AWSweeper
A tool for cleaning your AWS account
AWSweeper is able to clean out over 200 resource types in your AWS account. Resources to bedeleted can be filtered by their type, ID, tags, or creation dateusing regular expressionsdeclared in a YAML file (see filter.yml as an example).
To keep up supporting the continuously growing number of new resources, AWSweeper is standing upon the shoulders ofdelete routines provided by the Terraform AWS provider.List operations are borrowed from the awsls open-source project and arecode-generated based on the model of the AWS API.
Not being fully there yet, but the goal is to support every AWS resource that is covered by Terraform(currently over 500) without adding or maintaining much code here.
If you run into issues deleting resources, please open an issue or ping me on Twitter.
Happy erasing!
New: awsrm got released! It's a Unix-like rm to simplifydeleting AWS resources across multiple accounts + regions and integrates well with other Unix-like tools, suchas grep for filtering resources by tags or other attributes. Go and check it out!
Example
Features
- Nothing will be deleted without your confirmation. AWSweeper always lists all resources first and then waits foryour approval (also without the
--dry-runflag). With the--dry-runflag, AWSweeper lists all resources and exits. - Using the
-forceflag (dangerous!), AWSweeper can in run an automated fashion without human interaction and approval,for example, as part of a CI pipeline
Installation
Binary Releases
You can download a specific version of AWSweeper on the releases pageor install it the following way to ./bin/:
curl -sSfL https://raw.githubusercontent.com/jckuester/awsweeper/master/install.sh | sh -s v0.11.1
Homebrew
Homebrew users can install by:
brew install jckuester/tap/awsweeper
For more information on Homebrew taps please see the tap documentation.
Usage
awsweeper [options] <filter.yml>
To see options available run awsweeper --help.
Filter
Resources are deleted via a filter declared in a YAML file.
aws_instance:
# instance filter part 1
- id: ^foo.*
created:
before: 2018-10-14
after: 2018-06-28 12:28:39
# instance filter part 2
- tags:
foo: bar
NOT(owner): .*
aws_security_groups:
The filter snippet above deletes all EC2 instances that ID matches ^foo.* and that have been created between2018-06-28 12:28:39 and 2018-10-14 UTC (instance filter part 1); additionally, EC2 instances having a tagfoo: bar AND not a tag key owner with any value are deleted (instance filter part 2); last but not least,ALL security groups are deleted by this filter.
The general filter syntax is as follows:
<resource type>:
- id: <regex to filter by id> | NOT(<regex to filter by id>)
tagged: bool (optional)
tags:
<key> | NOT(key): <regex to filter value> | NOT(<regex to filter value>)
...
created:
before: <timestamp> (optional)
after: <timestamp> (optional)
# OR
- ...
<resource type>:
...
Here is a more detailed description of the various ways to filter resources:
1) Delete all resources of a particular type
Terraform resource type identifiers are used to deleteresources by type. The following filter snippet deletes ALL security groups, IAM roles, and EC2 instances:
aws_security_group:
aws_iam_role:
aws_instance:
Don't forget the : at the end of each line.
2) Delete by tags
If most of your resources have tags, this is probably the best way to filter themfor deletion. Be aware: Not all resources support tags yet and can be filtered this way.
The key and the value part of the tag filter can be negated by a surrounding NOT(...). This allows for removing ofall resources not matching some tag key or value. In the example below, all EC2 instances without the owner: metag are deleted:
aws_instance:
- tags:
NOT(Owner): me
The flag tagged: false deletes all resources that have no tags. Contrary, resources with any tags can be deletedwith tagged: true:
aws_instance:
- tagged: true
3) Delete By ID
You can filter resources of a particular type based on their IDs.
To see what the IDs for a type of resource look like (sometimes it's the name, sometimes the ARN, ...), run AWSweeperfirst in dry-run mode. Then, use this information to create the YAML filter accordingly.
The id filter can be negated by surrounding the regex with NOT(...)
4) By creation date
You can select resources by filtering on the date they have been created using an absolute or relative date.
The supported formats are:
- Relative
- Nanosecond:
1ns - Microsecond:
1us - Millisecond:
1ms - Second:
1s - Minute:
1m - Hour:
1h - Day:
1d - Week:
1w - Month:
1M - Year:
1y
- Nanosecond:
- Absolute:
- RCF3339Nano, short dates:
2006-1-2T15:4:5.999999999Z07:00 - RFC3339Nano, short date, lower-case "t":
2006-1-2t15:4:5.999999999Z07:00 - Space separated, no time zone:
2006-1-2 15:4:5.999999999 - Date only:
2006-1-2
- RCF3339Nano, short dates:
Supported resources
Resource types in the list below are Terraform Types, whichhave to be used in the YAML file to filter resources by their type.
