AWS Nuke ☢️💥 - How to use it?

A Step-by-Step Guide to Clean Up Your AWS Accounts.

In the earlier post, we covered what aws-nuke is and why and when you should use it.

In this post, we'll walk through how to install and use aws-nuke to keep your AWS accounts tidy.

🔍 Finding the Right Version of AWS-Nuke

aws-nuke is a command-line tool that deletes AWS resources automatically. It is well suited to cleaning up development and staging accounts, or resetting many disposable accounts at once. 💼

There are two versions of aws-nuke you'll come across:

  1. The original by rebuy-de, which is now deprecated (⛔).

  2. The actively maintained fork by ekristen (ekristen/aws-nuke on GitHub), which is the one we'll use in this guide (✅).

We'll focus on that fork, which is free to use under the MIT license; its documentation is published alongside the repository.

🔧 Installing AWS-Nuke

There are two main ways to install aws-nuke. Let’s dive in! 🌊

Option 1: Install from Released Binaries

The recommended way is to grab the released binaries from GitHub.

  1. Head over to the GitHub releases page.

  2. Download the binary for your OS (Linux, macOS, or Windows).

  3. Add the binary to your $PATH, so you can run it from anywhere.

Option 2: Install via Homebrew (Mac Users 🍎)

If you’re on a Mac, Homebrew makes this super easy. Just run:

brew install ekristen/tap/aws-nuke

⚠️ Heads up! Use the full tap name (ekristen/tap/aws-nuke). A plain brew install aws-nuke may give you the older, deprecated version.

🚀 Getting Started with AWS-Nuke

Alright, you’ve got it installed—now let’s use it! 😎

Step 1: AWS Credentials 🔑

Before running anything, make sure your AWS credentials are set up properly. You can configure these either through environment variables or the ~/.aws/credentials file. You will need administrator-level permissions on the account you want to clean up. Because aws-nuke deletes IAM resources too, the user or role it runs as must be excluded through filters (see Step 2), or it will remove its own access part way through the run.

Step 2: Create a Config File 🛠️

Next, create a configuration file (typically named config.yml) that specifies which AWS accounts and regions to clean up, and which resources to keep (filters). Everything in the targeted regions that aws-nuke supports and that is not filtered will be deleted.

Here’s a simple example:

regions:     # Specify the regions to target for clean-up.
  - "global" # This is for all global resource types e.g. IAM
  - "us-east-1"
  - "us-west-2"

blocklist:   # Specify which accounts should not be touched (Stage/Prod etc.)
  - "111122223333" # Keep this account safe from nuking

accounts:    # Specify which accounts to target for clean-up.
  "123456789012": # Nuke this account
    filters: # Specify Filter to use for choosing resources to clean-up
      IAMSAMLProvider:
        - type: "regex"   # You can use regex
          value: "AWSSSO_.*_DO_NOT_DELETE"
      IAMRole:
        - type: "glob"
          value: "AWSReservedSSO_*"
      IAMRolePolicyAttachment:
        - type: "glob"
          value: "AWSReservedSSO_*"
      IAMUser:            # You can specify direct match
        - "aws-nuke-access"
      IAMUserPolicyAttachment:
        - "aws-nuke-access -> AdministratorAccess"
      IAMUserAccessKey:
        - "aws-nuke-access -> ABCDEFGHFR2HABCDEFGH"
      EC2KeyPair:
        - "my-keypair"

This configuration targets the listed regions and keeps the aws-nuke-access IAM user (together with its policy attachment and access key), the SSO-managed roles and SAML provider, and the my-keypair EC2 key pair. Everything else that aws-nuke supports in those regions is fair game.

A more elaborate starter configuration is documented in the project's docs.
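Before pointing aws-nuke at an account it pays to check the config for the mistakes that hurt most: a mistyped account ID, an account that is both a target and blocklisted, an empty blocklist, and a runner identity that is not fully filtered. The script below is an added example for this post, not part of aws-nuke; it encodes those checks for the IAM-user case (aws-nuke-access in the config above) and approximates glob/regex filters with a prefix test. The sample configs are constructed to mirror the post's config and a deliberately broken variant.

```python
"""Sanity-check an aws-nuke config before running it (added example, not aws-nuke code)."""
import re
from typing import Any

ACCOUNT_ID = re.compile(r"^\d{12}$")

# An IAM user's ability to authenticate and act is spread across three resource
# types; all three must be filtered or aws-nuke deletes its own access mid-run.
SELF_PROTECT_TYPES = ("IAMUser", "IAMUserPolicyAttachment", "IAMUserAccessKey")


def _filter_values(filters: Any) -> list[str]:
    """Flatten a filter list to its string values; entries are plain strings
    (exact match) or {type: ..., value: ...} maps (glob/regex/...)."""
    values = []
    for entry in filters or []:
        values.append(str(entry.get("value", "")) if isinstance(entry, dict) else str(entry))
    return values


def _protects(values: list[str], user: str) -> bool:
    """True if a filter names the user exactly or as the left side of a
    'user -> thing' pair. Glob/regex filters are approximated by this prefix test."""
    return any(v == user or v.startswith(user + " -> ") for v in values)


def validate_config(config: dict, runner_user: str) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: list[str] = []
    regions = config.get("regions") or []
    blocklist = [str(a) for a in config.get("blocklist") or []]
    accounts = {str(a): (v or {}) for a, v in (config.get("accounts") or {}).items()}

    if not regions:
        problems.append("regions is empty: nothing would be cleaned up")
    if not blocklist:
        problems.append("blocklist is empty: add at least your production account ID")
    if not accounts:
        problems.append("accounts is empty: no target account")

    for acct in blocklist + list(accounts):
        if not ACCOUNT_ID.match(acct):
            problems.append(f"{acct!r} is not a 12-digit AWS account ID")
    for acct in accounts:
        if acct in blocklist:
            problems.append(f"account {acct} is both a target and blocklisted")

    # IAM is a global resource type, so self-protection only matters when
    # "global" is among the targeted regions.
    if "global" in regions:
        for acct, spec in accounts.items():
            filters = spec.get("filters") or {}
            for rtype in SELF_PROTECT_TYPES:
                if not _protects(_filter_values(filters.get(rtype)), runner_user):
                    problems.append(f"account {acct}: no {rtype} filter protects '{runner_user}'")
    return problems


def load_config(path: str) -> dict:
    """Read a real config.yml. Needs PyYAML; imported lazily so the checks run without it."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


# Constructed sample mirroring the config in this post.
GOOD_CONFIG = {
    "regions": ["global", "us-east-1", "us-west-2"],
    "blocklist": ["111122223333"],
    "accounts": {
        "123456789012": {
            "filters": {
                "IAMRole": [{"type": "glob", "value": "AWSReservedSSO_*"}],
                "IAMUser": ["aws-nuke-access"],
                "IAMUserPolicyAttachment": ["aws-nuke-access -> AdministratorAccess"],
                "IAMUserAccessKey": ["aws-nuke-access -> ABCDEFGHFR2HABCDEFGH"],
            }
        }
    },
}

# Constructed counter-example: an 11-digit account ID that is also blocklisted,
# and the runner's own access key left unfiltered.
BAD_CONFIG = {
    "regions": ["global", "us-east-1"],
    "blocklist": ["12345678901"],
    "accounts": {
        "12345678901": {
            "filters": {
                "IAMUser": ["aws-nuke-access"],
                "IAMUserPolicyAttachment": ["aws-nuke-access -> AdministratorAccess"],
            }
        }
    },
}

if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else GOOD_CONFIG
    for problem in validate_config(cfg, "aws-nuke-access"):
        print("PROBLEM:", problem)
```

Run it as `python check_config.py config.yml` before every real run; a clean exit with no PROBLEM lines is the minimum bar before `--no-dry-run`.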

Step 3: Basic Commands 📝

Once you have the configuration file, try a few basic commands:

aws-nuke --help
aws-nuke explain-account --help
aws-nuke explain-account -c config.yml
aws-nuke explain-config -c config.yml

These print the help text and, for the last two, describe the account and the effective configuration as aws-nuke sees them, without deleting anything.

Step 4: Dry Run First 🚧

💡 Pro tip: Always do a dry run first to see what would be deleted. aws-nuke runs in dry-run mode unless you pass --no-dry-run, so the command below only lists resources:

aws-nuke run -c config.yml --profile <aws-profile>

If the list looks right, add the --no-dry-run flag and proceed to the real thing.
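A dry run over a busy account prints hundreds of lines, and the ones that matter (the "would remove" entries for data-bearing resources) are easy to miss. The script below is an added example for this post, not aws-nuke's own code. It assumes that aws-nuke prints one line per resource in the form `<region> - <ResourceType> - <id> - [<properties>] - <status>` with statuses such as "would remove" and "filtered by config"; that format is an assumption about the tool's log output, so compare it with your own dry run. The HIGH_VALUE set and the sample lines are constructed for the example.

```python
"""Summarise an aws-nuke dry run before adding --no-dry-run (added example, not aws-nuke code)."""
import sys
from collections import Counter
from typing import Iterable, NamedTuple, Optional


class Resource(NamedTuple):
    region: str
    rtype: str
    ident: str
    status: str


def parse_line(line: str) -> Optional[Resource]:
    """Parse one per-resource output line; returns None for anything else
    (progress messages, errors, blank lines). Assumed format:
    <region> - <ResourceType> - <id> - [<properties>] - <status>"""
    head, sep, status = line.rstrip().rpartition(" - ")
    if not sep:
        return None
    parts = head.split(" - ", 2)
    if len(parts) != 3:
        return None
    region, rtype, rest = parts
    ident = rest.split(" - [", 1)[0]  # drop the trailing [properties] block
    return Resource(region, rtype, ident, status.strip())


# Resource types whose deletion is hard to undo. Assumed list for this example;
# extend it for your own estate.
HIGH_VALUE = {"S3Bucket", "RDSInstance", "EC2Volume", "KMSKey", "DynamoDBTable"}


def summarize(lines: Iterable[str]) -> dict:
    """Count what a dry run would delete, per type, and flag high-value resources."""
    resources = [r for r in map(parse_line, lines) if r is not None]
    would_remove = [r for r in resources if r.status == "would remove"]
    return {
        "total": len(resources),
        "would_remove": len(would_remove),
        "filtered": sum(1 for r in resources if r.status == "filtered by config"),
        "by_type": Counter(r.rtype for r in would_remove),
        "flagged": [r for r in would_remove if r.rtype in HIGH_VALUE],
    }


def report(summary: dict) -> str:
    out = [f"{summary['total']} resources scanned, {summary['would_remove']} would be removed, "
           f"{summary['filtered']} filtered by config"]
    for rtype, n in sorted(summary["by_type"].items()):
        out.append(f"  {rtype}: {n}")
    for r in summary["flagged"]:
        out.append(f"  !! HIGH VALUE: {r.region} {r.rtype} {r.ident}")
    return "\n".join(out)


# Constructed sample of dry-run output in the assumed format.
SAMPLE_OUTPUT = """\
us-east-1 - EC2Instance - i-0abc12345def67890 - [InstanceState: "running", InstanceType: "t3.micro"] - would remove
us-east-1 - EC2KeyPair - my-keypair - [Name: "my-keypair"] - filtered by config
us-east-1 - S3Bucket - s3://dev-artifacts-123456789012 - [CreationDate: "2024-01-02T03:04:05Z", Name: "dev-artifacts-123456789012"] - would remove
global - IAMUser - aws-nuke-access - [Name: "aws-nuke-access"] - filtered by config
global - IAMRole - AWSReservedSSO_AdministratorAccess_0123456789abcdef - [Name: "AWSReservedSSO_AdministratorAccess_0123456789abcdef"] - filtered by config
global - IAMRole - lambda-dev-role - [Name: "lambda-dev-role"] - would remove
us-west-2 - RDSInstance - dev-postgres - [Engine: "postgres"] - would remove
Scan complete: 7 total, 4 nukeable, 3 filtered.
"""

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines()
    print(report(summarize(source)))
```

Pipe the dry run into it (`aws-nuke run -c config.yml --profile <aws-profile> 2>&1 | python summarize_dry_run.py`) and read the HIGH VALUE lines first; if any of them names something you cannot recreate, add a filter for it and re-run the dry run before going further.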

Step 5: Nuke Time! 💣

When you're ready to clean up your AWS account, simply run:

aws-nuke run -c config.yml --profile <aws-profile> --no-dry-run

aws-nuke will take it from here and start deleting every supported resource in the targeted regions that your filters do not exclude. Depending on how many resources you have, this could take some time ⏳, so grab a coffee! ☕

🚨 Safety First: Tips to Stay on the Safe Side

As powerful as aws-nuke is, it's important to use it carefully. Here are a few tips:

  • Always run a dry run before actually deleting anything.

  • 📝 Double-check your configuration file to avoid accidentally nuking important resources, and keep every production account in the blocklist.

  • 🏷️ aws-nuke refuses to run against an account that has no account alias, or whose alias contains the string "prod". Set a clearly non-production alias on the accounts you intend to nuke rather than working around that check.

  • 📦 Back up anything you still need (e.g., S3 buckets, EC2 volumes) before running. aws-nuke is meant for disposable accounts, not production ones.

😬 Known Pitfalls and Things to Watch Out For

While aws-nuke is an amazing tool, it’s not without a few quirks. Here are some common pitfalls to watch out for:

1. Some Resources May Fail to Delete ⚠️

Certain AWS resources may fail to delete on the first attempt because of dependencies, deletion protection, or other constraints. If you hit failures, rerun the tool; a second or even third pass is sometimes needed to clear everything out.

2. Long Execution Times for S3 Buckets with Large Object Counts 🕒

If you have S3 buckets with a large number of objects (or many object versions), aws-nuke can take a long time to empty them. In these cases it can be faster to empty and delete the bucket yourself, for example from the AWS Console, with aws s3 rb s3://<bucket> --force, or by letting a lifecycle expiration rule drain it first.

🏁 Wrapping Up

And there you have it! aws-nuke is a great way to automate resource cleanup across your AWS accounts, saving you time and preventing unwanted costs. By following these steps, you'll be able to install the tool and use it to keep your accounts clean.

Remember to use aws-nuke carefully, and always review your resources before hitting that nuke button! 💥

For more details, check out the official documentation, and happy cleaning! 🧹