Nuking AWS Resources Safely with aws-nuke



This content originally appeared on DEV Community and was authored by Athreya aka Maneshwar


Managing cloud resources across multiple AWS services and regions can quickly get messy, especially during development or testing.

If you need to safely and completely wipe out specific AWS resources across all regions, aws-nuke is one of the most efficient tools available.

This post walks through how to:

  • Configure aws-nuke to remove selected resource types
  • Execute a nuke with region-wide coverage
  • Bypass alias checks when working with non-production accounts

Step 1: Prepare Your nuke-resources.yaml

This configuration instructs aws-nuke to scan all regions, target only the listed resource types, and bypass the account alias check, which is only appropriate in test/dev accounts.

regions:
  - all

blocklist:
  - "000000000000" # dummy account

no-account-alias: true
no-blocklist-terms-default: true

accounts:
  "042000000000":
    presets: []

resource-types:
  includes:
    - ECRRepository
    - RDSDBSecurityGroup
    - GlacierVault
    - AppRunnerAutoScalingConfiguration
    - KMSKey
    - CloudTrailChannel
    - EventBus
    - ElastiCacheUser
    - ECSCapacityProvider
    - EC2SecurityGroupRule
    - EC2DHCPOption
    - EC2KeyPair
    - MemoryDBParameterGroup
    - MemoryDBUser
    - MemoryDBACL

bypass-alias-check-accounts:
  - "042000000000"

Step 2: Review with explain-config

Before you delete anything, review the plan with:

aws-nuke explain-config -c nuke-resources.yaml --profile default

This lets you confirm exactly which resource types are in scope.

Step 3: Run the Nuke

Once you’re sure, run the actual nuke with:

aws-nuke nuke --config nuke-resources.yaml --no-dry-run --no-alias-check --log-level debug

You’ll be prompted with a final safety confirmation. Since alias checks are bypassed, you’ll need to enter the alias shown (e.g., no-alias-042000000000) to proceed.
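
A pre-flight check to run before Step 3, as an added example that is not part of the original post or of aws-nuke: it refuses to proceed unless the calling account ID is listed under accounts:, is absent from blocklist:, and resource-types.includes is non-empty. The function names and the script name preflight.sh are hypothetical, and the parsing assumes the flat YAML layout shown in Step 1.

```bash
#!/bin/sh
# Pre-flight guard to run before `aws-nuke nuke --no-dry-run` (added example).
# Assumes the flat YAML layout shown in Step 1; this is not a general YAML parser.

# Print the 12-digit account IDs found under one top-level key of the config.
section_ids() {  # usage: section_ids <top-level-key> <config-file>
  awk -v key="$1:" '
    /^[^ \t#]/ { insec = ($1 == key) }   # each top-level key opens or closes the section
    insec      { print }
  ' "$2" | sed 's/#.*//' | grep -oE '[0-9]{12}' || true
}

# Count the entries listed under resource-types -> includes.
include_count() {  # usage: include_count <config-file>
  awk '
    /^[^ \t#]/                 { insec = ($1 == "resource-types:"); inlist = 0; next }
    insec && /^  [a-z]/        { inlist = ($1 == "includes:"); next }
    insec && inlist && /^ *- / { n++ }
    END { print n + 0 }
  ' "$1"
}

# Return 0 only if the calling account is an explicit, non-blocklisted target
# and the config names the resource types it will touch.
preflight() {  # usage: preflight <config-file> <caller-account-id>
  cfg=$1; acct=$2
  printf '%s\n' "$acct" | grep -qE '^[0-9]{12}$' ||
    { echo "refusing: '$acct' is not a 12-digit account ID" >&2; return 1; }
  if section_ids blocklist "$cfg" | grep -qx "$acct"; then
    echo "refusing: $acct is on the blocklist" >&2; return 1
  fi
  if ! section_ids accounts "$cfg" | grep -qx "$acct"; then
    echo "refusing: $acct is not listed under accounts:" >&2; return 1
  fi
  if [ "$(include_count "$cfg")" -eq 0 ]; then
    echo "refusing: no resource-types.includes entries; this check requires an explicit scope" >&2; return 1
  fi
  if section_ids bypass-alias-check-accounts "$cfg" | grep -qx "$acct"; then
    echo "note: alias check is bypassed for $acct; the account ID is the only guard" >&2
  fi
  echo "ok: $acct, $(include_count "$cfg") resource type(s) in scope"
}

# Hypothetical usage: ./preflight.sh nuke-resources.yaml [aws-profile]
if [ $# -ge 1 ]; then
  acct=$(aws sts get-caller-identity --profile "${2:-default}" \
           --query Account --output text) || exit 1
  preflight "$1" "$acct"
fi
```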

Notes

  • Only specified resource types are included. Everything else is untouched.
  • The --no-alias-check flag is useful for automation or dev accounts that don’t have aliases set up.
  • Always dry-run first unless you’re absolutely sure.

Conclusion

aws-nuke provides powerful control over AWS environments, making cleanup painless. With scoped includes and account safeguards, you can surgically nuke only what’s necessary — and sleep easy knowing production is safe.
