
How to delete all the resources from an AWS account safely

Ekant Mate (AWS APN Ambassador)
AWS in Plain English
8 min read · Oct 27, 2024

How to nuke AWS accounts? / How to clean up all the resources in an AWS account?

Image taken from washingtonpost.com

If you’ve reached the point where you want to completely clear out an AWS account — perhaps for cost-saving, cleanup, or transfer purposes — deleting every resource by hand can be time-consuming. AWS doesn’t offer a built-in “nuke” feature for deleting all resources across an account. However, third-party tools, like the actively maintained AWS Nuke repository by Erik Kristensen, provide a way to clear out resources efficiently and safely. This article walks you through using AWS Nuke to delete all resources from an AWS account and provides guidance on AWS account cleanup.

Understanding AWS Nuke and Its Use Cases

AWS Nuke is an open-source tool that iterates over an AWS account and attempts to delete all resources. It’s specifically designed for users who need to:

  1. Completely clear out AWS resources, possibly for account handover.
  2. Test resource setups without retention.
  3. Avoid unnecessary AWS charges by removing unused resources.
  4. Transition environments by making sure old resources are fully deleted.

Important Note: AWS Nuke will attempt to delete everything in your account, which is irreversible. Make sure to back up any necessary data and verify resource removals.

Step-By-Step Guide to Delete All Resources Using AWS Nuke

Step 1: Prerequisites

Before using AWS Nuke, ensure the following prerequisites are met:

  • Install AWS CLI: Ensure the AWS CLI is installed and configured on your machine.
  • IAM Permissions: Use an IAM user with full administrative permissions to avoid access issues while deleting resources.
  • Backup Important Data: Review and back up any critical data (like S3 buckets, RDS snapshots, etc.) you want to keep.
  • Download and Configure AWS Nuke: Clone or download AWS Nuke from the AWS Nuke GitHub repository.

Step 2: Configure AWS Nuke

  1. Clone the Repository: Clone the AWS Nuke repository to your local machine using Git.

Installation on Linux, macOS, Windows

Step a: Download the Binary

AWS Nuke provides a precompiled binary on its GitHub Releases page. The latest release can be found here.

Use curl or wget to download the binary:

# Replace <version> with the latest release version number
curl -Lo aws-nuke.tar.gz "https://github.com/rebuy-de/aws-nuke/releases/download/v<version>/aws-nuke-v<version>-linux-amd64.tar.gz" # For Linux

curl -Lo aws-nuke.tar.gz "https://github.com/rebuy-de/aws-nuke/releases/download/v<version>/aws-nuke-v<version>-darwin-amd64.tar.gz" # For macOS

Step b: Extract the Binary

Once downloaded, extract the file:

tar -xzf aws-nuke.tar.gz

Step c: Move the Binary to /usr/local/bin

Move the extracted aws-nuke binary to a directory in your system's PATH, such as /usr/local/bin, for global access:

sudo mv aws-nuke /usr/local/bin

Step d: Verify Installation

Confirm the installation by checking the version:

aws-nuke --version

For macOS (via Homebrew):

brew install aws-nuke
aws-nuke --version

Installation on Windows:

  1. Once the download of the Windows executable (.exe) from the Releases page is complete, locate it on your computer.
  2. Open the Command Prompt by pressing the Windows key + R, typing “cmd”, and pressing Enter. (Run your Command Prompt as an Administrator.)
  3. In the Command Prompt, navigate to the directory where the AWS Nuke executable file is located.

First change to the directory where you stored the file, for example by typing “cd c:\aws-nuke”.

Then run “aws-nuke-v2.22.1-windows-amd64.exe version” to check the installed version of AWS Nuke.

  2. Create a new file named config.yaml and add the parameters below according to your requirements. (I am taking one sample file and will explain a few of its parameters.)

regions:
  - global
  - us-east-1
  - us-east-2

blocklist:
  - "987654321098" # Production Account

settings:
  EC2Image:
    IncludeDisabled: true
    IncludeDeprecated: true
    DisableDeregistrationProtection: true
  EC2Instance:
    DisableStopProtection: true
    DisableDeletionProtection: true
  RDSInstance:
    DisableDeletionProtection: true
  CloudFormationStack:
    DisableDeletionProtection: true
  DynamoDBTable:
    DisableDeletionProtection: true

resource-types:
  excludes:
    - S3Object # Excluded because S3 bucket removal handles removing all S3Objects
    - ServiceCatalogTagOption # Excluded due to https://github.com/rebuy-de/aws-nuke/issues/515
    - ServiceCatalogTagOptionPortfolioAttachment # Excluded due to https://github.com/rebuy-de/aws-nuke/issues/515
    - FMSNotificationChannel # Excluded because it's not available
    - FMSPolicy # Excluded because it's not available
    - MachineLearningMLModel # Excluded due to ML being unavailable
    - MachineLearningDataSource # Excluded due to ML being unavailable
    - MachineLearningBranchPrediction # Excluded due to ML being unavailable
    - MachineLearningEvaluation # Excluded due to ML being unavailable
    - RoboMakerDeploymentJob # Deprecated Service
    - RoboMakerFleet # Deprecated Service
    - RoboMakerRobot # Deprecated Service
    - RoboMakerSimulationJob
    - RoboMakerRobotApplication
    - RoboMakerSimulationApplication
    - OpsWorksApp # Deprecated service
    - OpsWorksInstance # Deprecated service
    - OpsWorksLayer # Deprecated service
    - OpsWorksUserProfile # Deprecated service
    - OpsWorksCMBackup # Deprecated service
    - OpsWorksCMServer # Deprecated service
    - OpsWorksCMServerState # Deprecated service
    - CodeStarProject # Deprecated service
    - CodeStarConnection # Deprecated service
    - CodeStarNotification # Deprecated service
    - Cloud9Environment # Deprecated service
    - CloudSearchDomain # Deprecated service
    - RedshiftServerlessSnapshot # Deprecated service
    - RedshiftServerlessNamespace # Deprecated service
    - RedshiftServerlessWorkgroup # Deprecated service

presets:
  common:
    filters:
      BudgetsBudget:
        - property: Name
          value: "My Zero-Spend Budget"

  organization:
    filters:
      IAMSAMLProvider:
        - property: ARN
          type: contains
          value: "AWSSSO"
      IAMRole:
        - property: Name
          type: contains
          value: "OrganizationAccountAccessRole"
      IAMRolePolicyAttachment:
        - property: RoleName
          value: "OrganizationAccountAccessRole"

  defaults:
    filters:
      EC2Subnet:
        - property: DefaultVPC
          value: "true"
      EC2DefaultSecurityGroupRule:
        - property: DefaultVPC
          value: "true"
      EC2DHCPOption:
        - property: DefaultVPC
          value: "true"
      EC2VPC:
        - property: IsDefault
          value: "true"
      EC2InternetGateway:
        - property: DefaultVPC
          value: "true"
      EC2InternetGatewayAttachment:
        - property: DefaultVPC
          value: "true"

accounts:
  '012345678901':
    presets:
      - common
      - organization
      - defaults

Breakdown of the Configuration File

A. Regions

regions:
  - global
  - us-east-1
  - us-east-2

This specifies the regions where AWS Nuke should operate. In this case, AWS Nuke will target:

  • Global resources (like IAM, Route 53, etc.)
  • us-east-1 and us-east-2

AWS Nuke will only perform actions in the specified regions, so resources in other regions won’t be affected.

B. Blocklist

blocklist:
  - "987654321098" # Production Account

This section specifies an account blocklist, which prevents AWS Nuke from running in critical or production accounts. Here, AWS Nuke will ignore the account with the ID 987654321098, ensuring no resources are accidentally deleted there.

C. Settings

settings:
  EC2Image:
    IncludeDisabled: true
    IncludeDeprecated: true
    DisableDeregistrationProtection: true
  EC2Instance:
    DisableStopProtection: true
    DisableDeletionProtection: true
  RDSInstance:
    DisableDeletionProtection: true
  CloudFormationStack:
    DisableDeletionProtection: true
  DynamoDBTable:
    DisableDeletionProtection: true

This section modifies deletion behavior and disables any protections set on specific resource types:

  • EC2Image: Includes disabled and deprecated AMIs in the deletion process and disables deregistration protection.
  • EC2Instance: Disables stop and deletion protections on EC2 instances, making them deletable.
  • RDSInstance, CloudFormationStack, and DynamoDBTable: Disables deletion protection, allowing these resources to be removed by AWS Nuke.

D. Resource Types to Exclude

resource-types:
  excludes:
    - S3Object
    - ServiceCatalogTagOption
    - ServiceCatalogTagOptionPortfolioAttachment
    - FMSNotificationChannel
    - FMSPolicy
    - MachineLearningMLModel

This section lists specific AWS resource types that AWS Nuke should ignore during cleanup. Reasons for exclusions include:

  • Resource limitations: Some resources, like S3Object, are automatically managed by the S3 bucket deletion process.
  • Unavailable or Deprecated Services: For example, OpsWorksApp, RoboMakerFleet, and Cloud9Environment are excluded because they are deprecated or unavailable.
  • Unmanaged Resources: Resources that aren’t available via the AWS SDK or that need special permissions (e.g., FMS policies).

E. Presets

Presets are predefined filters that allow you to exclude specific resources based on certain properties. This file has three presets: common, organization, and defaults.

  • common: This preset filters out specific AWS Budgets, excluding budgets named "My Zero-Spend Budget" from deletion.
  • organization: Filters resources related to organizational setups.
      • IAMSAMLProvider: Excludes SAML providers containing "AWSSSO" in their ARN.
      • IAMRole and IAMRolePolicyAttachment: Excludes roles whose name contains "OrganizationAccountAccessRole" and the policy attachments on that role, which is often used for cross-account access in AWS Organizations.
  • defaults: This preset filters out default VPC-related resources, such as the default VPC, subnets, security groups, and associated configurations.

F. Accounts

accounts:
  '012345678901':
    presets:
      - common
      - organization
      - defaults

This section defines the AWS accounts in which AWS Nuke will run and applies specified presets to each account. Here, account 012345678901 will:

  • Exclude resources based on all three presets: common, organization, and defaults.
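Before handing this file to AWS Nuke, it is worth checking it for the mistakes the breakdown above guards against: a missing or empty blocklist, a target account that is also blocklisted, an unquoted account ID that YAML turned into a number, a preset name that is referenced but never defined, and a regions list without global. The following pre-flight script is an added example written for this article; it is not part of AWS Nuke. It runs on the dict that PyYAML’s yaml.safe_load() produces for config.yaml (PyYAML is assumed to be installed for command-line use), follows the key names of the config shown above, and additionally accepts an account-blocklist key, which is an assumption about the older v2 schema.

```python
"""Pre-flight checks for an aws-nuke config.yaml.

Added example, not part of aws-nuke. It works on the dict that PyYAML's
yaml.safe_load() returns for the config file and encodes the safety points
from the configuration breakdown. Key names follow the config shown there
('blocklist'); the older 'account-blocklist' key is accepted as an
assumption about the v2 schema.
"""
import re
import sys

ACCOUNT_ID = re.compile(r"^\d{12}$")


def _as_str_list(values) -> list:
    return [str(v) for v in (values or [])]


def preflight(config: dict) -> list:
    """Return human-readable findings; an empty list means the config passed."""
    findings = []

    # Regions: nothing outside this list is touched, and without "global"
    # IAM, Route 53 and other global resources survive the run.
    regions = config.get("regions") or []
    if not regions:
        findings.append("regions: list is empty, nothing would be deleted")
    elif "global" not in regions:
        findings.append("regions: 'global' is absent, so IAM/Route 53 and other global resources stay in place")

    # Blocklist: aws-nuke refuses to run with an empty one; catch it early,
    # and make sure every entry is a 12-digit account ID.
    blocklist = config.get("blocklist")
    if blocklist is None:
        blocklist = config.get("account-blocklist")
    blocklist_ids = _as_str_list(blocklist)
    if not blocklist_ids:
        findings.append("blocklist: empty; list at least one account that must never be nuked")
    for acct in blocklist_ids:
        if not ACCOUNT_ID.match(acct):
            findings.append(f"blocklist: {acct!r} is not a 12-digit account ID")

    # Accounts: keys must be 12-digit *strings*. An unquoted ID may be parsed
    # by YAML as a number (987654321098 becomes an int, and a leading zero can
    # even be read as octal by YAML 1.1 parsers), after which it no longer
    # compares equal to the account ID string. Quoting is the safe habit.
    accounts = config.get("accounts") or {}
    presets = config.get("presets") or {}
    if not accounts:
        findings.append("accounts: no target account configured")
    for key, body in accounts.items():
        if not isinstance(key, str):
            findings.append(
                f"accounts: {key!r} was parsed as YAML {type(key).__name__}, not a string; quote the ID"
            )
            continue
        if not ACCOUNT_ID.match(key):
            findings.append(f"accounts: {key!r} is not a 12-digit account ID")
        if key in blocklist_ids:
            findings.append(f"accounts: {key} is also on the blocklist")
        for name in _as_str_list((body or {}).get("presets")):
            if name not in presets:
                findings.append(f"accounts/{key}: preset {name!r} is not defined under 'presets'")

    return findings


def main(path: str) -> int:
    import yaml  # PyYAML; only needed when reading a file from the command line

    with open(path) as fh:
        findings = preflight(yaml.safe_load(fh) or {})
    for finding in findings:
        print("FAIL:", finding)
    print("preflight passed" if not findings else f"{len(findings)} finding(s); fix before running aws-nuke")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "config.yaml"))
```

Run it as python preflight.py config.yaml; a non-zero exit code means at least one finding, which makes it easy to put in front of the dry run in a wrapper script. AWS Nuke performs its own safety checks at run time as well (it rejects an empty blocklist and refuses to touch an account whose alias contains “prod”), but a pre-flight like this surfaces configuration mistakes before any credentials are used.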

Step 3: Run AWS Nuke in Dry-Run Mode

To avoid accidental deletions, AWS Nuke offers a dry-run mode. This mode simulates the deletion process and outputs a list of all resources that would be deleted without actually removing them.

  1. Run AWS Nuke, adding the --profile parameter if you have multiple AWS CLI profiles set up. Without the --no-dry-run flag, AWS Nuke runs in dry-run mode:

aws-nuke nuke -c config.yaml --profile <profile-name>

  2. Review the dry-run output. It will display a summary of all resources targeted for deletion, giving you the opportunity to refine your configuration if needed.

Step 4: Run AWS Nuke in Full Deletion Mode

After reviewing the dry-run, you can proceed to delete all resources by running AWS Nuke without the dry-run flag:

aws-nuke nuke -c config.yaml --no-dry-run

Warning: This will begin deleting all resources in the specified AWS account. This process may take some time depending on the number and types of resources in your account.

Step 5: Verify Deletion

After AWS Nuke completes, log in to the AWS Console and check to ensure that all intended resources have been deleted. AWS Nuke may occasionally encounter errors with some resources, so manual verification is recommended.
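The review in Step 3 is the last point at which a configuration mistake costs nothing, so it pays to do it mechanically rather than by eyeballing a long log. The script below is an added example written for this article, not part of AWS Nuke. It assumes the per-resource line shape that AWS Nuke prints during a dry run, <region> - <type> - <id> - [properties] - <verdict>, where “would remove” marks a deletion candidate and “filtered by config” a resource your filters kept; the sample log embedded in it is constructed. It summarises the candidates per region and resource type and fails if anything on a keep-list (resource types or ID patterns you never intended to delete) is about to be removed, which is exactly what you want to know before adding --no-dry-run in Step 4.

```python
"""Review an aws-nuke dry-run log before allowing --no-dry-run.

Added example, not part of aws-nuke. It assumes the per-resource line format
'<region> - <type> - <id> - [props] - <verdict>' printed during a dry run,
where 'would remove' marks a deletion candidate and 'filtered by config' a
resource kept by your filters. Lines in any other shape (banner, scan totals)
are ignored. SAMPLE_LOG is constructed for this example.
"""
import re
import sys
from collections import Counter

SAMPLE_LOG = """\
aws-nuke version (constructed banner line, ignored by the parser)
us-east-1 - EC2Instance - i-0123456789abcdef0 - [tag:Name: "web-1"] - would remove
us-east-1 - S3Bucket - my-app-logs - would remove
us-east-1 - EC2VPC - vpc-0abc12345 - [IsDefault: "true"] - filtered by config
global - IAMRole - OrganizationAccountAccessRole - [Name: "OrganizationAccountAccessRole"] - filtered by config
global - IAMUser - deploy-bot - would remove
us-east-2 - RDSInstance - orders-db - would remove
Scan complete: 6 total, 4 nukeable, 2 filtered.
"""

WOULD_REMOVE = "would remove"
FILTERED = "filtered by config"
LINE = re.compile(
    r"^(?P<region>\S+) - (?P<type>\S+) - (?P<id>.+?) - "
    r"(?:\[(?P<props>.*)\] - )?(?P<verdict>.+)$"
)


def parse(log_text: str) -> list:
    """Turn resource lines into dicts; lines in any other shape are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def violations(rows, keep_types=(), keep_id_patterns=()) -> list:
    """Deletion candidates that hit a resource type or an id regex you meant to keep."""
    hits = []
    for r in rows:
        if r["verdict"] != WOULD_REMOVE:
            continue
        if r["type"] in keep_types or any(re.search(p, r["id"]) for p in keep_id_patterns):
            hits.append(f'{r["region"]} - {r["type"]} - {r["id"]}')
    return hits


def review(log_text: str, keep_types=(), keep_id_patterns=()) -> dict:
    """Summarise a dry-run log and list keep-list violations."""
    rows = parse(log_text)
    candidates = [r for r in rows if r["verdict"] == WOULD_REMOVE]
    return {
        "would_remove": len(candidates),
        "filtered": sum(1 for r in rows if r["verdict"] == FILTERED),
        "by_type": Counter((r["region"], r["type"]) for r in candidates),
        "violations": violations(rows, keep_types, keep_id_patterns),
    }


def main(argv) -> int:
    # usage: review_dry_run.py <log file> [KeepType1,KeepType2,...]
    path = argv[1] if len(argv) > 1 else "dry-run.log"
    keep_types = tuple(argv[2].split(",")) if len(argv) > 2 else ()
    with open(path) as fh:
        result = review(fh.read(), keep_types=keep_types)
    for (region, rtype), n in sorted(result["by_type"].items()):
        print(f"{region:12} {rtype:40} {n}")
    print(f'{result["would_remove"]} would be removed, {result["filtered"]} filtered by config')
    for hit in result["violations"]:
        print("KEEP-LIST HIT:", hit)
    return 1 if result["violations"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Capture the dry run with aws-nuke nuke -c config.yaml --profile <profile-name> 2>&1 | tee dry-run.log, then run python review_dry_run.py dry-run.log IAMUser,S3Bucket (the keep-list is whatever you decided must survive). A non-zero exit stops a wrapper script from ever reaching the --no-dry-run step, and the per-type counts make it obvious when a region or resource type shows up that you did not expect.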

Advanced Configuration Options with AWS Nuke

AWS Nuke offers a variety of configuration options to tailor the deletion process to your needs. Here are a few advanced configurations:

  1. Target or Exclude Specific Resource Types: You can configure AWS Nuke to work on only certain resource types, or to ignore specific resource types you want to preserve, such as IAMUser or S3Bucket.
  2. Timeout Configurations: For accounts with many resources, you can increase the timeout settings in the configuration to prevent premature failure.
  3. Retry Failed Deletions: In some cases, AWS Nuke might fail to delete certain resources due to dependencies. You can run AWS Nuke multiple times to catch any lingering resources.

Important Considerations and Best Practices

  1. Plan Your Deletions Carefully: Double-check your configuration to prevent accidental deletions. AWS Nuke doesn’t discriminate between production and non-production resources unless specified.
  2. Understand Cost Implications: AWS may charge for certain storage (like EBS snapshots or S3 objects) until the deletion process is fully complete.
  3. Review IAM Policies: Avoid running AWS Nuke under a root account. Instead, create an IAM user with the necessary permissions, and restrict its use.
  4. Compliance and Auditing: Deleting resources may have implications for compliance and audit logs. Review and ensure compliance before proceeding.
  5. Consider Testing in Sandbox Accounts: If you’re new to AWS Nuke, test the configuration in a sandbox account first to avoid unexpected results in production environments.

Alternatives to AWS Nuke for AWS Account Cleanup

AWS Nuke is a powerful tool, but there are other ways to clear out an AWS account if full automation isn’t required:

  1. AWS Console Manual Deletion: For small-scale environments, manually deleting resources via the AWS Console can be simpler.
  2. AWS CLI Scripts: For partial deletion, AWS CLI scripts can be used to selectively delete certain resource types.
  3. AWS Control Tower and Landing Zone: If using Control Tower, specific resources may be managed across accounts, providing an option for selective deletion.

Please follow me for more such innovative blogs, and if you find my blogs helpful, I’d really appreciate your claps — they motivate me to keep sharing more valuable insights.

Thank you for being awesome!
