scripts/config.yaml file.
The config.yaml file drives the Nuke run. A sample config.yaml is shown below.
---
regions:
  - ap-southeast-1
  - global
# exception: accounts listed here are never nuked, even if they also appear under "accounts"
account-blacklist:
  - "AWS Accounts"
resource-types:
  # resource types that are skipped in every account
  excludes:
    - Route53ResourceRecordSet
    - Route53HostedZone
    - IAMLoginProfile
    - IAMGroup
    - IAMRolePolicy # inline policy
    - IAMRolePolicyAttachment
    - EC2VPNGatewayAttachment
    - EC2DHCPOption
    - EC2NATGateway
    - EC2InternetGateway
    - EC2KeyPair
    - EC2InternetGatewayAttachment
    - CloudTrailTrail
    - ConfigServiceConfigRule
    - EC2VPCPeeringConnection
    - EC2VPNGateway
    - CloudWatchEventsRule
    - CloudWatchEventsTarget
    - IAMPolicy # managed policy
# list the AWS account numbers you want to nuke
accounts:
  # "123565788": {}
  "123565788": # aws-nuke-example
    filters:
      IAMUser:
        - "jack"
      IAMUserPolicyAttachment:
        - "John -> AdministratorAccess"
      IAMUserAccessKey:
        - "jack -> AKIAIKAIGVTDSDWJWHDLA"
      IAMRolePolicyAttachment:
        - "i-0f3719e4a2eqewdda-@-john-account -> AdministratorAccess"
      IAMRolePolicy:
        - "i-0f3719e4a2qwq9dda-@-john-account -> ssm-validations"
      EC2Instance:
        - "i-04232c0b689d46012"
      EC2Volume:
        - "vol-086940f4a23483q179"
      EC2Subnet:
        - "subnet-97f123f0"
        - "subnet-eb52wbad"
        - "subnet-1b01s952"
      EC2SecurityGroup:
        - ""
      IAMRole:
        - "ADMIN"
        - "DevOps"
      EC2VPC:
        - "vpc-f60232691"
      EC2RouteTable:
        - "rtb-1831207f"
      EC2VPCEndpoint:
        - "vpce-4e120627"
        - "vpce-cc12ffa5"
      CloudWatchEventsRule:
        - "Rule: lambda-tagger-rule"
        - "Rule: elb-tagger-rule"
        - "Rule: ec2-tagger-rule"
        - "Rule: asg-tagger-rule"
        - "Dynamodb-tagger-rule"
        - "rds-tagger-rule"
        - "s3-tagger-rule"
        - "lambdas-CleanLogsEventRule-1S7TVM1W8DDQ2"
      LambdaFunction:
        - ""
      EC2Image:
        - ""
      S3Bucket:
        - ""
      IAMVirtualMFADevice:
        - ""
      IAMGroupPolicyAttachment:
        - ""
      ConfigServiceConfigRule:
        - ""
      CloudWatchEventsTarget:
        - "Rule: Dynamodb-tagger-rule Target ID: TaggerLambda"
        - "Rule: lambda-tagger-rule Target ID: TaggerLambda"
      SNSTopic:
        - ""
      CloudWatchLogsLogGroup:
        - "/aws/lambda/resource-tagger"
        - "/aws/lambda/cloudtrail-events"
        - "VpcLogGroup"
      CloudWatchAlarm:
        - "IAM Root Activity"
        - "KMS Key Disabled or Scheduled for Deletion"
      CloudFormationStack:
        - "core-*"
Once you have updated config.yaml, push the change to your repo and merge it to master.
After the PR is merged, create the Nuke EC2 instance in the account.
Log in to the Nuke EC2 instance.
Go to the /opt/pipeline/scripts folder and validate the config.yaml file.
Configure your AWS credentials on the Nuke instance so the script can run. If your platform uses SAML authentication, generate the SAML credentials and token on your laptop and copy the contents of ~/.aws/credentials to the same location on the Nuke EC2 instance.
After the credentials file is in place, configure ~/.aws/config with the target account.
The credentials are now set to execute the nuke script from the Nuke instance. Go to the /opt/pipeline/scripts/ path.
Run the following command to execute the nuke script. The script asks you to enter the account alias name; type it and press Enter. It then lists the resources in the specified account and shows which can and cannot be deleted. This takes a while, depending on the number of resources in the target account.
./dist/aws-nuke-v2.14.0-linux-amd64 -c account1-config.yaml
Run without the prompt
- Execute without the prompt for account confirmation so that the output can be piped into a file.
--force (won't ask for confirmation of the account)
--force-sleep int (change the default wait time of 15s)
./dist/aws-nuke-v2.14.0-linux-amd64 -c account1-config.yaml --force --force-sleep 5
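Before running the binary, especially with --force, I run a pre-flight check of the config against the account the credentials actually resolve to. The script below is an added example, not part of the original post or of aws-nuke; it assumes config.yaml has already been parsed into a dict (for instance with yaml.safe_load) and that the caller account ID and alias come from `aws sts get-caller-identity` and `aws iam list-account-aliases`. Account IDs in it are placeholders.

```python
"""Pre-flight checks on an aws-nuke config before the binary is run against an account."""

# Constructed example in the shape of the page's config.yaml after yaml.safe_load
# (account IDs and the blacklist entry are placeholders, not real accounts).
CONFIG = {
    "regions": ["ap-southeast-1", "global"],
    "account-blacklist": ["999999999999"],
    "resource-types": {"excludes": ["IAMGroup", "CloudTrailTrail", "IAMPolicy"]},
    "accounts": {
        "123565788": {
            "filters": {
                "IAMUser": ["jack"],
                "IAMRole": ["ADMIN", "DevOps"],
                "CloudFormationStack": ["core-*"],
            }
        }
    },
}

# Resource types that aws-nuke handles under the pseudo-region "global".
GLOBAL_PREFIXES = ("IAM", "Route53", "CloudFront")


def preflight(config, caller_account_id, account_alias):
    """Return the reasons not to run; an empty list means the run may proceed."""
    problems = []
    account_id = str(caller_account_id)
    accounts = config.get("accounts", {})
    # 1. The credentials in use must resolve to an account this config explicitly targets.
    if account_id not in accounts:
        problems.append(f"account {account_id} is not listed under 'accounts'")
    # 2. Honour the blacklist before aws-nuke gets a chance to.
    if account_id in {str(a) for a in config.get("account-blacklist", [])}:
        problems.append(f"account {account_id} is blacklisted")
    # 3. aws-nuke refuses accounts with no alias or an alias containing "prod"; fail early.
    if not account_alias:
        problems.append("account has no alias set")
    elif "prod" in account_alias.lower():
        problems.append(f"alias '{account_alias}' looks like production")
    filters = accounts.get(account_id, {}).get("filters", {})
    excluded = set(config.get("resource-types", {}).get("excludes", []))
    for rtype in filters:
        # 4. Filters on global types are dead config unless "global" is in regions.
        if rtype.startswith(GLOBAL_PREFIXES) and "global" not in config.get("regions", []):
            problems.append(f"filter on {rtype} has no effect without 'global' in regions")
        # 5. A filter on an excluded type never applies; it usually signals confusion.
        if rtype in excluded:
            problems.append(f"{rtype} is both excluded and filtered; the filter is redundant")
    return problems
```

Wire it in as a gate in the wrapper script: only invoke the nuke binary when preflight() returns an empty list.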
Again!
Be aware that aws-nuke is a very destructive tool, so you have to be very careful while using it. Otherwise you might delete production data!
Reference
https://github.com/rebuy-de/aws-nuke
You can find Linux and macOS binaries on the releases page; containerized versions are also provided on quay.io/rebuy/aws-nuke and docker.io/rebuy/aws-nuke (mirror).