Hitman is an AWS account content killer specialist.
People often need to wipe training, POC and learning AWS accounts. Hitman does the job for you at a defined frequency, which keeps costs contained and the accounts hardened.
Warning: pay extreme attention to the list of accounts to nuke, and do not forget to blacklist the accounts you never want to nuke.
Hitman is based on the great aws-nuke. It simply industrializes the deletion process with the following AWS resources:
- CloudWatch Rule to trigger the deletion execution
- Batch to ensure a pay-per-use strategy
- ECR to host the Docker image that embeds aws-nuke
- one Lambda to gather the accounts to nuke and submit the jobs. The Lambda needs one "mode" parameter:
  - list: collect a list of accounts stored in an S3 bucket
  - ou: all the accounts of a specified AWS Organizational Unit will be nuked
  - single: specify one single account to nuke
- S3 to store the configuration file
- CloudWatch Logs to log the global activity
- no user, no password, no key to manage. Only roles.
- no incoming connections. No SSH access needed to the compute environments.
Hitman needs:
- a VPC
- a private subnet with outgoing connectivity (for example a NAT Gateway)
- to deploy the cf-hitman-common.yml CloudFormation stack in the central account
- to build, tag and push the Docker image. Follow the instructions provided on the ECR repository page.
- depending on the chosen mode:
  - list: add the accounts to nuke to the accounts.list file and upload it to the S3 bucket
  - ou: configure the Organizational Unit in the CloudWatch rule
- to customize awsnuke-config-template.yaml:
  - add to the blacklist section the accounts you never want to nuke
  - add the resources you do not want to delete, and keep the role Hitman uses to delete resources; then upload the file to the created S3 bucket
- to deploy the cf-hitman-batch.yml CloudFormation stack in the central account
- in each spoke account (or once with a StackSet), to deploy cf-hitman-spoke-account.yml to spread the IAM role to assume. Do not forget a strong ExternalId, such as a UUID.
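As an added example (not Hitman's own Lambda code), here is a Python guard for the list mode: it reads the blacklist from the nuke config and refuses to submit a job for any blacklisted or malformed account, so a stray ID in accounts.list never reaches Batch. It assumes the config uses aws-nuke's `account-blacklist` key and that the Lambda is written in Python; both sample inputs are constructed.

```python
import re

# Constructed sample of awsnuke-config-template.yaml (assumes aws-nuke's account-blacklist key).
SAMPLE_NUKE_CONFIG = """\
regions:
- eu-west-1
account-blacklist:
- "111111111111"  # central (hub) account
- "222222222222"  # production, never nuke
accounts:
"""

# Constructed sample of accounts.list as uploaded to the S3 bucket.
SAMPLE_ACCOUNTS_LIST = "# training\n333333333333\n444444444444\n222222222222\n12345\n"

ACCOUNT_ID = re.compile(r"^\d{12}$")

def parse_blacklist(config_text):
    """Collect the IDs listed under the `account-blacklist:` key."""
    ids, in_block = set(), False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments
        if not line:
            continue
        if line.startswith("account-blacklist:"):
            in_block = True
        elif in_block and line.lstrip().startswith("- "):
            ids.add(line.lstrip()[2:].strip().strip("\"'"))
        else:
            in_block = False  # any other key ends the list
    return ids

def parse_accounts_list(text):
    """One account ID per line; blank lines and # comments are ignored."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def select_targets(candidates, blacklist):
    """Split candidates into (to_submit, refused); refused maps id -> reason.
    Blacklisted or malformed IDs never reach the Batch queue (fail closed)."""
    to_submit, refused = [], {}
    for acct in candidates:
        if not ACCOUNT_ID.match(acct):
            refused[acct] = "not a 12-digit account id"
        elif acct in blacklist:
            refused[acct] = "listed in account-blacklist"
        else:
            to_submit.append(acct)
    return to_submit, refused
```

Log the refused map to CloudWatch Logs from the Lambda so that a blocked account shows up in the same Logs Insights view as the nuke results.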
Once configured, Hitman works autonomously. Pending a future improvement, a global view of all nuke results is available with a simple CloudWatch Logs Insights query:

```
fields @message
| filter @message not like /Nuke on .*/
```