Scripts · Apr 16, 2026 · 3 min read

Cloud Nuke — Wipe AWS Resources with a Single Command

A CLI tool from Gruntwork for cleaning up AWS accounts by deleting all resources across regions. Cloud Nuke is essential for tearing down sandbox environments, reducing cloud costs, and preventing resource sprawl.

Introduction

Cloud Nuke solves a painful problem in cloud operations: cleaning up forgotten or orphaned AWS resources that silently accumulate costs. It scans all regions, identifies every deletable resource, and removes them in dependency-safe order — making sandbox teardown, account cleanup, and cost control effortless.

What Cloud Nuke Does

  • Scans all AWS regions for deletable resources including EC2, S3, RDS, Lambda, and 80+ types
  • Deletes resources in dependency-aware order, so deletions neither fail on nor leave behind orphaned dependencies
  • Filters by age (--older-than), region, resource type, and custom exclusion rules
  • Provides dry-run inspection mode to review what would be deleted before acting
  • Supports configuration files for persistent exclusion rules protecting production resources

Architecture Overview

Cloud Nuke uses the AWS SDK to enumerate resources across all enabled regions in parallel. For each resource type, a dedicated handler knows how to list, filter, and delete instances of that type while respecting its dependencies. Resources are grouped and deleted in topological order — for example, EC2 instances before VPCs, objects before S3 buckets. The config file system allows permanent exclusion patterns.

Self-Hosting & Configuration

  • Install via Homebrew, Go install, or download pre-built binaries from GitHub releases
  • Configure AWS credentials via environment variables, profiles, or IAM roles
  • Create a .cloud-nuke.yml config file to exclude specific resources, tags, or account regions
  • Schedule periodic cleanup in CI/CD for sandbox accounts using cron-triggered pipelines
  • Use --log-level debug for detailed output when troubleshooting deletion failures

Key Features

  • Covers 80+ AWS resource types across all commercial regions
  • Age-based filtering prevents accidental deletion of recently created resources
  • Config-file exclusions protect production resources with name patterns, tags, and IDs
  • Parallel region scanning completes full-account inspection in minutes
  • Open source with MIT license and active maintenance by Gruntwork

Comparison with Similar Tools

  • AWS Nuke (rebuy-de/aws-nuke) — similar scope but config-driven only; Cloud Nuke offers simpler CLI-first UX
  • AWS Organizations SCP — preventive controls; Cloud Nuke is reactive cleanup of existing resources
  • Terraform destroy — destroys only Terraform-managed resources; Cloud Nuke catches everything including manual creations
  • AWS Resource Explorer — discovery only; Cloud Nuke discovers and deletes
  • Steampipe — query cloud resources with SQL; Cloud Nuke adds automated deletion actions

FAQ

Q: Will Cloud Nuke delete my production account? A: Only if you point it at your production account. Always use config-file exclusions and --older-than filters. Never run on production without safeguards.

Q: Does it support Azure or GCP? A: Currently AWS only. For multi-cloud cleanup, consider separate tools per provider.

Q: How does it handle dependencies? A: Cloud Nuke deletes resources in dependency order. For example, it removes EC2 instances and ENIs before attempting to delete VPCs and subnets.

Q: Can I exclude specific resources? A: Yes. The .cloud-nuke.yml config file supports exclusion by resource name regex, tags, region, and resource type.
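Putting the FAQ's safeguards together (a sandbox-only account check, a dry run before any deletion, config-file exclusions, and an --older-than floor), as an added wrapper script that is not part of Cloud Nuke or this post. The account IDs and config values are constructed, and the config keys follow the include/exclude and names_regex layout described in the Cloud Nuke README, which should be verified against the installed version.

```shell
#!/bin/sh
# Added example (not Gruntwork's code): guardrails around a sandbox cleanup run.
# Assumptions: cloud-nuke and the aws CLI are on PATH; account IDs below are
# constructed placeholders; config keys should be checked against the README.
SANDBOX_ACCOUNTS="111111111111 222222222222"   # constructed allowlist
MIN_AGE="24h"                                   # skip anything younger than this

# Succeed only if the caller's account ID is on the sandbox allowlist.
account_is_allowed() {
  for id in $SANDBOX_ACCOUNTS; do
    [ "$1" = "$id" ] && return 0
  done
  return 1
}

# Print the cloud-nuke command for a config file and a mode (dry-run|delete).
build_nuke_cmd() {
  cmd="cloud-nuke aws --config $1 --older-than $MIN_AGE"
  case "$2" in
    dry-run) printf '%s --dry-run\n' "$cmd" ;;
    delete)  printf '%s --force --log-level debug\n' "$cmd" ;;
    *)       return 1 ;;
  esac
}

# Write an exclusion config that protects production-named or tagged resources.
write_config() {
  cat > "$1" <<'EOF'
# constructed example config; verify key names for your cloud-nuke version
s3:
  exclude:
    names_regex:
      - "prod"
      - "-backup$"
ec2:
  exclude:
    tag: "cloud-nuke-excluded"
EOF
}

# Usage: sh nuke-sandbox.sh dry-run   (review)  |  sh nuke-sandbox.sh delete
main() {
  acct=$(aws sts get-caller-identity --query Account --output text) || exit 1
  account_is_allowed "$acct" || { echo "refusing: $acct is not a sandbox" >&2; exit 1; }
  cfg=$(mktemp) && write_config "$cfg"
  $(build_nuke_cmd "$cfg" dry-run)                 # always inspect first
  [ "$1" = "delete" ] && $(build_nuke_cmd "$cfg" delete)
  rm -f "$cfg"
}
case "${1:-}" in dry-run|delete) main "$1" ;; esac
```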
