Keeping AWS costs low with AWS Nuke

AWS, aws-nuke 2 Minutes

A common pattern in several companies using AWS services is having several distinct AWS accounts, partitioned not only by teams, but also by environments, such as develop, staging, production.

This can very easily explode your budget with not utilized resources. A classic example occurs when automated pipelines – think of terraform apply, or CI/CD procedures, etc – fail or time out, and all the resources created in the meanwhile are left behind.

Another frequent example happens in companies recently moving to the cloud. They create accounts for the sole purpose of familiarizing and educating developers on AWS and doing quick and dirty experiments. Understandably, after clicking around and creating multiple resources, it becomes hard to track exactly what was instantiated, and so unused zombie resources are left lingering around.

AWS Nuke to the rescue

There are several options for tools to assist you with cleaning up AWS environment, such as from aws-nuke from rebuy-de and cloud-nuke from gruntwork. From the documentation aws-nuke supports destroying many more AWS resources compared to cloud-nuke, which was my intended use case. However cloud-nuke is being developed with a broader scope, with support for Azure and GCP in mind. When this post was released, this still remained a declaration of intentions though.

AWS Nuke is quite easy and intuitive to work with. To install it:

export AWS_NUKE_VERSION=2.7.0
sudo apt-get install -y wget
wget https://github.com/rebuy-de/aws-nuke/releases/download/v$AWS_NUKE_VERSION/aws-nuke-v$AWS_NUKE_VERSION-linux-amd64.tar.gz –no-check-certificate
tar xvf aws-nuke-v$AWS_NUKE_VERSION-linux-amd64.tar.gz
chmod +x aws-nuke-v$AWS_NUKE_VERSION-linux-amd64
sudo mv aws-nuke-v$AWS_NUKE_VERSION-linux-amd64 /usr/local/bin/aws-nuke
# test it
aws-nuke –help

view raw
install_aws_nuke.sh
hosted with ❤ by GitHub

aws-nuke supports AWS CLI credentials, as well as profiles, something typical when managing several AWS accounts.  Here is how you can run a first scan of the resources to be deleted:

aws-nuke --config config.yaml --profile

 

When you run it for the first time you might stumble upon the following message:

aws-nuke version v2.7.0 – Fri Nov 23 10:28:30 UTC 2018 – 0b0806d56f85a329de6d1eedbf8559d46988a7f4

Error: The specified account doesn’t have an alias. For safety reasons you need to specify an account alias. Your production account should contain the term ‘prod’.

As explained here, the root cause might very likely be that you do not have a AWS account alias configured.

If things went as they should, you should be prompted with:

Do you really want to nuke the account with the ID 12345678910 and the alias ‘<your-aws-account-specific-profile>’?
Do you want to continue? Enter account alias to continue.

 

At this point two things are important to be mentioned. The first is is that depending how many resources should be removed, this might take a while. The second is that no resource will be actually deleted at this point. You should get a message similar to the following:

Scan complete: 436860 total, 436860 nukeable, 0 filtered. The above resources would be deleted with the supplied configuration. Provide –no-dry-run to actually destroy resources.

Thus, to conduct the irreversible destruction:

aws-nuke --config config.yaml --profile  --no-dry-run

Here is an example of a config.yaml template to remove all resources except a given IAM:

regions:
eu-west-1
account-blacklist:
"999999999999" # production
resource-types:
accounts:
12345678910:
filters:
IAMUser:
"admin"
"daurelio.test"
"daurelio"
IAMUserPolicyAttachment:
"admin -> AdministratorAccess"
IAMUserAccessKey:
"admin -> AKIAJTGKZRZ25FIZJEIQ"

view raw
aws_nuke_sample_config_nuke_everything_except.yaml
hosted with ❤ by GitHub

Alternatively you can also specify only some target resources to be removed. Here is an example:

regions:
eu-west-1
account-blacklist:
"999999999999" # production
resource-types:
# only nuke these three resources
targets:
S3Object
S3Bucket
EC2Instance
accounts:
12345678910:

view raw
aws_nuke_sample_config_nuke_only_target.yaml
hosted with ❤ by GitHub

That’s all for today. For more information about aws-nuke, have a look in the repository.

 

 

Published by Diogo Aurélio

I'm a freelance Cloud & Big Data Engineer working in Europe. I blog about data related topics, from collecting and transforming massive amounts of data, real-time & distributed systems, to data science. Moreover, I also blog on how to set those same systems up, always with DevOps type of approach. Mainly I try to share learnings from behind the trenches that helped me and might also help others. In case you need help to kickstart or with a current data project, feel free to reach out on linkedIn: https://de.linkedin.com/in/diogoaurelio

Published

One thought on “Keeping AWS costs low with AWS Nuke

  1. Pingback: List all your AWS resources with Go – Data Center Notes

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s