| Service / Resource Type | Delete by tag | Delete by creation date |
|---|---|---|
| accessanalyzer | ||
| aws_accessanalyzer_analyzer | x | |
| acm | ||
| aws_acm_certificate | x | |
| apigateway | ||
| aws_api_gateway_api_key | x | |
| aws_api_gateway_client_certificate | x | |
| aws_api_gateway_domain_name | x | |
| aws_api_gateway_rest_api | x | |
| aws_api_gateway_usage_plan | x | |
| aws_api_gateway_vpc_link | x | |
| apigatewayv2 | ||
| aws_apigatewayv2_api | x | |
| aws_apigatewayv2_domain_name | x | |
| aws_apigatewayv2_vpc_link | x | |
| appmesh | ||
| aws_appmesh_mesh | x | |
| appsync | ||
| aws_appsync_graphql_api | x | |
| athena | ||
| aws_athena_named_query | ||
| aws_athena_workgroup | x | x |
| autoscaling | ||
| aws_autoscaling_group | x | x |
| aws_launch_configuration | x | |
| backup | ||
| aws_backup_plan | x | x |
| aws_backup_vault | x | x |
| batch | ||
| aws_batch_compute_environment | x | |
| aws_batch_job_definition | x | |
| aws_batch_job_queue | x | |
| cloudformation | ||
| aws_cloudformation_stack | x | x |
| aws_cloudformation_stack_set | x | |
| cloudhsmv2 | ||
| aws_cloudhsm_v2_cluster | x | |
| cloudtrail | ||
| aws_cloudtrail | x | |
| cloudwatch | ||
| aws_cloudwatch_dashboard | ||
| cloudwatchevents | ||
| aws_cloudwatch_event_bus | x | |
| cloudwatchlogs | ||
| aws_cloudwatch_log_destination | x | |
| aws_cloudwatch_log_group | x | x |
| aws_cloudwatch_log_resource_policy | ||
| codeartifact | ||
| aws_codeartifact_domain | x | x |
| aws_codeartifact_repository | x | |
| codebuild | ||
| aws_codebuild_project | x | |
| aws_codebuild_report_group | x | |
| aws_codebuild_source_credential | ||
| codecommit | ||
| aws_codecommit_repository | x | |
| codedeploy | ||
| aws_codedeploy_deployment_config | ||
| codepipeline | ||
| aws_codepipeline_webhook | x | |
| codestarnotifications | ||
| aws_codestarnotifications_notification_rule | x | |
| configservice | ||
| aws_config_config_rule | x | |
| aws_config_configuration_recorder | ||
| aws_config_delivery_channel | ||
| costandusagereportservice | ||
| aws_cur_report_definition | ||
| databasemigrationservice | ||
| aws_dms_certificate | ||
| aws_dms_endpoint | x | |
| aws_dms_replication_subnet_group | x | |
| aws_dms_replication_task | x | |
| datasync | ||
| aws_datasync_agent | x | |
| aws_datasync_task | x | |
| dax | ||
| aws_dax_parameter_group | ||
| aws_dax_subnet_group | ||
| devicefarm | ||
| aws_devicefarm_project | ||
| directconnect | ||
| aws_dx_connection | x | |
| aws_dx_hosted_private_virtual_interface | ||
| aws_dx_hosted_public_virtual_interface | ||
| aws_dx_hosted_transit_virtual_interface | ||
| aws_dx_lag | x | |
| aws_dx_private_virtual_interface | x | |
| aws_dx_public_virtual_interface | x | |
| aws_dx_transit_virtual_interface | x | |
| dlm | ||
| aws_dlm_lifecycle_policy | x | |
| dynamodb | ||
| aws_dynamodb_global_table | ||
| aws_dynamodb_table | x | |
| ec2 | ||
| aws_ami | x | x |
| aws_ebs_snapshot | x | x |
| aws_ebs_volume | x | x |
| aws_ec2_capacity_reservation | x | x |
| aws_ec2_client_vpn_endpoint | x | x |
| aws_ec2_fleet | x | x |
| aws_ec2_local_gateway_route_table_vpc_association | x | |
| aws_ec2_traffic_mirror_filter | x | |
| aws_ec2_traffic_mirror_session | x | |
| aws_ec2_traffic_mirror_target | x | |
| aws_ec2_transit_gateway | x | x |
| aws_ec2_transit_gateway_peering_attachment | x | x |
| aws_ec2_transit_gateway_route_table | x | x |
| aws_ec2_transit_gateway_vpc_attachment | x | x |
| aws_egress_only_internet_gateway | x | |
| aws_eip | x | |
| aws_instance | x | x |
| aws_internet_gateway | x | |
| aws_key_pair | x | |
| aws_launch_template | x | x |
| aws_nat_gateway | x | x |
| aws_network_acl | x | |
| aws_network_interface | x | |
