How to destroy all resources deployed in AWS using AWS Nuke?
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
Today we will discuss how to delete all the resources deployed in an AWS account using AWS Nuke. Sometimes a Terraform deployment fails and leaves orphan resources behind, or your developers need a sandbox account where they can test and then clean up afterwards. In these scenarios it is time consuming (and error prone) to delete all the resources manually. Instead, you can use AWS Nuke to destroy all the resources deployed in your AWS account at once, programmatically.
What is AWS Nuke?
AWS Nuke is an open-source tool written in Go (maintained by rebuy-de on GitHub) that helps you destroy all or selected AWS resources deployed in an AWS account. It works in two phases: it first scans the regions and resource types in scope and lists what it would delete (a dry run), and only deletes anything when you pass --no-dry-run.
How to install AWS Nuke?
Step 1: Download the latest binary
## Download the aws-nuke binary (v2.16.0 is used in this post; check the releases page for the current version)
wget -c https://github.com/rebuy-de/aws-nuke/releases/download/v2.16.0/aws-nuke-v2.16.0-linux-amd64.tar.gz
Step 2: Install AWS Nuke
## Extract the aws-nuke binary
tar -xvf aws-nuke-v2.16.0-linux-amd64.tar.gz
## Rename the extracted binary to aws-nuke
mv aws-nuke-v2.16.0-linux-amd64 aws-nuke
## Move the binary to a location which is in your $PATH
sudo mv aws-nuke /usr/local/bin/aws-nuke
## Remove the tar file
rm aws-nuke-v2.16.0-linux-amd64.tar.gz
## Test if the installation was successful
aws-nuke version
## should print the version you downloaded
AWS Nuke Syntax:
Usage:
  aws-nuke [flags]
  aws-nuke [command]

Available Commands:
  help            Help about any command
  resource-types  lists all available resource types
  version         shows version of this application

Flags:
      --access-key-id string       AWS access key ID for accessing the AWS API. Must be used together with --secret-access-key. Cannot be used together with --profile.
      --assume-role-arn string     AWS IAM role arn to assume. The credentials provided via --access-key-id or --profile must be allowed to assume this role.
  -c, --config string              (required) Path to the nuke config file.
      --default-region string      Custom default region name.
  -e, --exclude strings            Prevent nuking of certain resource types (eg IAMServerCertificate). This flag can be used multiple times.
      --force                      Don't ask for confirmation before deleting resources. Instead it waits 15s before continuing. Set --force-sleep to change the wait time.
      --force-sleep int            If specified and --force is set, wait this many seconds before deleting resources. Defaults to 15. (default 15)
  -h, --help                       help for aws-nuke
      --max-wait-retries int       If specified, the program will exit if resources are stuck in waiting for this many iterations. 0 (default) disables early exit.
      --no-dry-run                 If specified, it actually deletes found resources. Otherwise it just lists all candidates.
      --profile string             Name of the AWS profile name for accessing the AWS API. Cannot be used together with --access-key-id and --secret-access-key.
  -q, --quiet                      Don't show filtered resources.
      --secret-access-key string   AWS secret access key for accessing the AWS API. Must be used together with --access-key-id. Cannot be used together with --profile.
      --session-token string       AWS session token for accessing the AWS API. Must be used together with --access-key-id and --secret-access-key. Cannot be used together with --profile.
  -t, --target strings             Limit nuking to certain resource types (eg IAMServerCertificate). This flag can be used multiple times.
  -v, --verbose                    Enables debug output.
Use "aws-nuke [command] --help" for more information about a command.
How to configure AWS Nuke?
AWS Nuke Authentication:
There are two ways to authenticate aws-nuke: static credentials or a named profile. The latter is configured in the shared credentials file (~/.aws/credentials) or the shared config file (~/.aws/config).
To use static credentials, the command line flags --access-key-id and --secret-access-key are required. The flag --session-token is only required for temporary sessions.
To use a shared profile, the command line flag --profile is required. The profile must be defined either with static credentials in the shared credentials file, or in the shared config file with a role to assume.
Whichever method you use, remember that aws-nuke needs permission to list and delete every resource in scope, so these credentials are effectively administrator credentials for the account. Keep them out of shell history and CI logs, and prefer short-lived credentials (a profile that assumes a role, or --assume-role-arn) over long-lived access keys where you can.
Step 1: Create an IAM user with admin access in the sandbox account you intend to nuke (never in a shared or production account).
https://cloudaffaire.com/iam-users/
Step 2: Install AWS CLI
https://cloudaffaire.com/how-to-install-aws-cli/
Step 3: Configure AWS Nuke authentication
## Configure aws credentials
aws configure --profile aws_nuke
#AWS Access Key ID [None]: <YOUR_ACCESS_KEY>
#AWS Secret Access Key [None]: <YOUR_SECRET_KEY>
#Default region name [None]: <YOUR_REGION>
#Default output format [None]: <YOUR_OUTPUT>
## Validate aws credentials
cat ~/.aws/credentials
## [aws_nuke]
## aws_access_key_id = <YOUR_ACCESS_KEY>
## aws_secret_access_key = <YOUR_SECRET_KEY>
cat ~/.aws/config
## [profile aws_nuke]
## region = <YOUR_REGION>
## output = <YOUR_OUTPUT>
aws sts get-caller-identity --profile aws_nuke
## should return the IAM user's ARN and the account ID; confirm it is the sandbox account before going any further
AWS Nuke Configuration:
Regions: Restrict the scope of AWS Nuke to particular regions. The pseudo-region "global" covers global resource types such as IAM; a region is only scanned if it is listed here, so leaving "global" out keeps IAM resources (including the user you run aws-nuke as) out of scope.
Example:
---
regions: # restrict aws nuke to particular regions
  - "global"     # all global resource types, e.g. IAM
  - "eu-west-1"  # individual region code for regional resource types, e.g. EC2
  - "ap-south-1"
Resource-types: Restrict the scope of AWS Nuke to particular resource types. Run aws-nuke resource-types to list the valid names.
Example:
---
resource-types: # restrict aws nuke to particular resource types
  targets:
    - IAMUser
    - S3Bucket
Accounts: The AWS accounts AWS Nuke is allowed to run against. aws-nuke checks the ID of the account it is actually authenticated to against this list and refuses to run if it is not present.
Example:
---
accounts: # AWS accounts where AWS Nuke gets executed
  "111111111111": {}
  "222222222222": {}
Account-blocklist: Accounts AWS Nuke must never touch. The blocklist is mandatory: aws-nuke refuses to start unless at least one account is blocklisted, and an account that appears in both accounts and account-blocklist is an error. Put your production account IDs here.
Example:
---
account-blocklist: # AWS accounts where AWS Nuke does not get executed
  - "000000000000"
  - "999999999999"
Filters: Exclude specific resources from AWS Nuke. AWS Nuke will not destroy a resource that matches a filter clause. A filter entry given as a plain string is compared with the resource's string form (for example "admin" for an IAMUser, or "s3://my-bucket" for an S3Bucket); a property/value entry is compared with one of the properties that resource type exposes. Note that a filter naming a property the resource type does not have (for example RoleName on an IAMUserPolicyAttachment, which exposes UserName) matches nothing, so the resource is deleted anyway. Always confirm in the dry run that the resources you meant to keep are reported as filtered.
Example:
---
accounts: # AWS accounts where AWS Nuke gets executed
  "111111111111":
    filters: # exclude particular resources from aws nuke
      IAMUser:
        - "admin"
      IAMUserPolicyAttachment:
        - property: UserName
          value: "admin"
      IAMUserAccessKey:
        - property: UserName
          value: "admin"
      S3Bucket:
        - "s3://my-bucket"
AWS Nuke Config File Example:
---
regions: # restrict aws nuke to particular regions
  - "global"     # all global resource types, e.g. IAM
  - "eu-west-1"  # individual region code for regional resource types, e.g. EC2
resource-types: # restrict aws nuke to particular resource types
  targets:
    - IAMUser
    - S3Bucket
account-blocklist: # AWS accounts where AWS Nuke does not get executed
  - "000000000000"
  - "999999999999"
accounts: # AWS accounts where AWS Nuke gets executed
  "111111111111":
    filters: # exclude particular resources from aws nuke
      IAMUser:
        - "admin"
      IAMUserPolicyAttachment:
        - property: UserName
          value: "admin"
      IAMUserAccessKey:
        - property: UserName
          value: "admin"
      S3Bucket:
        - "s3://my-bucket"
  "222222222222": {}
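The config file is the only thing standing between aws-nuke and your own access keys, so it is worth generating it from a template and linting it before use. The following script is an added example written for this post, not code from the aws-nuke project: write_nuke_config prints a config that targets one account and one region while filtering out the admin user, its policy attachment and its access keys, and check_nuke_config refuses a config that has an empty account-blocklist, an account declared as {} (no filters at all), or a missing filter for any of the three admin-user resource types. The account IDs, region and user name are placeholders; the lint is a plain-text check of the YAML, not a reimplementation of aws-nuke's parser.

```shell
#!/bin/sh
# Generate an aws-nuke config that keeps the operator's own admin user alive,
# then lint it before it is ever passed to aws-nuke.
# Added example for this post, not part of aws-nuke. Account IDs, region and
# user name below are placeholders supplied by the caller.

# write_nuke_config ACCOUNT_ID REGION ADMIN_USER BLOCKED_ACCOUNT
# Prints a config scoped to one account and one region (plus "global" so IAM
# is in scope) that excludes the admin user, its policy attachment and its
# access keys. The property names UserName are the ones these IAM resource
# types expose; RoleName would silently match nothing.
write_nuke_config() {
  cat <<EOF
---
regions:
  - "global"
  - "$2"
account-blocklist:
  - "$4"
accounts:
  "$1":
    filters:
      IAMUser:
        - "$3"
      IAMUserPolicyAttachment:
        - property: UserName
          value: "$3"
      IAMUserAccessKey:
        - property: UserName
          value: "$3"
EOF
}

# check_nuke_config FILE
# Returns 0 when the config has a non-empty account-blocklist, no account
# declared as "{}", and filters for the admin IAMUser, its policy attachment
# and its access keys. Returns 1 and prints what is missing otherwise.
check_nuke_config() {
  cfg="$1"
  ok=0
  # blocklist is non-empty when a "- " item directly follows the key
  if ! awk '/^account-blocklist:/ {f=1; next}
            f && /^ *- /          {found=1; exit}
            f && !/^ *- /         {f=0}
            END                   {exit !found}' "$cfg"; then
    echo "missing: non-empty account-blocklist"; ok=1
  fi
  # an account written as 'ID: {}' has no filters, so nothing is protected
  if grep -Eq '^ +"?[0-9]{12}"?: *\{ *\}' "$cfg"; then
    echo "missing: account declared with {} (no filters)"; ok=1
  fi
  for key in IAMUser IAMUserPolicyAttachment IAMUserAccessKey; do
    grep -Eq "^ +$key:" "$cfg" || { echo "missing: filter for $key"; ok=1; }
  done
  return $ok
}

# Usage: sh nuke-config.sh 111111111111 eu-west-1 admin 999999999999 > aws_nuke_config.yaml
#        check_nuke_config aws_nuke_config.yaml
if [ "$#" -eq 4 ]; then
  write_nuke_config "$@"
fi
```

Run check_nuke_config on every config before the real run, and treat a non-zero exit as a hard stop. The lint is deliberately strict about {}: an account with no filters is exactly the shape that deletes the user you are running as once "global" is in the regions list.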
Destroy AWS resources using AWS Nuke:
Step 1: Create an account alias for your AWS account. aws-nuke refuses to run against an account that has no alias, refuses if the alias contains the string "prod", and asks you to type the alias back as confirmation before it proceeds.
## Create an alias name for your AWS account
aws iam create-account-alias --profile aws_nuke --account-alias test-account-1-cloudaffaire
Step 2: Create a config file for AWS Nuke. This demo config covers only eu-west-1, so global resources such as the IAM user you are running as stay out of scope; everything in eu-west-1 is fair game because the account entry has no filters.
## Create AWS Nuke config file
AWS_ACCOUNT_ID=<YOUR_AWS_ACCOUNT_ID>
cat << EOF > aws_nuke_config.yaml
---
regions:
  - "eu-west-1"
accounts:
  "$AWS_ACCOUNT_ID": {} # test-account-1-cloudaffaire
account-blocklist:
  - "999999999999" # production
EOF
Step 3: Check what resources will get destroyed by AWS Nuke. Without --no-dry-run, aws-nuke only scans and lists candidates; read this list carefully.
## Check what resources will get destroyed by AWS Nuke
aws-nuke -c aws_nuke_config.yaml --profile aws_nuke
## Do you really want to nuke the account with the ID 152549507332 and the alias 'test-account-1-cloudaffaire'?
## Do you want to continue? Enter account alias to continue.
## > test-account-1-cloudaffaire
## ... list of resources that would be destroyed, one per line ...
## Scan complete: 64 total, 8 nukeable, 56 filtered.
## The above resources would be deleted with the supplied configuration. Provide --no-dry-run to actually destroy resources.
Warning: Do not execute the command below without a proper config file, or you may lose access to your own AWS account (aws-nuke will happily delete the IAM user and access keys it is running as). The config above is for demo purposes only. If you want to test AWS Nuke, make sure at least one IAM user, its policy attachment and its access keys are excluded via filters, or restrict the scope to particular regions, resource types and resources, and confirm in the dry run that those resources are reported as filtered.
Step 4: Destroy all resources in your AWS account using AWS Nuke.
## Destroy all resources in your AWS account using AWS Nuke
aws-nuke -c aws_nuke_config.yaml --profile aws_nuke --no-dry-run
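For repeated sandbox clean-ups it is safer to wrap steps 3 and 4 in a script that checks where the credentials actually point, runs the dry run first, parses the "Scan complete" summary and only passes --no-dry-run when the number of nukeable resources is within an expected limit. The script below is an added example for this post, not code from the aws-nuke project. It relies only on flags and output shown above (--force, --force-sleep, --no-dry-run, the "Scan complete: N total, M nukeable, K filtered." line and aws sts get-caller-identity); the profile name, config path, the expected account ID and the limit are placeholders passed in by the caller, and SAMPLE_SCAN_OUTPUT is constructed from the dry-run output shown above so that the parser can be exercised without calling AWS.

```shell
#!/bin/sh
# Guarded aws-nuke run: confirm the credentials resolve to the intended
# account, dry run first, parse the summary, and only then delete.
# Added example for this post, not part of aws-nuke. Profile, config path,
# expected account ID and the limit are placeholders supplied by the caller.

# Constructed sample of dry-run output, modelled on the output shown above.
SAMPLE_SCAN_OUTPUT='Do you really want to nuke the account with the ID 111111111111 and the alias '"'"'test-account-1'"'"'?
Scan complete: 64 total, 8 nukeable, 56 filtered.
The above resources would be deleted with the supplied configuration.'

# nukeable_count: read aws-nuke output on stdin and print the "nukeable"
# number from "Scan complete: N total, M nukeable, K filtered.".
# Prints nothing if the line is absent (e.g. the run failed before scanning).
nukeable_count() {
  sed -n 's/.*Scan complete: [0-9][0-9]* total, \([0-9][0-9]*\) nukeable.*/\1/p' | tail -n 1
}

# within_limit COUNT MAX: succeeds when COUNT is a number no larger than MAX.
# An empty or non-numeric COUNT fails closed.
within_limit() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le "$2" ]
}

# caller_account PROFILE: account ID the profile resolves to (needs the AWS CLI).
caller_account() {
  aws sts get-caller-identity --profile "$1" --query Account --output text
}

# guarded_nuke CONFIG PROFILE EXPECTED_ACCOUNT MAX
guarded_nuke() {
  cfg="$1"; profile="$2"; expected="$3"; max="$4"
  actual=$(caller_account "$profile") || {
    echo "cannot resolve account for profile $profile"; return 1; }
  if [ "$actual" != "$expected" ]; then
    echo "refusing: profile $profile is account $actual, expected $expected"
    return 1
  fi
  log="aws-nuke-dry-run-$(date +%Y%m%d%H%M%S).log"
  # Dry run. --force replaces the alias prompt with a short wait so the
  # script is non-interactive; without --no-dry-run nothing is deleted.
  aws-nuke -c "$cfg" --profile "$profile" --force --force-sleep 3 2>&1 | tee "$log"
  count=$(nukeable_count < "$log")
  if ! within_limit "$count" "$max"; then
    echo "refusing: nukeable count '${count:-unknown}' exceeds limit $max (see $log)"
    return 1
  fi
  echo "dry run found $count nukeable resources; deleting in 15s (Ctrl-C to abort)"
  aws-nuke -c "$cfg" --profile "$profile" --no-dry-run --force --force-sleep 15
}

# Usage: sh nuke-guard.sh aws_nuke_config.yaml aws_nuke 111111111111 50
if [ "$#" -eq 4 ]; then
  guarded_nuke "$@"
fi
```

Pick the limit from what the dry run normally reports for the sandbox (8 in the run above); a sudden jump means either the config changed or the credentials landed somewhere you did not expect, and either way you want a human to look before --no-dry-run runs. The dry-run log is kept on disk so there is a record of exactly what was about to be deleted.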
Hope you have enjoyed this article. For more details on AWS Nuke, including the full list of supported resource types and filter options, please refer to the official documentation below.
https://github.com/rebuy-de/aws-nuke