And then there were one (account)


Requirement

Once the pipeline for the main URL was in place, I needed to get rid of the account that originally held the marcoaguzzi.it domain. Rather than simply closing the AWS account, I wanted to clean it of every resource I had created during my attempts. The same approach is useful for a test account that should be wiped periodically, so that provisioned resources do not keep generating costs. This is well presented in this article: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-deletion-of-aws-resources-by-using-aws-nuke.html

Solution

One interesting tool is aws-nuke: it scans all the resources created in an AWS account and deletes them, if it is allowed to.
The name sounds quite menacing, but there are a couple of safeguards that will (should?) prevent the user from doing irreparable damage.

How it went

After downloading the tool from the GitHub page linked above, it all comes down to a careful configuration. The first and foremost protection against unwanted deletion is that the tool needs the --no-dry-run parameter in order to actually perform any deletion; without it, it only lists what it would remove.

How to avoid irreversible loss

  • As mentioned, use --no-dry-run only once you already know what you are going to delete
  • You must specify the settings in a configuration file
  • The account you want to wipe has to have an alias, so that the confirmation message reads something like:
    Do you really want to delete account super-important-account?
    instead of
    Do you really want to delete account 1234567890?
  • If the alias you set up contains prod, the tool will never delete anything, because that keyword is hard-wired into the code to disallow deletions on any account whose alias contains prod.
  • The configuration file must also contain the number of an account that you do NOT want to delete (a blocklist). This adds a safety net: the configuration should read as:
    delete all under unwanted_testing but nothing under actually_running
  • You can also review what would be deleted (the dry run) and, based on that, use filtering in the configuration: filters support both a blacklist approach (name the resources to keep) and a whitelist approach (invert a filter so only matching resources are deleted).
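As an added illustration (not code from this post or from aws-nuke itself), the following Python helper encodes the safeguards listed above as a pre-flight check and applies filters the way the blacklist/whitelist approach works. It assumes the key layout of the rebuy-de aws-nuke configuration file (`regions`, `account-blocklist`, `accounts`, `filters`) and supports only exact-string and glob filters; the sample config and account numbers are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample config; key names follow the rebuy-de aws-nuke layout (assumption).
SAMPLE_CONFIG = {
    "regions": ["eu-west-1", "global"],
    "account-blocklist": ["222222222222"],          # actually_running: never touched
    "accounts": {
        "111111111111": {                            # unwanted_testing: to be wiped
            "filters": {
                # blacklist style: keep exactly this IAM user, delete the others
                "IAMUser": ["break-glass"],
                # whitelist style: delete only buckets named tmp-*, keep the rest
                "S3Bucket": [{"type": "glob", "value": "tmp-*", "invert": True}],
            }
        }
    },
}


def run_would_delete(config, account_id, alias, no_dry_run):
    """Return (deletes, reasons). deletes is True only when every safeguard
    from the list above passes AND --no-dry-run was given."""
    reasons = []
    blocklist = config.get("account-blocklist") or []
    if not alias:
        reasons.append("account has no alias")
    elif "prod" in alias.lower():                    # hard-wired refusal on 'prod'
        reasons.append(f"alias {alias!r} contains 'prod'")
    if not blocklist:
        reasons.append("account-blocklist is empty")
    if account_id in blocklist:
        reasons.append(f"{account_id} is blocklisted")
    if account_id not in (config.get("accounts") or {}):
        reasons.append(f"{account_id} is not configured under 'accounts'")
    if reasons:
        return False, reasons
    if not no_dry_run:
        return False, ["dry run: resources are listed, nothing is removed"]
    return True, []


def is_kept(config, account_id, resource_type, resource_name):
    """True when the account's filters would leave this resource alone.
    A plain string is an exact match (blacklist); a dict with type 'glob'
    matches a pattern, and invert=True keeps the NON-matching resources (whitelist)."""
    filters = config["accounts"][account_id].get("filters", {}).get(resource_type, [])
    for f in filters:
        matched = resource_name == f if isinstance(f, str) else fnmatchcase(resource_name, f["value"])
        if matched != bool(f.get("invert", False)) if not isinstance(f, str) else matched:
            return True
    return False
```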

Preceding history

I had already used this tool to nuke another account, where some leftover resources cost me more or less 20 Euros over a couple of days. Of course the amount itself was not the problem, but the fact that it was unexpected and accrued in only a couple of days. I wanted to close that account only once I was sure that no resources spending money were still in place, so I opted for this tool. Once the tool had run and the forecasted costs went to zero, I deleted the account.

Future reference

I am linking, for my own future reference too, the minimal configuration I used to nuke the AWS account:


https://marcoaguzzi.it/2023/11/10/aws-nuke/

Author

Marco Aguzzi

Posted on

2023-11-10

Updated on

2024-11-03