| aws_placement_group | x | |
| aws_route_table | x | |
| aws_security_group | x | |
| aws_spot_fleet_request | x | x |
| aws_spot_instance_request | x | x |
| aws_subnet | x | |
| aws_vpc | x | |
| aws_vpc_endpoint | x | x |
| aws_vpc_endpoint_connection_notification | ||
| aws_vpc_endpoint_service | x | |
| aws_vpc_peering_connection | x | |
| aws_vpn_gateway | x | |
| ecr | ||
| aws_ecr_repository | x | |
| ecs | ||
| aws_ecs_cluster | x | |
| aws_ecs_task_definition | x | |
| efs | ||
| aws_efs_access_point | x | |
| aws_efs_file_system | x | x |
| eks | ||
| aws_eks_cluster | x | |
| elasticache | ||
| aws_elasticache_replication_group | x | |
| elasticbeanstalk | ||
| aws_elastic_beanstalk_application | x | |
| aws_elastic_beanstalk_application_version | x | |
| aws_elastic_beanstalk_environment | x | |
| elasticloadbalancing | ||
| aws_elb | x | x |
| elasticloadbalancingv2 | ||
| aws_alb_target_group | x | |
| aws_lb | x | x |
| aws_lb_target_group | x | |
| elastictranscoder | ||
| aws_elastictranscoder_pipeline | ||
| aws_elastictranscoder_preset | ||
| emr | ||
| aws_emr_security_configuration | ||
| firehose | ||
| aws_kinesis_firehose_delivery_stream | x | |
| fsx | ||
| aws_fsx_lustre_file_system | x | x |
| aws_fsx_windows_file_system | x | x |
| gamelift | ||
| aws_gamelift_alias | x | x |
| aws_gamelift_build | x | x |
| aws_gamelift_fleet | x | |
| aws_gamelift_game_session_queue | x | |
| globalaccelerator | ||
| aws_globalaccelerator_accelerator | x | x |
| glue | ||
| aws_glue_crawler | x | x |
| aws_glue_dev_endpoint | x | |
| aws_glue_job | x | |
| aws_glue_ml_transform | x | |
| aws_glue_security_configuration | ||
| aws_glue_trigger | x | |
| aws_glue_workflow | x | |
| guardduty | ||
| aws_guardduty_detector | x | |
| iam | ||
| aws_iam_access_key | x | |
| aws_iam_account_alias | ||
| aws_iam_group | x | |
| aws_iam_instance_profile | x | |
| aws_iam_policy | x | |
| aws_iam_role | x | x |
| aws_iam_server_certificate | ||
| aws_iam_service_linked_role | x | |
| aws_iam_user | x | x |
| imagebuilder | ||
| aws_imagebuilder_component | x | |
| aws_imagebuilder_distribution_configuration | x | |
| aws_imagebuilder_infrastructure_configuration | x | |
| iot | ||
| aws_iot_certificate | x | |
| aws_iot_policy | ||
| aws_iot_role_alias | ||
| aws_iot_thing | ||
| aws_iot_thing_type | ||
| aws_iot_topic_rule | x | |
| kafka | ||
| aws_msk_cluster | x | x |
| aws_msk_configuration | x | |
| kinesis | ||
| aws_kinesis_stream | x | |
| kinesisanalytics | ||
| aws_kinesis_analytics_application | x | |
| kinesisanalyticsv2 | ||
| aws_kinesisanalyticsv2_application | x | |
| kms | ||
| aws_kms_external_key | x | |
| aws_kms_key | x | |
| lambda | ||
| aws_lambda_event_source_mapping | ||
| aws_lambda_function | x | |
| lexmodelbuildingservice | ||
| aws_lex_bot | ||
| aws_lex_intent | ||
| aws_lex_slot_type | ||
| licensemanager | ||
| aws_licensemanager_license_configuration | x | |
| lightsail | ||
| aws_lightsail_domain | ||
| aws_lightsail_instance | x | |
| aws_lightsail_key_pair | ||
| aws_lightsail_static_ip | ||
| mediaconvert | ||
| aws_media_convert_queue | x | |
| mediapackage | ||
| aws_media_package_channel | x | |
| mediastore | ||
| aws_media_store_container | x | x |
| mq | ||
| aws_mq_broker | x | |
| aws_mq_configuration | x | |
| neptune | ||
| aws_neptune_event_subscription | x | |
| opsworks | ||
| aws_opsworks_stack | x | |
| aws_opsworks_user_profile | ||
| qldb | ||
| aws_qldb_ledger | x | |
| rds | ||
| aws_db_event_subscription | x | |
| aws_db_instance | x | x |
| aws_db_parameter_group | x | |
| aws_db_proxy | x | |
| aws_db_security_group | x | |
| aws_db_snapshot | x | x |
| aws_db_subnet_group | x | |
| aws_rds_cluster | x | |
