Nuke'em all using cloud-nuke !!!!

Hello LinkedIn world

We often have scenarioswhere we:

• Start using an AWS account for some random testing and next thing we know that the account is already couple of years old with resources created across different regions
• Want to delete all the resources before closing an account
• Re-purpose the AWS Account for some other functionality

If you are in a similar situation as above and you feel like just deleting aka "nuking" all the resources and starting over again on an empty slate.

Then, cloud-nuke is the answer.

cloud-nuke

cloud-nuke is a command line utility which can be used to delete/nuke AWS resources. (https://github.com/gruntwork-io/cloud-nuke)

cloud-nuke is a tool that automates the process of deleting all resources in an AWS account, including EC2 instances, RDS databases, S3 buckets, and more. Here are some benefits of using cloud-nuke utilities:

1. Speed: With cloud-nuke, you can delete all resources in an AWS account in just a few minutes, which would otherwise take hours or even days to do manually.
2. Consistency: cloud-nuke ensures that all resources are deleted consistently and in the correct order, reducing the risk of manual errors or inconsistencies.
3. Safety: The tool provides several safety features, such as the ability to exclude specific resources or entire regions, so that you don't accidentally delete anything you need to keep.
4. Cost Savings: Deleting unused or redundant resources can help reduce AWS costs, and cloud-nuke makes it easy to identify and delete those resources in a consistent manner.
5. Ease of use: With cloud-nuke, you can delete all resources in an AWS account with a single command, making it much easier and faster than doing it manually.

By using cloud-nuke utilities, you can simplify and automate the process of deleting resources in an AWS account, ensuring consistency, safety, and compliance, and potentially reducing costs.

There are few other solutions in the market, but cloud-nuke is by far the easiest to use.

Let's see how we can use cloud-nuke to delete all the resources.

CAUTION: cloud-nuke is a very destructive tool, it will literally nuke the account. So, please use it with precaution.

Installation

It is relatively easier to download and use on linux, just make sure you have homebrew installed.

Run:

brew install cloud-nuke        

Verify cloud-nuke by running the below command:

cloud-nuke        

Preparing Control Tower and AWS Organizations

Now before we go berserk, lets prepare the environment first.

In most cases, these accounts are part of AWS Organization and Control Tower. Which means the accounts may have some SCPs attached to it which can cause issues with deleting resources.

So, lets isolate this account first. Create a new OU by the name nuke or any other name you may like. Move the account (which needs nuking) into thie newly created OU. Please make sure to do this via control tower, as control tower may start throwing some non-compliant error messages.

Once, the OU is created and account is moved underneath it. Check the SCPs attached to it, you can use AWS Organizations to do this.

You may have something similar to the below:

As you can see I have two guardrails attached to my nuke OU. These guardrails are generated and created by control tower. These Guardrails will cause issues when we try to delete the resources. There is no other easy to do this, but quick and easy fix would be "detach" these guardrails from OU.

I know, I know not a pretty way, but I will also show you the way to re-attach these guardrails.

So, lets continue.

Once, you detach the guardrails, your nuke OU should look like this:

Now the account is ready to be nuked.

Credentials

We need to setup credentials which has the required access to delete the resources.

We need to have Administrator Access to delete all the resources. To be on the safe side and to make sure that you only have the access to a particular account, create a new user called nuke-user in the account which needs to be nuked, assign this user the administrator rights and create the access keys. Use these access keys to configure the profile on your machine.

Now, run aws s3 ls, to make sure that the commands returns the buckets from the account which needs nuking.

It's Showtime

Run the following command

?cloud-nuke aws --list-resource-types        

The above command will output the the supported services by cloud-nuke.

If there any specific resources which may want to retain like IAM user, S3 bucket etc; you can use the following command to exclude:

cloud-nuke aws --exclude-resource-type iam --exclude-resource-type iam-role --exclude-resource-type iam-policy --dry-ru

n        

In the above example, I excluded few different IAM resources, you can include any of the supported services into the exclude list.

I have also used --dry-run flag, by using this flag you will not delete anything. It will just output the resources which will be deleted.

You can target a particular resource type, you can use the --resource-type flag, for eg: if you would like to delete all the s3 buckets, you can use the following command:

cloud-nuke aws --resource-type s3        

If you would like to delete resources from a particular region, you use use the --region flag.

cloud-nuke aws --region ap-southeast-2        

If you don't use the --region flag, cloud-nuke will go inside each region and delete the resources, pretty cool and scary at the same time :).

On, running the above command without the --dry-run flag, cloud-nuke will ask you for one last time to confirm:

Confirm it by typing "nuke" (I felt really badass when I typed it :D)

Once the deletion process is completed, you will get a tabular output which will show the successfully deleted resources.

As promised, we need to fix the "nuke" OU as well. Remember we removed the guardrails?

So, in order to fix that, simply go to the control tower, click on that OU, you will see a similar message as below, click on "Re-Register OU". This should re-instate the guardrails. Going forward you use use this OU anytime you want to nuke any other account.

PLEAE NOTE: Cloud-nuking can be very destructive, please communicate and consult with your team before nuking.