!!! warning
    We strongly advise you not to run this application on any AWS account where you cannot afford to lose all resources.

To reduce the blast radius of accidents, there are some safety precautions:

- By default, aws-nuke only lists all nuke-able resources. You need to add `--no-dry-run` to actually delete resources.
- aws-nuke asks you twice to confirm the deletion by entering the account alias. The first time is directly after the start and the second time after listing all nuke-able resources.

    !!! note "ProTip"
        This can be disabled by adding `--no-prompt` to the command line.

- To avoid displaying only an account ID, which humans can easily overlook, it is required to actually set an Account Alias for your account. Otherwise, aws-nuke will abort.

    !!! note "ProTip"
        This can be disabled by adding `--no-alias-check` to the command line and modifying the config accordingly.

- The account alias must not contain the string `prod`. This string is hardcoded, and it is recommended to add it to the alias of every actual production account (e.g. `mycompany-production-ecr`).

    !!! note "ProTip"
        This can be disabled by adding `--no-alias-check` to the command line and modifying the config accordingly.

- The config file contains a blocklist field. If the Account ID of the account you want to nuke is part of this blocklist, aws-nuke will abort. It is recommended that you add every production account to this blocklist.
- To ensure you don't just ignore the blocklisting feature, the blocklist must contain at least one Account ID.
- The config file contains account-specific settings (e.g. filters). The account you want to nuke must be explicitly listed there.
- To ensure you do not accidentally delete a random account, it is required to specify a config file. It is recommended to have only a single config file and add it to a central repository. This way the blocklist is easier to manage and keep up to date.
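
The gates above form a single pre-flight sequence; the following Go function is an added example (not aws-nuke's own code) that applies them in the same order and stops at the first violation. The `Config` and `Target` types and their field names are assumptions for illustration, not the tool's actual config keys.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config holds the parts of an aws-nuke style config the safety gates consult
// (field names are illustrative, not the tool's actual YAML keys).
type Config struct {
	Blocklist []string            // account IDs that must never be nuked
	Accounts  map[string]struct{} // accounts explicitly allowed (settings omitted)
}

// Target is the account the supplied credentials resolve to.
type Target struct {
	ID    string
	Alias string // empty when no account alias is set
}

// PreflightCheck applies the gates in order; nil means the listing step may run.
func PreflightCheck(cfg Config, t Target) error {
	if len(cfg.Blocklist) == 0 {
		return errors.New("blocklist is empty: add at least one account ID")
	}
	for _, id := range cfg.Blocklist {
		if id == t.ID {
			return fmt.Errorf("account %s is blocklisted", t.ID)
		}
	}
	if _, ok := cfg.Accounts[t.ID]; !ok {
		return fmt.Errorf("account %s is not listed in the config", t.ID)
	}
	if t.Alias == "" {
		return errors.New("account has no alias: set one so the target is human-readable")
	}
	if strings.Contains(t.Alias, "prod") { // hardcoded, case-sensitive substring check
		return fmt.Errorf("alias %q contains the string \"prod\"", t.Alias)
	}
	return nil
}

func main() {
	// Constructed sample: one blocklisted production account, one allowed sandbox.
	cfg := Config{Blocklist: []string{"999999999999"}, Accounts: map[string]struct{}{"000000000000": {}}}
	fmt.Println(PreflightCheck(cfg, Target{ID: "000000000000", Alias: "mycompany-sandbox"}))
	fmt.Println(PreflightCheck(cfg, Target{ID: "000000000000", Alias: "mycompany-production-ecr"}))
}
```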
Feel free to create an issue if you have any ideas to improve the safety procedures.