| aws_rds_cluster_endpoint | x | |
| aws_rds_cluster_parameter_group | x | |
| aws_rds_global_cluster | ||
| redshift | ||
| aws_redshift_cluster | x | |
| aws_redshift_event_subscription | x | |
| aws_redshift_parameter_group | x | |
| aws_redshift_security_group | ||
| aws_redshift_snapshot_copy_grant | x | |
| aws_redshift_snapshot_schedule | x | |
| aws_redshift_subnet_group | x | |
| route53 | ||
| aws_route53_health_check | x | |
| aws_route53_zone | x | |
| route53resolver | ||
| aws_route53_resolver_endpoint | x | x |
| aws_route53_resolver_rule | x | |
| aws_route53_resolver_rule_association | ||
| s3 | ||
| aws_s3_bucket | x | x |
| sagemaker | ||
| aws_sagemaker_code_repository | x | |
| aws_sagemaker_endpoint | x | x |
| aws_sagemaker_model | x | x |
| secretsmanager | ||
| aws_secretsmanager_secret | x | |
| securityhub | ||
| aws_securityhub_action_target | ||
| servicecatalog | ||
| aws_servicecatalog_portfolio | x | x |
| servicediscovery | ||
| aws_service_discovery_service | x | x |
| ses | ||
| aws_ses_active_receipt_rule_set | ||
| aws_ses_configuration_set | ||
| aws_ses_domain_identity | ||
| aws_ses_email_identity | ||
| aws_ses_receipt_filter | ||
| aws_ses_receipt_rule_set | ||
| aws_ses_template | ||
| sfn | ||
| aws_sfn_activity | x | x |
| aws_sfn_state_machine | x | x |
| simpledb | ||
| aws_simpledb_domain | ||
| sns | ||
| aws_sns_platform_application | ||
| aws_sns_topic | x | |
| aws_sns_topic_subscription | ||
| sqs | ||
| aws_sqs_queue | x | |
| ssm | ||
| aws_ssm_activation | x | |
| aws_ssm_association | ||
| aws_ssm_document | x | |
| aws_ssm_maintenance_window | x | |
| aws_ssm_parameter | x | |
| aws_ssm_patch_baseline | x | |
| aws_ssm_patch_group | ||
| aws_ssm_resource_data_sync | ||
| storagegateway | ||
| aws_storagegateway_gateway | x | |
| transfer | ||
| aws_transfer_server | x | |
| waf | ||
| aws_waf_byte_match_set | ||
| aws_waf_geo_match_set | ||
| aws_waf_ipset | ||
| aws_waf_rate_based_rule | x | |
| aws_waf_regex_match_set | ||
| aws_waf_regex_pattern_set | ||
| aws_waf_rule | x | |
| aws_waf_rule_group | x | |
| aws_waf_size_constraint_set | ||
| aws_waf_sql_injection_match_set | ||
| aws_waf_web_acl | x | |
| aws_waf_xss_match_set | ||
| wafregional | ||
| aws_wafregional_byte_match_set | ||
| aws_wafregional_geo_match_set | ||
| aws_wafregional_ipset | ||
| aws_wafregional_rate_based_rule | x | |
| aws_wafregional_regex_match_set | ||
| aws_wafregional_regex_pattern_set | ||
| aws_wafregional_rule | x | |
| aws_wafregional_rule_group | x | |
| aws_wafregional_size_constraint_set | ||
| aws_wafregional_sql_injection_match_set | ||
| aws_wafregional_web_acl | x | |
| aws_wafregional_xss_match_set | ||
| wafv2 | ||
| aws_wafv2_web_acl_logging_configuration | ||
| worklink | ||
| aws_worklink_fleet | x | |
| workspaces | ||
| aws_workspaces_directory | x | |
| aws_workspaces_ip_group | x | |
| aws_workspaces_workspace | x | |
| xray | ||
| aws_xray_group | x |
Acceptance tests
IMPORTANT: Acceptance tests create real resources that might cost you money. Also, note that if you contribute aPR, the Travis build will always fail since AWS credentials are notinjected into the PR build coming from forks for security reasons. You can either run tests locally against yourpersonal AWS account or ask me to run them for you instead.
Run all acceptance tests with
AWS_PROFILE=<myaccount> AWS_DEFAULT_REGION=us-west-2 make test-all
or to test the working of AWSweeper for a just single resource, such as aws_vpc, use
AWS_PROFILE=<myaccount> AWS_DEFAULT_REGION=us-west-2 make test-all TESTARGS='-run=TestAcc_Vpc*'
Disclaimer
You are using this tool at your own risk! I will not take responsibility if you delete any critical resources in yourproduction environments.