Nuke'em all using cloud-nuke !!!!

Hello LinkedIn world

We often run into scenarios where we:

  • Start using an AWS account for some random testing and next thing we know that the account is already couple of years old with resources created across different regions
  • Want to delete all the resources before closing an account
  • Re-purpose the AWS Account for some other functionality

If you are in a similar situation and feel like just deleting, aka "nuking", all the resources and starting over on a clean slate, then cloud-nuke is the answer.

cloud-nuke

cloud-nuke is a command line utility which can be used to delete/nuke AWS resources. (https://github.com/gruntwork-io/cloud-nuke)

cloud-nuke is a tool that automates the process of deleting all resources in an AWS account, including EC2 instances, RDS databases, S3 buckets, and more. Here are some benefits of using cloud-nuke utilities:

  1. Speed: With cloud-nuke, you can delete all resources in an AWS account in just a few minutes, which would otherwise take hours or even days to do manually.
  2. Consistency: cloud-nuke ensures that all resources are deleted consistently and in the correct order, reducing the risk of manual errors or inconsistencies.
  3. Safety: The tool provides several safety features, such as the ability to exclude specific resources or entire regions, so that you don't accidentally delete anything you need to keep.
  4. Cost Savings: Deleting unused or redundant resources can help reduce AWS costs, and cloud-nuke makes it easy to identify and delete those resources in a consistent manner.
  5. Ease of use: With cloud-nuke, you can delete all resources in an AWS account with a single command, making it much easier and faster than doing it manually.

By using cloud-nuke utilities, you can simplify and automate the process of deleting resources in an AWS account, ensuring consistency, safety, and compliance, and potentially reducing costs.

There are a few other solutions in the market, but cloud-nuke is by far the easiest to use.

Let's see how we can use cloud-nuke to delete all the resources.

CAUTION: cloud-nuke is a very destructive tool; it will literally nuke the account. So, please use it with caution.

Installation

It is relatively easy to download and use on Linux; just make sure you have Homebrew installed.

Run:

brew install cloud-nuke

Verify cloud-nuke by running the below command:

cloud-nuke

(Image: cloud-nuke command)

Preparing Control Tower and AWS Organizations

Now, before we go berserk, let's prepare the environment first.

In most cases, these accounts are part of an AWS Organization and Control Tower, which means the accounts may have SCPs attached to them that can cause issues when deleting resources.

So, let's isolate this account first. Create a new OU named nuke (or any other name you like) and move the account which needs nuking into this newly created OU. Please make sure to do this via Control Tower; otherwise Control Tower may start throwing non-compliance error messages.

Once the OU is created and the account is moved underneath it, check the SCPs attached to it; you can use AWS Organizations to do this.

You may have something similar to the below:

(Image: AWS Organizations OU policies)

As you can see, I have two guardrails attached to my nuke OU. These guardrails are generated and created by Control Tower, and they will cause issues when we try to delete the resources. There is no other easy way to do this, but a quick and easy fix is to "detach" these guardrails from the OU.

I know, I know, not a pretty way, but I will also show you how to re-attach these guardrails.

So, let's continue.

Once you detach the guardrails, your nuke OU should look like this:

(Image: nuke OU after detaching the guardrails)

Now the account is ready to be nuked.

Credentials

We need to set up credentials which have the required access to delete the resources.

We need Administrator Access to delete all the resources. To be on the safe side and to make sure that you only have access to that particular account, create a new user called nuke-user in the account which needs to be nuked, assign this user administrator rights and create access keys. Use these access keys to configure a profile on your machine.

Now run aws s3 ls to make sure that the command returns the buckets from the account which needs nuking.


It's Showtime

Run the following command

cloud-nuke aws --list-resource-types

The above command will output the services supported by cloud-nuke.


If there are any specific resources which you want to retain, like IAM users, S3 buckets etc., you can use the following command to exclude them:

cloud-nuke aws --exclude-resource-type iam --exclude-resource-type iam-role --exclude-resource-type iam-policy --dry-run

In the above example, I excluded a few different IAM resources; you can add any of the supported services to the exclude list.

I have also used the --dry-run flag. With this flag nothing is deleted; it only outputs the resources which would be deleted.

To target a particular resource type, you can use the --resource-type flag. For example, if you would like to delete all the S3 buckets, you can use the following command:

cloud-nuke aws --resource-type s3


If you would like to delete resources from a particular region, you can use the --region flag.

cloud-nuke aws --region ap-southeast-2

If you don't use the --region flag, cloud-nuke will go into each region and delete the resources there, pretty cool and scary at the same time :).

On running the above command without the --dry-run flag, cloud-nuke will ask you one last time to confirm:

(Image: cloud-nuke confirmation prompt)

Confirm it by typing "nuke" (I felt really badass when I typed it :D)

Once the deletion process is completed, you will get a tabular output which will show the successfully deleted resources.
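The two checks a practitioner wants wrapped around the steps above are "am I really pointed at the account I mean to nuke?" and "did I dry-run first?". The following POSIX shell script is an added example written for this article; it is not part of cloud-nuke or the author's own workflow. It assumes an AWS CLI profile named nuke (configured from the nuke-user access keys), an environment variable NUKE_ACCOUNT_ID holding the 12-digit account id you intend to nuke, and a hypothetical list of IAM resource types to keep. Only flags that appear on this page (--region, --exclude-resource-type, --dry-run) are used; the sample identity JSON is constructed, not real output.

```shell
#!/bin/sh
# Guarded cloud-nuke run: confirm the profile resolves to the intended
# account, always dry-run first, and only then run for real.
# Assumptions for this example: profile "nuke", env var NUKE_ACCOUNT_ID,
# region ap-southeast-2 and the IAM exclusion list below.
set -eu

# Pull the "Account" field out of `aws sts get-caller-identity` JSON.
# Plain sed, so it works without jq; prints the 12-digit account id.
account_from_identity_json() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p' \
    | head -n 1
}

# Succeed only when the caller identity belongs to the expected account.
# This is the guard that stops a mis-configured profile nuking the wrong account.
verify_target_account() {
  expected="$1"
  identity_json="$2"
  actual=$(account_from_identity_json "$identity_json")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Build the cloud-nuke argument list: a region, a space-separated list of
# resource types to keep (turned into --exclude-resource-type flags), and a
# mode of "dry-run" or "real". Printed as one line for use with $(...).
build_nuke_args() {
  region="$1"
  keep="$2"
  mode="$3"
  args="aws --region $region"
  for t in $keep; do
    args="$args --exclude-resource-type $t"
  done
  if [ "$mode" = "dry-run" ]; then
    args="$args --dry-run"
  fi
  printf '%s\n' "$args"
}

# Constructed sample of `aws sts get-caller-identity` output (fake ids),
# used so the helpers can be exercised offline.
SAMPLE_IDENTITY='{
    "UserId": "AIDAEXAMPLEEXAMPLEEXA",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/nuke-user"
}'

# Live run, skipped when the CLIs or NUKE_ACCOUNT_ID are absent so the
# script also runs offline. The real cloud-nuke invocation still prompts
# for the literal word "nuke" before deleting anything.
KEEP_TYPES="iam iam-role iam-policy"   # hypothetical list of types to retain
if command -v aws >/dev/null 2>&1 && command -v cloud-nuke >/dev/null 2>&1 \
   && [ -n "${NUKE_ACCOUNT_ID:-}" ]; then
  identity=$(aws sts get-caller-identity --profile nuke --output json)
  if ! verify_target_account "$NUKE_ACCOUNT_ID" "$identity"; then
    echo "refusing to run: profile 'nuke' is not account $NUKE_ACCOUNT_ID" >&2
    exit 1
  fi
  # shellcheck disable=SC2046  # word splitting of the argument list is intended
  cloud-nuke $(build_nuke_args ap-southeast-2 "$KEEP_TYPES" dry-run)
  cloud-nuke $(build_nuke_args ap-southeast-2 "$KEEP_TYPES" real)
fi
```

Run it with AWS_PROFILE pointing nowhere else and NUKE_ACCOUNT_ID set to the target account; the account check is deliberately separate from the aws s3 ls sanity check in the article, because a bucket listing tells you the keys work, not which account they belong to.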

(Image: cloud-nuke output)

As promised, we need to fix the "nuke" OU as well. Remember we removed the guardrails?

So, in order to fix that, simply go to Control Tower, click on that OU, and you will see a message similar to the one below; click on "Re-Register OU". This should reinstate the guardrails. Going forward, you can use this OU any time you want to nuke another account.

PLEASE NOTE: Cloud-nuking can be very destructive; please communicate and consult with your team before nuking.

Aaron Wallis

Why hello there.

2 years

Dude, I literally destroyed two organisations today and all the child accounts across my labs, this would have saved me my lunch break and asking AWS to increase my cancellation quota. Do you mind......:)


More articles by Dinesh Sharma
