Cleaning up AWS services with aws-nuke

2018-11-04 AWS

Recently a unit asked me to reclaim an AWS account that was no longer being used. Actually closing an account is quite a hassle, so it's better to wipe the resources inside it and hand it to the next unit to move into. The most accurate way to find resources that need removing is usually the Billing report, but that means letting AWS earn another month off us, and I didn't want to go in and check everything one by one by hand …


As an engineer you constantly run into problems like this; to avoid doing something dumb, you spend a little time looking for a better way …


After feeding the keywords to the dog (Google), searching for "nuke" turns up quite a few AWS cleaning-up tools, and among them aws-nuke is the more usable one, so I'm using it here to document the workflow.


Installation

Download the latest version from the aws-nuke releases page; this article uses v2.6.0

$ wget https://github.com/rebuy-de/aws-nuke/releases/download/v2.6.0/aws-nuke-v2.6.0-darwin-amd64.tar.gz
$ sudo tar zxvf aws-nuke-v2.6.0-darwin-amd64.tar.gz
$ sudo mv aws-nuke-v2.6.0-darwin-amd64 /usr/local/bin/aws-nuke

and rename the command to aws-nuke while you're at it.


Usage

The aws-nuke config file is in YAML format; here is a reference example:

---
regions:
- "global"
- "us-west-1"
- "us-west-2"
- "us-east-1"
- "us-east-2"
- "ap-south-1"
- "ap-northeast-1"
- "ap-northeast-2"
- "ap-northeast-3"
- "ap-southeast-1"
- "ap-southeast-2"
- "ca-central-1"
- "eu-central-1"
- "eu-west-1"
- "eu-west-2"
- "eu-west-3"
- "sa-east-1"

account-blacklist:
- "000000000000" # default blacklist account

accounts:
  651686553977: # filter account id
    filters:
      EC2VPC:
      - property: IsDefault
        value: "true"
      IAMRole:
      - "Role-Administrator"
      IAMRolePolicyAttachment:
      - "Role-Administrator -> AdministratorAccess"

  • regions: the regions to scan. The special entry is global: services such as IAM are global rather than regional.
  • account-blacklist: accounts on this list are protected from deletion; even if you have none to protect, the default value must still be filled in …

The config file contains a blacklist field. If the Account ID of the account you want to nuke is part of this blacklist, aws-nuke will abort. It is recommended, that you add every production account to this blacklist.

To ensure you don’t just ignore the blacklisting feature, the blacklist must contain at least one Account ID.

  • resource-types: not present in the example; by default every resource type that aws-nuke supports is scanned, but you can also restrict it to a subset.
  • accounts: used to filter certain resources so they are not deleted, e.g. the admin role or the Default VPC.
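A preflight check that enforces the safety constraints described above before the dry run is run: the account-blacklist must not be empty, the target account must not be on it, and it warns when "global" is missing from regions or the target account has no filters section. This is an added example, not code from the post or from the aws-nuke project; the tiny awk YAML reader only understands the flat "key:" / "- item" layout shown in the post and is not a general YAML parser, and the sample config is a shortened, constructed copy of the post's example.

```shell
#!/bin/sh
# Added example (not from the post or the aws-nuke project): preflight check for an
# aws-nuke config before the dry run. Assumes the flat YAML layout shown in the post.

# Print the items of a top-level YAML sequence (quotes and trailing comments stripped).
yaml_list() {  # usage: yaml_list <key> <file>
  awk -v key="$1" '
    /^[^ #-]/ { in_key = ($0 ~ ("^" key ":")) }
    in_key && /^ *- / {
      sub(/^ *- */, ""); sub(/ *#.*$/, ""); gsub(/"/, ""); print
    }' "$2"
}

# Return 0 when the config is safe to run against <account-id>, 1 otherwise.
preflight() {  # usage: preflight <config.yaml> <account-id>
  cfg=$1; target=$2; rc=0
  blacklist=$(yaml_list account-blacklist "$cfg")
  if [ -z "$blacklist" ]; then
    echo "FAIL: account-blacklist is empty (aws-nuke requires at least one ID)"; rc=1
  elif printf '%s\n' "$blacklist" | grep -qxF "$target"; then
    echo "FAIL: target account $target is on account-blacklist; aws-nuke would abort"; rc=1
  fi
  if [ "$blacklist" = "000000000000" ]; then
    echo "WARN: blacklist holds only the placeholder; add your production account IDs"
  fi
  yaml_list regions "$cfg" | grep -qxF global ||
    echo "WARN: regions lacks \"global\"; global resources such as IAM will not be scanned"
  grep -q "^  $target:" "$cfg" ||
    echo "WARN: no accounts.$target filters; nothing (e.g. the admin role) is protected"
  return $rc
}

# Constructed sample config: a shortened copy of the post's example.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
---
regions:
- "global"
- "us-west-1"

account-blacklist:
- "000000000000" # default blacklist account

accounts:
  651686553977: # filter account id
    filters:
      EC2VPC:
      - property: IsDefault
        value: "true"
      IAMRole:
      - "Role-Administrator"
EOF

# Passes (exit 0) for the account that has filters; prints a WARN about the placeholder.
preflight "$CFG" 651686553977
```

Run it as `preflight config.yaml <account-id>` before `aws-nuke -c config.yaml --profile ...`; a non-zero exit means the config would either be rejected by aws-nuke or is pointed at a blacklisted account.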


aws-nuke accepts credentials via --access-key-id, or via a session token or a profile; here I'll demonstrate the profile approach.

$ aws-nuke -c config.yaml --profile demo-account
aws-nuke version v2.6.0 - Fri Oct 26 11:03:58 UTC 2018 - f7c3d82bf8b2ac4d41ed5e8e96a9d6b9a247796e

Do you really want to nuke the account with the ID 651686553977 and the alias 'demo-account'?
Do you want to continue? Enter account alias to continue.
> demo-account

global - IAMRole - AWSServiceRoleForApplicationAutoScaling_DynamoDBTable - cannot delete service roles
global - IAMRole - AWSServiceRoleForElastiCache - cannot delete service roles
global - IAMRole - AWSServiceRoleForElasticBeanstalk - cannot delete service roles
global - IAMRole - AWSServiceRoleForElasticLoadBalancing - cannot delete service roles
global - IAMRole - AWSServiceRoleForOrganizations - cannot delete service roles
global - IAMRole - AWSServiceRoleForRDS - cannot delete service roles
global - IAMRole - AWSServiceRoleForSupport - cannot delete service roles
global - IAMRole - Role-Administrator - filtered by config
...


Once you've confirmed that the list of resources to be deleted looks right, add --no-dry-run and run it again to actually remove the resources:

$ aws-nuke -c config.yaml --profile demo-account --no-dry-run


Known issues

  • IAM Users with MFA enabled cannot be deleted.
  • If an S3 Bucket has a Bucket Policy there is no permission to remove it; the Bucket Policy must be deleted by hand first.
  • If the Default VPC is kept, its dependent Route tables / Subnets / DHCP Option Sets cannot be deleted.
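Reviewing the dry-run output before adding --no-dry-run, and finding the leftovers from the known issues above after a real run, is easier with a small summary over the log. The functions below are an added example, not code from the post or the aws-nuke project; they assume the "<region> - <type> - <name> - <status>" line layout shown in the post's output, and the sample log is constructed (the first lines mirror the post, the "would remove" and "failed" lines are made up for illustration).

```shell
#!/bin/sh
# Added example (not from the post or the aws-nuke project): summarise an aws-nuke log.
# Assumes the "<region> - <type> - <name> - <status>" layout shown in the post.

# Only resource lines start with "<region> - "; the version banner does not.
# Count of lines in a given status, e.g. nuke_count 'would remove' run.log
nuke_count() {  # usage: nuke_count <status> <logfile>
  awk -F' - ' -v st="$1" '/^[a-z0-9-]+ - / && $NF == st { c++ } END { print c+0 }' "$2"
}

# "count status" pairs for every status seen, most frequent first.
nuke_summary() {  # usage: nuke_summary <logfile>
  awk -F' - ' '/^[a-z0-9-]+ - / { n[$NF]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Per-resource-type counts of what the dry run would remove: review this before --no-dry-run.
nuke_by_type() {  # usage: nuke_by_type <logfile>
  awk -F' - ' '/^[a-z0-9-]+ - / && $NF == "would remove" { t[$2]++ } END { for (k in t) print t[k], k }' "$1" | sort -rn
}

# Everything that is neither planned, removed nor filtered: the manual follow-up list
# (service roles, MFA users, buckets with policies, Default VPC dependencies, ...).
nuke_needs_attention() {  # usage: nuke_needs_attention <logfile>
  awk -F' - ' '/^[a-z0-9-]+ - / && $NF != "would remove" && $NF != "removed" && $NF != "filtered by config"' "$1"
}

# Constructed sample log (first lines mirror the post; "would remove"/"failed" lines are made up).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
aws-nuke version v2.6.0 - Fri Oct 26 11:03:58 UTC 2018 - f7c3d82bf8b2ac4d41ed5e8e96a9d6b9a247796e
global - IAMRole - AWSServiceRoleForRDS - cannot delete service roles
global - IAMRole - Role-Administrator - filtered by config
global - IAMRolePolicyAttachment - Role-Administrator -> AdministratorAccess - filtered by config
global - IAMUser - ci-deployer - would remove
us-west-1 - EC2VPC - vpc-0123456789abcdef0 - would remove
us-west-1 - S3Bucket - demo-bucket - would remove
us-west-2 - S3Bucket - demo-assets - would remove
us-west-1 - S3Bucket - demo-logs - failed
EOF

echo "== status summary"; nuke_summary "$LOG"
echo "== would remove, by type"; nuke_by_type "$LOG"
echo "== needs manual attention"; nuke_needs_attention "$LOG"
```

Capture the dry run with `aws-nuke -c config.yaml --profile demo-account | tee dry-run.log`, then `nuke_by_type dry-run.log` shows what is about to go; after the real run, `nuke_needs_attention run.log` lists exactly the resources you still have to clean up by hand.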


aws-nuke still has plenty of bugs, but comparatively speaking it's a usable tool, and not having to do it by hand feels great …