Usage

aws-nuke

NAME:
   aws-nuke - remove everything from an aws account

USAGE:
   aws-nuke [global options] command [command options] 

VERSION:
   3.0.0-dev

AUTHOR:
   Erik Kristensen <[email protected]>

COMMANDS:
   run, nuke                       run nuke against an aws account and remove everything from it
   account-details, account        list details about the AWS account that the tool is authenticated to
   explain-config                  explain the configuration file and the resources that will be nuked
   resource-types, list-resources  list available resources to nuke
   help, h                         Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h     show help
   --version, -v  print the version

aws-nuke run

NAME:
   aws-nuke run - run nuke against an aws account and remove everything from it

USAGE:
   aws-nuke run [command [command options]]

OPTIONS:
   --config string, -c string                                                                   path to config file (default: "config.yaml")
   --include string, --target string [ --include string, --target string ]                      only run against these resource types
   --exclude string, --exclude-resource string [ --exclude string, --exclude-resource string ]  exclude these resource types
   --cloud-control string [ --cloud-control string ]                                            use these resource types with the Cloud Control API instead of the default
   --quiet, -q                                                                                  hide filtered messages (default: false)
   --no-dry-run                                                                                 actually run the removal of the resources after discovery (default: false)
   --no-prompt, --force                                                                         disable prompting for verification to run (default: false)
   --prompt-delay int, --force-sleep int                                                        seconds to delay after prompt before running (minimum: 3 seconds) (default: 10)
   --max-wait-retries int                                                                       maximum number of retries to wait for dependencies to be removed (default: 0)
   --run-sleep-delay duration                                                                   time to sleep between run/loops of resource deletions, default is 5 seconds (default: 5s) [$AWS_NUKE_RUN_SLEEP_DELAY]
   --no-alias-check                                                                             disable aws account alias check - requires entry in config as well (default: false)
   --feature-flag string [ --feature-flag string ]                                              enable experimental behaviors that may not be fully tested or supported
   --default-region string                                                                      the default aws region to use when setting up the aws auth session [$AWS_DEFAULT_REGION]
   --access-key-id string                                                                       the aws access key id to use when setting up the aws auth session [$AWS_ACCESS_KEY_ID]
   --secret-access-key string                                                                   the aws secret access key to use when setting up the aws auth session [$AWS_SECRET_ACCESS_KEY]
   --session-token string                                                                       the aws session token to use when setting up the aws auth session, typically used for temporary credentials [$AWS_SESSION_TOKEN]
   --profile string                                                                             the aws profile to use when setting up the aws auth session, typically used for shared credentials files [$AWS_PROFILE]
   --assume-role-arn string                                                                     the role arn to assume using the credentials provided in the profile or statically set [$AWS_ASSUME_ROLE_ARN]
   --assume-role-session-name string                                                            the session name to provide for the assumed role [$AWS_ASSUME_ROLE_SESSION_NAME]
   --assume-role-external-id string                                                             the external id to provide for the assumed role [$AWS_ASSUME_ROLE_EXTERNAL_ID]
   --log-level string, -l string                                                                Log Level (default: "info") [$LOGLEVEL, $AWS_NUKE_LOG_LEVEL]
   --log-caller                                                                                 log the caller (aka line number and file) (default: false) [$AWS_NUKE_LOG_CALLER]
   --log-disable-colors, --log-disable-color                                                    disable log coloring (default: false) [$AWS_NUKE_LOG_DISABLE_COLORS]
   --log-force-colors                                                                           force enable log output to always show colors (default: false) [$AWS_NUKE_LOG_FORCE_COLORS]
   --log-full-timestamp                                                                         force log output to always show full timestamp (default: false)
   --log-format string                                                                          log format (default: "standard") [$AWS_NUKE_LOG_FORMAT]
   --json                                                                                       output as json, shorthand for --log-format=json (default: false) [$AWS_NUKE_LOG_FORMAT_JSON]
   --help, -h                                                                                   show help

aws-nuke explain-account

This command shows you details of how you are authenticated to AWS.

NAME:
   aws-nuke explain-account - explain the account and authentication method used to authenticate against AWS

USAGE:
   aws-nuke explain-account [command options] [arguments...]

DESCRIPTION:
   explain the account and authentication method used to authenticate against AWS

OPTIONS:
   --config value, -c value          path to config file (default: "config.yaml")
   --default-region value            the default aws region to use when setting up the aws auth session [$AWS_DEFAULT_REGION]
   --access-key-id value             the aws access key id to use when setting up the aws auth session [$AWS_ACCESS_KEY_ID]
   --secret-access-key value         the aws secret access key to use when setting up the aws auth session [$AWS_SECRET_ACCESS_KEY]
   --session-token value             the aws session token to use when setting up the aws auth session, typically used for temporary credentials [$AWS_SESSION_TOKEN]
   --profile value                   the aws profile to use when setting up the aws auth session, typically used for shared credentials files [$AWS_PROFILE]
   --assume-role-arn value           the role arn to assume using the credentials provided in the profile or statically set [$AWS_ASSUME_ROLE_ARN]
   --assume-role-session-name value  the session name to provide for the assumed role [$AWS_ASSUME_ROLE_SESSION_NAME]
   --assume-role-external-id value   the external id to provide for the assumed role [$AWS_ASSUME_ROLE_EXTERNAL_ID]
   --log-level value, -l value       Log Level (default: "info") [$LOGLEVEL]
   --log-caller                      log the caller (aka line number and file) (default: false)
   --log-disable-color               disable log coloring (default: false)
   --log-full-timestamp              force log output to always show full timestamp (default: false)
   --help, -h                        show help

explain-account example output

Overview:
> Account ID:       123456789012
> Account ARN:      arn:aws:iam::123456789012:root
> Account UserID:   AKIAIOSFODNN7EXAMPLE:root
> Account Alias:    no-alias-123456789012
> Default Region:   us-east-2
> Enabled Regions:  [global ap-south-1 ca-central-1 eu-central-1 us-west-1 us-west-2 eu-north-1 eu-west-3 eu-west-2 eu-west-1 ap-northeast-3 ap-northeast-2 ap-northeast-1 sa-east-1 ap-southeast-1 ap-southeast-2 us-east-1 us-east-2]

Authentication:
> Method: Static Keys
> Access Key ID:    AKIAIOSFODNN7EXAMPLE
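
A guard for the destructive path, as an added example that is not part of the aws-nuke documentation or project: it parses the explain-account output shown above and only calls `aws-nuke run` when the authenticated account ID equals the one the operator expects. The function names and the embedded sample (constructed from the example output above) are illustrative, and it assumes explain-account writes this format to stdout.

```shell
#!/usr/bin/env bash
# Added example: gate an aws-nuke run on what explain-account reports.

# Constructed sample input, in the format of the example output above.
SAMPLE_OUTPUT='Overview:
> Account ID:       123456789012
> Account ARN:      arn:aws:iam::123456789012:root
> Account UserID:   AKIAIOSFODNN7EXAMPLE:root
> Account Alias:    no-alias-123456789012
> Default Region:   us-east-2

Authentication:
> Method: Static Keys
> Access Key ID:    AKIAIOSFODNN7EXAMPLE'

# explain_field LABEL: read explain-account output on stdin and print the
# value of the "> LABEL: value" line (prints nothing if the line is absent).
explain_field() {
  sed -n "s/^> $1:[[:space:]]*//p" | head -n 1
}

# check_account EXPECTED_ID: succeed only if stdin reports exactly that account.
check_account() {
  local expected="$1" actual
  actual="$(explain_field 'Account ID')"
  case "$expected" in
    ''|*[!0-9]*) echo "expected account id must be numeric" >&2; return 2 ;;
  esac
  if [ "$actual" != "$expected" ]; then
    echo "refusing: authenticated to '${actual:-unknown}', expected '$expected'" >&2
    return 1
  fi
}

# guarded_nuke EXPECTED_ID CONFIG [extra "aws-nuke run" flags]
# "aws-nuke run" is a dry run unless --no-dry-run is passed explicitly.
# If explain-account fails or prints nothing, the ID check fails closed.
guarded_nuke() {
  local expected="$1" config="$2"; shift 2
  aws-nuke explain-account --config "$config" | check_account "$expected" || return 1
  aws-nuke run --config "$config" "$@"
}
```

Calling `guarded_nuke 123456789012 config.yaml` performs the check and then a dry run; appending `--no-dry-run` is what makes the run delete resources.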

aws-nuke explain-config

This command will explain the configuration file and the resources that will be nuked for the targeted account.

NAME:
   aws-nuke explain-config - explain the configuration file and the resources that will be nuked for an account

USAGE:
   aws-nuke explain-config [command options] [arguments...]

DESCRIPTION:
   explain the configuration file and the resources that will be nuked for an account that
   is defined within the configuration. You may either specific an account using the --account-id flag or
   leave it empty to use the default account that can be authenticated against. You can optionally list out included,
   excluded and resources with filters with their respective with flags.

OPTIONS:
   --config value, -c value          path to config file (default: "config.yaml")
   --account-id value                the account id to check against the configuration file, if empty, it will use whatever account can be authenticated against
   --with-filtered                   print out resource types that have filters defined against them (default: false)
   --with-included                   print out the included resource types (default: false)
   --with-excluded                   print out the excluded resource types (default: false)
   --default-region value            the default aws region to use when setting up the aws auth session [$AWS_DEFAULT_REGION]
   --access-key-id value             the aws access key id to use when setting up the aws auth session [$AWS_ACCESS_KEY_ID]
   --secret-access-key value         the aws secret access key to use when setting up the aws auth session [$AWS_SECRET_ACCESS_KEY]
   --session-token value             the aws session token to use when setting up the aws auth session, typically used for temporary credentials [$AWS_SESSION_TOKEN]
   --profile value                   the aws profile to use when setting up the aws auth session, typically used for shared credentials files [$AWS_PROFILE]
   --assume-role-arn value           the role arn to assume using the credentials provided in the profile or statically set [$AWS_ASSUME_ROLE_ARN]
   --assume-role-session-name value  the session name to provide for the assumed role [$AWS_ASSUME_ROLE_SESSION_NAME]
   --assume-role-external-id value   the external id to provide for the assumed role [$AWS_ASSUME_ROLE_EXTERNAL_ID]
   --log-level value, -l value       Log Level (default: "info") [$LOGLEVEL]
   --log-caller                      log the caller (aka line number and file) (default: false)
   --log-disable-color               disable log coloring (default: false)
   --log-full-timestamp              force log output to always show full timestamp (default: false)
   --help, -h                        show help

explain-config example output

Configuration Details

Account ID:       012345678912
Resource Types:   442 (total)
      Included:   429
      Excluded:   13
Filter Presets:   2
Resource Filters: 24

Note: use --with-filtered to see resources with filters defined
Note: use --with-included to see included resource types that will be nuked
Note: use --with-excluded to see excluded resource types