github gruntwork-io/cloud-nuke v0.1.8
Add the defaults-aws command

This release adds a new subcommand: cloud-nuke defaults-aws.

Background

New AWS accounts have a Default VPC in each region. If you create a resource (e.g. an EC2 instance) without specifying a VPC ID and subnet, it will be created within the default VPC by default. For production accounts, indeed for any account which is used for purposes other than simple sandbox tests, the default VPC can be considered a risk as it may accumulate unused/undesired resources over time.

Additional, all VPCs, not just default VPCs, include a default security group. The default security group has an ingress rule that allows all traffic within the same group, and an egress rule that permits all outbound traffic (e.g. all ports, all protocols, to destination 0.0.0.0/0). This is an antipattern for obvious reasons. Removing this rule is a requirement for compliance with some security standards, such as the CIS AWS Foundations Benchmark.

Usage

The defaults-aws subcommand removes these defaults. Example output:

./ cloud-nuke defaults-aws --force 
INFO[2019-08-14T07:52:26-07:00] Identifying enabled regions
INFO[2019-08-14T07:52:27-07:00] Found enabled region eu-north-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region ap-south-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region eu-west-3
INFO[2019-08-14T07:52:27-07:00] Found enabled region eu-west-2
INFO[2019-08-14T07:52:27-07:00] Found enabled region eu-west-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region ap-northeast-2
INFO[2019-08-14T07:52:27-07:00] Found enabled region ap-northeast-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region sa-east-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region ca-central-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region ap-southeast-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region ap-southeast-2
INFO[2019-08-14T07:52:27-07:00] Found enabled region eu-central-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region us-east-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region us-east-2
INFO[2019-08-14T07:52:27-07:00] Found enabled region us-west-1
INFO[2019-08-14T07:52:27-07:00] Found enabled region us-west-2
INFO[2019-08-14T07:52:27-07:00] Discovering default VPCs
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-09f5580fdcbb2f45c eu-north-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-02a9144962943118c ap-south-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-0b8fa626656a2d406 eu-west-3
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-09dc63dd3e9ef59b5 eu-west-2
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-08748b3914dbe20f3 eu-west-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-07e471a2781ce611e ap-northeast-2
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-0d756684f04e8b539 ap-northeast-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-0d6a8e45677eb1adb sa-east-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-0b41d4bc601d51418 ca-central-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-026a2ea431bde67aa ap-southeast-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-08bd2b462fcdb511c ap-southeast-2
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-090846f0c0d7886c7 eu-central-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-033904a71040f7305 us-east-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-0da379ffd7cb43d90 us-east-2
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-001199441593c91bd us-west-1
INFO[2019-08-14T07:52:37-07:00] * Default VPC vpc-0c2dd0d4dbf70d539 us-west-2
INFO[2019-08-14T07:52:37-07:00] Nuking VPC vpc-09f5580fdcbb2f45c in region eu-north-1
INFO[2019-08-14T07:52:38-07:00] ...detaching Internet Gateway igw-01faf4477ddc2aaa1
INFO[2019-08-14T07:52:38-07:00] ...deleting Internet Gateway igw-01faf4477ddc2aaa1
INFO[2019-08-14T07:52:38-07:00] ...deleting subnet subnet-0c57018894f22cd3b
INFO[2019-08-14T07:52:39-07:00] ...deleting subnet subnet-03f333046f700fdc1
INFO[2019-08-14T07:52:39-07:00] ...deleting subnet subnet-0c6b2a41d26840a04
INFO[2019-08-14T07:52:40-07:00] ...deleting Security Group sg-08f25d8ce6b83c2ba
INFO[2019-08-14T07:52:40-07:00] ...deleting VPC vpc-09f5580fdcbb2f45c
INFO[2019-08-14T07:52:40-07:00] Nuking VPC vpc-02a9144962943118c in region ap-south-1
INFO[2019-08-14T07:52:41-07:00] ...detaching Internet Gateway igw-06381f015a43a06f0
INFO[2019-08-14T07:52:41-07:00] ...deleting Internet Gateway igw-06381f015a43a06f0
INFO[2019-08-14T07:52:42-07:00] ...deleting subnet subnet-024ee83d56944842f
INFO[2019-08-14T07:52:42-07:00] ...deleting subnet subnet-07616d8c3e6edf7cb
INFO[2019-08-14T07:52:43-07:00] ...deleting subnet subnet-0549721d4262b3c5e
INFO[2019-08-14T07:52:44-07:00] ...deleting Security Group sg-09f2a83c6e69ec27a
INFO[2019-08-14T07:52:44-07:00] ...deleting VPC vpc-02a9144962943118c
INFO[2019-08-14T07:52:44-07:00] Nuking VPC vpc-0b8fa626656a2d406 in region eu-west-3
INFO[2019-08-14T07:52:45-07:00] ...detaching Internet Gateway igw-078c47bce8bf47af8
INFO[2019-08-14T07:52:45-07:00] ...deleting Internet Gateway igw-078c47bce8bf47af8
[snip]
INFO[2019-08-14T07:53:22-07:00] Finished nuking default VPCs in all regions
INFO[2019-08-14T07:53:22-07:00] Discovering default security groups
INFO[2019-08-14T07:53:25-07:00] * Default rules for SG sg-00d959b8d5d11f48b default eu-west-3
INFO[2019-08-14T07:53:25-07:00] * Default rules for SG sg-070fc543465a33a83 default eu-west-1
INFO[2019-08-14T07:53:25-07:00] * Default rules for SG sg-03947dbd85c595888 default ca-central-1
INFO[2019-08-14T07:53:25-07:00] ...revoking default rules from Security Group sg-00d959b8d5d11f48b
INFO[2019-08-14T07:53:26-07:00] Egress rule not present (ok)
INFO[2019-08-14T07:53:26-07:00] Ingress rule not present (ok)
INFO[2019-08-14T07:53:26-07:00] ...revoking default rules from Security Group sg-070fc543465a33a83
INFO[2019-08-14T07:53:27-07:00] Egress rule not present (ok)
INFO[2019-08-14T07:53:28-07:00] Ingress rule not present (ok)
INFO[2019-08-14T07:53:28-07:00] ...revoking default rules from Security Group sg-03947dbd85c595888
INFO[2019-08-14T07:53:28-07:00] Egress rule not present (ok)
INFO[2019-08-14T07:53:28-07:00] Ingress rule not present (ok)
INFO[2019-08-14T07:53:28-07:00] Finished nuking default Security Groups in all regions

The only supported flag is --force to allow for non-interactive use.

latest releases: v0.5.0, v0.4.0, v0.3.0...
2 years ago