Nuke'em all using cloud-nuke !!!!
Dinesh Sharma
AWS Regional Practice Lead | AWS Ambassador | Puluminary | AWS Community Builder | Mentor | IaC Ninja | Desi | PB13 | RJ19
Hello LinkedIn world
We often have scenarios where we:
If you are in a similar situation and feel like just deleting, aka "nuking", all the resources and starting over on a clean slate, then cloud-nuke is the answer.
cloud-nuke
cloud-nuke is a command line utility which can be used to delete/nuke AWS resources. (https://github.com/gruntwork-io/cloud-nuke)
cloud-nuke is a tool that automates the process of deleting all resources in an AWS account, including EC2 instances, RDS databases, S3 buckets, and more. Here are some benefits of using cloud-nuke utilities:
By using cloud-nuke utilities, you can simplify and automate the process of deleting resources in an AWS account, ensuring consistency, safety, and compliance, and potentially reducing costs.
There are a few other solutions in the market, but cloud-nuke is by far the easiest to use.
Let's see how we can use cloud-nuke to delete all the resources.
CAUTION: cloud-nuke is a very destructive tool; it will literally nuke the account. So, please use it with caution.
Installation
It is relatively easy to download and use on Linux; just make sure you have Homebrew installed.
Run:
brew install cloud-nuke
Verify cloud-nuke by running the below command:
cloud-nuke
Preparing Control Tower and AWS Organizations
Now, before we go berserk, let's prepare the environment first.
In most cases, these accounts are part of an AWS Organization and Control Tower, which means the accounts may have SCPs attached that can cause issues when deleting resources.
So, let's isolate this account first. Create a new OU with the name nuke, or any other name you like. Move the account which needs nuking into this newly created OU. Please make sure to do this via Control Tower, as doing it elsewhere may cause Control Tower to start throwing non-compliance error messages.
Once the OU is created and the account is moved underneath it, check the SCPs attached to it; you can use AWS Organizations to do this.
You may have something similar to the below:
As you can see, I have two guardrails attached to my nuke OU. These guardrails are generated and created by Control Tower, and they will cause issues when we try to delete the resources. There is no other easy way around this, but the quick and easy fix is to "detach" these guardrails from the OU.
I know, I know not a pretty way, but I will also show you the way to re-attach these guardrails.
So, lets continue.
Once, you detach the guardrails, your nuke OU should look like this:
Now the account is ready to be nuked.
Credentials
We need to set up credentials that have the required access to delete the resources.
We need Administrator Access to delete all the resources. To be on the safe side, and to make sure that you only have access to that particular account, create a new user called nuke-user in the account which needs to be nuked, assign this user administrator rights and create access keys. Use these access keys to configure the profile on your machine.
Now, run aws s3 ls to make sure that the command returns the buckets from the account which needs nuking.
It's Showtime
Run the following command
cloud-nuke aws --list-resource-types
The above command will output the services supported by cloud-nuke.
If there are any specific resources you may want to retain, like IAM users or S3 buckets, you can use the following command to exclude them:
cloud-nuke aws --exclude-resource-type iam --exclude-resource-type iam-role --exclude-resource-type iam-policy --dry-run
In the above example, I excluded a few different IAM resources; you can add any of the supported services to the exclude list.
I have also used the --dry-run flag. With this flag you will not delete anything; it will just output the resources which would be deleted.
To target a particular resource type, use the --resource-type flag. For example, if you would like to delete all the S3 buckets, you can use the following command:
cloud-nuke aws --resource-type s3
If you would like to delete resources from a particular region, you can use the --region flag.
cloud-nuke aws --region ap-southeast-2
If you don't use the --region flag, cloud-nuke will go through each region and delete the resources, pretty cool and scary at the same time :).
On running the above command without the --dry-run flag, cloud-nuke will ask you one last time to confirm:
Confirm it by typing "nuke" (I felt really badass when I typed it :D)
Once the deletion process is completed, you will get a tabular output which will show the successfully deleted resources.
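As an added example, not from the post or the cloud-nuke project, here is a small bash wrapper around the steps above: it checks via aws sts get-caller-identity that the configured credentials really belong to the account you intend to nuke, always performs a --dry-run with the exclude list first, and requires typing "nuke" before running for real. The expected account id, the NUKE_GUARD_RUN variable and the script name are assumptions.

```bash
#!/usr/bin/env bash
# Added guard script around the cloud-nuke workflow in the post (not the
# project's own code). Assumptions: the operator passes the expected 12-digit
# account id followed by the resource types to keep; `aws` and `cloud-nuke`
# are on PATH. AWS calls only run when NUKE_GUARD_RUN=1 is set.
set -euo pipefail

# Return 0 only when the account we are authenticated to is the one we mean
# to nuke. Empty, non-numeric or wrong-length ids are rejected outright.
account_matches() {
  local expected="$1" actual="$2"
  case "$expected" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#expected}" -eq 12 ] && [ "$expected" = "$actual" ]
}

# Emit one --exclude-resource-type flag per type to keep (the post keeps
# iam, iam-role and iam-policy so the nuke-user survives the run).
build_exclude_args() {
  [ "$#" -eq 0 ] && return 0
  printf -- '--exclude-resource-type %s\n' "$@"
}

# Full workflow: verify identity, dry run, then a second "nuke" confirmation
# on top of cloud-nuke's own prompt before anything is deleted.
run_guarded_nuke() {
  local expected="$1"; shift
  local actual answer
  actual="$(aws sts get-caller-identity --query Account --output text)"
  if ! account_matches "$expected" "$actual"; then
    echo "refusing: authenticated to '$actual', expected '$expected'" >&2
    return 1
  fi
  # shellcheck disable=SC2046  # word splitting of the flag list is intended
  cloud-nuke aws --dry-run $(build_exclude_args "$@")
  read -r -p 'Dry run shown above. Type "nuke" to delete for real: ' answer
  [ "$answer" = "nuke" ] || { echo "aborted" >&2; return 1; }
  cloud-nuke aws $(build_exclude_args "$@")
}

if [ "${NUKE_GUARD_RUN:-0}" = "1" ]; then
  # Usage: NUKE_GUARD_RUN=1 ./nuke-guard.sh 123456789012 iam iam-role iam-policy
  run_guarded_nuke "$@"
fi
```

Run it with the nuke-user profile active (AWS_PROFILE) so the identity check exercises the same credentials cloud-nuke will use.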
As promised, we need to fix the "nuke" OU as well. Remember we removed the guardrails?
So, in order to fix that, simply go to Control Tower, click on that OU, and you will see a message similar to the one below; click on "Re-Register OU". This should reinstate the guardrails. Going forward, you can use this OU any time you want to nuke another account.
PLEASE NOTE: Cloud-nuking can be very destructive, please communicate and consult with your team before nuking.
WHy hello ther.
2 years
Dude, I literally destroyed two organisations today and all the child accounts across my labs, this would have saved me my lunch break and asking AWS to increase my cancellation quota. Do you mind......:)