on GitHub.

First of all, some warnings:
– It’s VERY IMPORTANT to filter the AWS Role/User used to access the AWS Account. A standalone account can still be accessed using the root account, but accounts that are part of an AWS Organization may not have one, so you may be locked out. A filter is already in place in the sample configuration, but always check and understand it before deploying.

– aws-nuke can bypass Termination Protection. The sample configuration is designed to do this, so be sure to look for the “disable-deletion-protection” flag and edit it to suit your needs.

Now that you are aware of the major risks involved in this activity, the first step is to decide which accounts to target. In each of them, the `assumed-role.yaml` template must be deployed; since it is an AWS CloudFormation template, deployment through a StackSet is trivial.

Once this prerequisite is deployed, it is sufficient to edit the configuration files and deploy the CDK template inside an account of choice.
There are two configuration files:
– `bucket_content/beNuke-config.yaml`, containing the aws-nuke configuration.
– `parameters.ts`, containing the Account ID and Region where the solution is deployed and the names of the resources.

When everything is deployed, it is just a matter of running the CodeBuild project manually, by CLI, on a schedule using EventBridge, or in any other way… like with an AWS IoT Button!
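As an added example (not code from the post or from beSharp's repository), here is a pre-flight check over a parsed aws-nuke configuration that enforces the two warnings above before the CodeBuild job runs the tool: the role used to access the account must be kept by a filter, and the deletion-protection bypass must be an explicit choice. The config is handled as the dict that `yaml.safe_load` returns; the role name, account IDs and both sample configs are constructed placeholders.

```python
# Added example, not from the post or the beSharp project: a pre-flight check
# for an aws-nuke config, run before the CodeBuild job executes the tool.
# The config is the dict that yaml.safe_load() returns for the YAML file.

NUKE_ROLE = "beNuke-AssumedRole"   # hypothetical: the role assumed-role.yaml creates
PROTECTED = {"111111111111"}       # constructed: accounts that must never be nuked


def check_nuke_config(cfg, nuke_role=NUKE_ROLE, protected=PROTECTED):
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    blocklist = set(cfg.get("account-blocklist", []))
    if not blocklist:
        problems.append("account-blocklist is empty")
    missing = protected - blocklist
    if missing:
        problems.append(f"protected accounts missing from account-blocklist: {sorted(missing)}")
    for acct_id, acct in cfg.get("accounts", {}).items():
        if acct_id in protected:
            problems.append(f"{acct_id}: protected account listed as a target")
        filters = (acct or {}).get("filters", {})
        # The role aws-nuke runs under must survive the run: an Organization
        # member account may have no root login, so deleting it locks you out.
        for rtype in ("IAMRole", "IAMRolePolicy", "IAMRolePolicyAttachment"):
            if not any(nuke_role in str(f) for f in filters.get(rtype, [])):
                problems.append(f"{acct_id}: no {rtype} filter keeping {nuke_role}")
    # Termination-protection bypass must be a deliberate setting, not an omission.
    if "disable-deletion-protection" not in cfg.get("feature-flags", {}):
        problems.append("feature-flags.disable-deletion-protection is not set")
    return problems


# Constructed sample: role filter missing and the flag left implicit.
UNSAFE_CONFIG = {
    "regions": ["eu-west-1", "global"],
    "account-blocklist": ["111111111111"],
    "accounts": {"222222222222": {}},
}

# Constructed sample: the same target with the role kept and the flag explicit.
SAFE_CONFIG = {
    "regions": ["eu-west-1", "global"],
    "account-blocklist": ["111111111111"],
    "accounts": {"222222222222": {"filters": {
        "IAMRole": [NUKE_ROLE],
        "IAMRolePolicy": [{"type": "glob", "value": f"{NUKE_ROLE} -> *"}],
        "IAMRolePolicyAttachment": [{"type": "glob", "value": f"{NUKE_ROLE} -> *"}],
    }}},
    "feature-flags": {"disable-deletion-protection": {
        "RDSInstance": True, "EC2Instance": True, "CloudformationStack": True}},
}
```

Wire `check_nuke_config` into the CodeBuild buildspec so that a non-empty result aborts the job before aws-nuke is invoked with `--no-dry-run`.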
Bonus: AWS IoT Button as a trigger

Imagine the sense of power derived from nuking an AWS Account by pressing a button. It is possible to trigger the CodeBuild job using a Lambda Function triggered by an IoT Button. To deploy the Lambda it is sufficient to set “buttonEnabled = true” inside the template parameters. Unfortunately, a manual step in the AWS Console is required to link the IoT Button as a trigger for the Function.
More detailed instructions are available in the README.md file in the source code.
Further development

A cool addition to this solution would be a report of the nuked resources, including a list of target accounts, failed resources, and other information. That’s not an easy task though: the output of aws-nuke is not suited to being put directly into a report, as it is saturated with information, most of it not really useful to the end user. The output should be parsed for the relevant information, and a short summary could be sent to a specified email address using Amazon SNS.
In any case, the output of aws-nuke could definitely be improved; a lot of errors are logged to standard output. We are currently working on some improvements, which we will submit as pull requests to their repository.
Conclusions

Closing an AWS Account is not as easy as it sounds, but paying attention to a couple of recommendations from the documentation is not that difficult either.
Unfortunately, deleting all the resources is a different matter: proceeding manually, especially when the resources span multiple accounts, is prohibitive. But thanks to the right tool and a little CDK code, it can be done in a lot less time and becomes a fun, albeit very stressful, task.
We hope this DevLife-changing cheat will be helpful. Let us know in the comments!
See you again in 14 days with a new article on Proud2beCloud!
About Proud2beCloud

Proud2beCloud is a blog by beSharp, an Italian APN Premier Consulting Partner expert in designing, implementing, and managing complex Cloud infrastructures and advanced services on AWS. Before being writers, we are Cloud Experts working daily with AWS services since 2007. We are hungry readers, innovative builders, and gem-seekers. On Proud2beCloud, we regularly share our best AWS pro tips, configuration insights, in-depth news, tips&tricks, how-tos, and many other resources. Take part in the discussion!

Post title: Clean up multiple AWS accounts: automatic resources deletion (with IoT button) - Proud2beCloud Blog