A common pattern in several companies using AWS services is having several distinct AWS accounts, partitioned not only by teams, but also by environments, such as develop, staging, production.
This can very easily explode your budget with not utilized resources. A classic example occurs when automated pipelines – think of terraform apply, or CI/CD procedures, etc – fail or time out, and all the resources created in the meanwhile are left behind.
Another frequent example happens in companies recently moving to the cloud. They create accounts for the sole purpose of familiarizing and educating developers on AWS and doing quick and dirty experiments. Understandably, after clicking around and creating multiple resources, it becomes hard to track exactly what was instantiated, and so unused zombie resources are left lingering around.
AWS Nuke to the rescue
There are several options for tools to assist you with cleaning up AWS environment, such as from aws-nuke from rebuy-de and cloud-nuke from gruntwork. From the documentation aws-nuke supports destroying many more AWS resources compared to cloud-nuke, which was my intended use case. However cloud-nuke is being developed with a broader scope, with support for Azure and GCP in mind. When this post was released, this still remained a declaration of intentions though.
AWS Nuke is quite easy and intuitive to work with. To install it:
|sudo apt-get install -y wget|
|wget https://github.com/rebuy-de/aws-nuke/releases/download/v$AWS_NUKE_VERSION/aws-nuke-v$AWS_NUKE_VERSION-linux-amd64.tar.gz –no-check-certificate|
|tar xvf aws-nuke-v$AWS_NUKE_VERSION-linux-amd64.tar.gz|
|chmod +x aws-nuke-v$AWS_NUKE_VERSION-linux-amd64|
|sudo mv aws-nuke-v$AWS_NUKE_VERSION-linux-amd64 /usr/local/bin/aws-nuke|
|# test it|
aws-nuke supports AWS CLI credentials, as well as profiles, something typical when managing several AWS accounts. Here is how you can run a first scan of the resources to be deleted:
aws-nuke --config config.yaml --profile
When you run it for the first time you might stumble upon the following message:
aws-nuke version v2.7.0 – Fri Nov 23 10:28:30 UTC 2018 – 0b0806d56f85a329de6d1eedbf8559d46988a7f4
Error: The specified account doesn’t have an alias. For safety reasons you need to specify an account alias. Your production account should contain the term ‘prod’.
As explained here, the root cause might very likely be that you do not have a AWS account alias configured.
If things went as they should, you should be prompted with:
Do you really want to nuke the account with the ID 12345678910 and the alias ‘<your-aws-account-specific-profile>’?
Do you want to continue? Enter account alias to continue.
At this point two things are important to be mentioned. The first is is that depending how many resources should be removed, this might take a while. The second is that no resource will be actually deleted at this point. You should get a message similar to the following:
Scan complete: 436860 total, 436860 nukeable, 0 filtered. The above resources would be deleted with the supplied configuration. Provide –no-dry-run to actually destroy resources.
Thus, to conduct the irreversible destruction:
aws-nuke --config config.yaml --profile --no-dry-run
Here is an example of a config.yaml template to remove all resources except a given IAM:
|– "999999999999" # production|
|– "admin -> AdministratorAccess"|
|– "admin -> AKIAJTGKZRZ25FIZJEIQ"|
Alternatively you can also specify only some target resources to be removed. Here is an example:
|– "999999999999" # production|
|# only nuke these three resources|
That’s all for today. For more information about aws-nuke, have a look in the repository.