Cleans up AWS resources based on configurable rules. This project is a WIP.
The rules below are used to mark resources for cleanup; the table that follows shows which rules each supported resource type supports.
- required-tags - marks a resource for cleanup if it is missing the specified tags
- approved-types - marks a resource for cleanup if it was provisioned with an instance/resource type that is not on the approved list
- idle-rules - marks a resource for cleanup if the configured CloudWatch metrics show it is idle
- max-run-time - marks a resource for cleanup if it has been running for longer than the approved amount of time
- manage-stopped - if enabled, marks a resource for cleanup if it has been stopped for longer than the specified duration
In addition to the rules above, some resource types have their own additional rules, which are defined below.
resource type | required-tags | approved-types | idle-rules | max-run-time | manage-stopped | additional-rules |
---|---|---|---|---|---|---|
ec2-instance | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | - |
ec2-address | ✔️ | ❌ | ❌ | ❌ | ❌ | rules |
ec2-eni | ✔️ | ❌ | ❌ | ❌ | ❌ | rules |
ec2-sg | ✔️ | ❌ | ❌ | ❌ | ❌ | rules |
ec2-vpc | ✔️ | ❌ | ❌ | ❌ | ❌ | - |
asg | ✔️ | ❌ | ❌ | ❌ | ❌ | rules |
ebs-volume | ✔️ | ✔️ | ❌ | ❌ | ❌ | rules |
ebs-snapshot | ✔️ | ❌ | ❌ | ✔️ | ❌ | - |
ecs-cluster | ✔️ | ✔️ | ✔️ | ❌ | ❌ | - |
eks-cluster | ✔️ | ✔️ | ✔️ | ❌ | ❌ | - |
elb-alb | ✔️ | ❌ | ✔️ | ❌ | ❌ | - |
elb-nlb | ✔️ | ❌ | ✔️ | ❌ | ❌ | - |
emr-cluster | ❗ | ✔️ | ✔️ | ✔️ | ❌ | - |
es-domain | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | - |
glue-endpoint | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | - |
rds-cluster | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | - |
rds-instance | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | - |
s3-bucket | ✔️ | ❌ | ❌ | ❌ | ❌ | rules |
sagemaker-notebook | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | - |
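The rules in the table are easiest to understand as a filter over an inventory. The following is an added example, not nuker's own code: a small rule evaluator in Rust (the project's language) that applies required-tags, approved-types, max-run-time and manage-stopped to constructed sample resources, honours a whitelist, and separates "what would be removed" from "what is removed" the way a dry run does. The `Resource` and `Rules` structs, their field names, and the sample inventory are this example's own assumptions and do not reflect the sample.toml schema; idle-rules is omitted because it depends on CloudWatch metrics not available offline.

```rust
use std::collections::HashMap;

/// Simplified view of one resource as the rules see it.
/// This struct and its field names are this example's own, not nuker's data model.
#[derive(Debug, Clone)]
struct Resource {
    id: String,
    tags: HashMap<String, String>,
    instance_type: String,
    state: String,      // "running" or "stopped"
    running_hours: u64, // hours since launch (only meaningful when running)
    stopped_hours: u64, // hours since the resource was stopped (0 when running)
}

/// Hypothetical rule set; the names mirror the README's rule names, not sample.toml keys.
#[derive(Debug, Default)]
struct Rules {
    required_tags: Vec<String>,
    approved_types: Vec<String>,
    max_run_time_hours: Option<u64>,
    manage_stopped_hours: Option<u64>,
    whitelist: Vec<String>, // resource ids that are never cleaned up
}

/// Every reason a resource would be marked for cleanup; an empty Vec means "keep".
fn violations(r: &Resource, rules: &Rules) -> Vec<String> {
    let mut out = Vec::new();
    // A whitelisted resource is kept regardless of the other rules.
    if rules.whitelist.iter().any(|w| w == &r.id) {
        return out;
    }
    let missing: Vec<&str> = rules
        .required_tags
        .iter()
        .filter(|t| !r.tags.contains_key(t.as_str()))
        .map(|t| t.as_str())
        .collect();
    if !missing.is_empty() {
        out.push(format!("required-tags: missing {}", missing.join(",")));
    }
    if !rules.approved_types.is_empty() && !rules.approved_types.contains(&r.instance_type) {
        out.push(format!("approved-types: {} is not approved", r.instance_type));
    }
    if let Some(max) = rules.max_run_time_hours {
        if r.state == "running" && r.running_hours > max {
            out.push(format!("max-run-time: running for {}h, limit {}h", r.running_hours, max));
        }
    }
    if let Some(max) = rules.manage_stopped_hours {
        if r.state == "stopped" && r.stopped_hours > max {
            out.push(format!("manage-stopped: stopped for {}h, limit {}h", r.stopped_hours, max));
        }
    }
    out
}

/// One planned action per marked resource: (id, reasons, whether it would actually be deleted).
/// With dry_run = true nothing is deleted; the plan is only reported.
fn plan(resources: &[Resource], rules: &Rules, dry_run: bool) -> Vec<(String, String, bool)> {
    resources
        .iter()
        .filter_map(|r| {
            let v = violations(r, rules);
            if v.is_empty() { None } else { Some((r.id.clone(), v.join("; "), !dry_run)) }
        })
        .collect()
}

fn tags(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Constructed sample inventory (not real resources).
fn sample_resources() -> Vec<Resource> {
    let res = |id: &str, t: HashMap<String, String>, ty: &str, state: &str, run: u64, stop: u64| {
        Resource { id: id.into(), tags: t, instance_type: ty.into(), state: state.into(), running_hours: run, stopped_hours: stop }
    };
    vec![
        res("i-ok", tags(&[("Owner", "alice"), ("Team", "sec")]), "t3.micro", "running", 2, 0),
        res("i-notag", tags(&[("Owner", "bob")]), "t3.micro", "running", 1, 0),
        res("i-bigbox", tags(&[("Owner", "bob"), ("Team", "ml")]), "p3.16xlarge", "running", 100, 0),
        res("i-stopped", tags(&[("Owner", "eve"), ("Team", "dev")]), "t3.micro", "stopped", 0, 200),
        res("i-whitelisted", tags(&[]), "m5.24xlarge", "running", 500, 0),
    ]
}

fn sample_rules() -> Rules {
    Rules {
        required_tags: vec!["Owner".into(), "Team".into()],
        approved_types: vec!["t3.micro".into(), "m5.large".into()],
        max_run_time_hours: Some(72),
        manage_stopped_hours: Some(168),
        whitelist: vec!["i-whitelisted".into()],
    }
}

fn main() {
    for (id, why, deleted) in plan(&sample_resources(), &sample_rules(), true) {
        println!("{} {}: {}", if deleted { "DELETE " } else { "DRY-RUN" }, id, why);
    }
}
```

Note that `i-bigbox` collects two reasons (an unapproved type and an exceeded run time) and `i-whitelisted` collects none despite breaking every rule: the whitelist is checked first, which is the behaviour you want from any tool whose default action is deletion.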
- ec2-address
  - Unassociated - removes an Elastic IP (EIP) that is not associated with any resource
- ec2-eni
  - Unassociated - removes an ENI that is not attached to any resource
- ec2-sg
  - Unsecured - removes a Security Group, together with the resources that are using it, if rules open to the world (0.0.0.0/0 or ::/0) are associated with it
- asg
  - Unassociated - removes an Auto Scaling Group that has no instances associated, or no ELB(s) associated with it
- ebs-volume
  - Unassociated - removes a Volume that is not attached to any instance
- s3-bucket
  - Bucket Naming Prefix - ensures the bucket naming convention is followed
  - Publicly Accessible - ensures the bucket is not publicly accessible
  - DNS Compliant Naming - ensures the bucket name is DNS compliant
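The Unsecured rule for ec2-sg is worth being precise about, because it deletes the group and everything using it. The following is an added example, not nuker's own code: a Rust check that parses each ingress CIDR with the standard library and flags a rule as open to the world when its prefix length is 0. It goes slightly beyond the README's two literals: any /0 (for example "203.0.113.0/0") is treated the same, since a zero-length prefix matches every address whatever the host bits are. The `IngressRule` and `SecurityGroup` structs, their field names, and the sample groups are this example's own assumptions, not nuker's or the EC2 API's types. Malformed CIDRs are reported rather than treated as safe or unsafe.

```rust
use std::net::IpAddr;

/// One ingress permission of a security group. The shape and field names are
/// this example's own, not nuker's or the EC2 API's.
#[derive(Debug, Clone)]
struct IngressRule {
    protocol: String, // "tcp", "udp", "icmp" or "-1" for all, as the EC2 API spells them
    from_port: i32,
    to_port: i32,
    cidr: String, // IPv4 or IPv6 CIDR such as "10.0.0.0/8" or "::/0"
}

#[derive(Debug, Clone)]
struct SecurityGroup {
    id: String,
    ingress: Vec<IngressRule>,
}

/// Some(true) when the CIDR covers the whole address space (0.0.0.0/0, ::/0 or any
/// other /0), Some(false) for any narrower prefix, None when the string is not a
/// valid CIDR so the caller can decide what to do with it.
fn is_open_to_world(cidr: &str) -> Option<bool> {
    let (addr, prefix) = cidr.split_once('/')?;
    let addr: IpAddr = addr.parse().ok()?;
    let prefix: u8 = prefix.parse().ok()?;
    let max_prefix = match addr {
        IpAddr::V4(_) => 32,
        IpAddr::V6(_) => 128,
    };
    if prefix > max_prefix {
        return None;
    }
    Some(prefix == 0)
}

/// Human-readable descriptions of the open-to-world rules in one group.
/// Err carries the first malformed CIDR so a bad record is never silently skipped.
fn open_rules(sg: &SecurityGroup) -> Result<Vec<String>, String> {
    let mut open = Vec::new();
    for rule in &sg.ingress {
        match is_open_to_world(&rule.cidr) {
            Some(true) => open.push(format!(
                "{} {}-{} from {}",
                rule.protocol, rule.from_port, rule.to_port, rule.cidr
            )),
            Some(false) => {}
            None => return Err(format!("{}: unparsable CIDR {:?}", sg.id, rule.cidr)),
        }
    }
    Ok(open)
}

/// Ids of the groups the Unsecured rule would mark, plus the groups it could not evaluate.
fn unsecured_groups(groups: &[SecurityGroup]) -> (Vec<String>, Vec<String>) {
    let mut marked = Vec::new();
    let mut errors = Vec::new();
    for sg in groups {
        match open_rules(sg) {
            Ok(open) if !open.is_empty() => marked.push(sg.id.clone()),
            Ok(_) => {}
            Err(e) => errors.push(e),
        }
    }
    (marked, errors)
}

fn rule(protocol: &str, from: i32, to: i32, cidr: &str) -> IngressRule {
    IngressRule { protocol: protocol.into(), from_port: from, to_port: to, cidr: cidr.into() }
}

/// Constructed sample groups (not real AWS data).
fn sample_groups() -> Vec<SecurityGroup> {
    vec![
        SecurityGroup { id: "sg-web".into(), ingress: vec![rule("tcp", 443, 443, "0.0.0.0/0"), rule("tcp", 443, 443, "::/0")] },
        SecurityGroup { id: "sg-internal".into(), ingress: vec![rule("tcp", 22, 22, "10.0.0.0/8"), rule("-1", -1, -1, "fd00::/8")] },
        SecurityGroup { id: "sg-odd".into(), ingress: vec![rule("tcp", 22, 22, "203.0.113.0/0")] },
        SecurityGroup { id: "sg-bad".into(), ingress: vec![rule("tcp", 80, 80, "not-a-cidr")] },
    ]
}

fn main() {
    let (marked, errors) = unsecured_groups(&sample_groups());
    println!("would remove: {:?}", marked);
    for e in errors {
        println!("skipped: {}", e);
    }
}
```

The check is deliberately port-agnostic, matching the rule as the README describes it: `sg-web`, which only exposes 443, is marked just like `sg-odd`, which exposes SSH. A group that is meant to be public (a public load balancer's HTTPS listener, for instance) therefore has to be whitelisted in the config, otherwise the rule will remove it together with the resources using it.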
nuker requires a configuration file to operate. A sample configuration is provided for reference at examples/config/sample.toml.
Make a copy of the sample configuration and edit it as needed, following the comments in the sample configuration file:
```sh
cp examples/config/sample.toml config.toml
```
Every resource type supports whitelisting individual resources in the config file; whitelisted resources are never cleaned up. Refer to the sample configuration file for examples.
nuker can be built using the following command:
```sh
cargo build --release
```
Once built, run it using the following command (pass --region once per region to scan; -vvv increases the log verbosity):
```sh
./target/release/nuker --config examples/configs/sample.toml \
    --profile default \
    --region us-east-1 \
    --region us-east-2 \
    -vvv
```
nuker runs in dry-run mode unless --no-dry-run is passed, so this command only reports what would be cleaned up. Review that output before adding --no-dry-run.
To get help:
```sh
./target/release/nuker -h
```
To target or exclude specific resource types, use the --target or --exclude flags. For example:
```sh
nuker --config examples/configs/sample.toml \
    --profile default \
    --region us-east-1 \
    --exclude s3 \
    --exclude es
```
To view the list of supported resource types, run:
```sh
nuker resource-types
```
nuker can also be built and run using Docker:
```sh
docker build -t nuker .
```
Sample run commands (they use the published ashrithr/nuker:latest image; substitute the locally built tag nuker if you prefer):
- Run nuker with an AWS Access Key and Secret Access Key passed as environment variables. Note that values passed with -e are visible to anyone who can run docker inspect on the container, so prefer the credentials-directory mount below, or short-lived credentials, where possible.
```sh
docker run --rm -it \
    -v "$PWD/examples/configs/sample.toml":/home/nuker/config.toml \
    -e AWS_ACCESS_KEY_ID=REPLACE_WITH_ACCESS_KEY \
    -e AWS_SECRET_ACCESS_KEY=REPLACE_WITH_SECRET_KEY \
    ashrithr/nuker:latest \
    --config /home/nuker/config.toml
```
- Run nuker by mounting the AWS credentials directory into the container:
```sh
docker run --rm -it \
    -v "$PWD/examples/configs/sample.toml":/home/nuker/config.toml \
    -v "$HOME/.aws":/home/nuker/.aws \
    ashrithr/nuker:latest \
    --profile default \
    --config /home/nuker/config.toml
```
NOTE: Both commands run in dry-run mode. Add the --no-dry-run flag to actually clean up the resources.