vault/enos/ci/aws-nuke.yml
Vault Automation 4caa48d453
[VAULT-46052] ci: add weekend schedule for IAM resource cleanup
Add separate Saturday morning sweeps (3 AM & 5 AM ET) for IAM resources
that lack age metadata or tag support. Conditionally exclude `IAMUserPolicy`,
`IAMRolePolicy`, and policy attachments from weekday sweeps to prevent
interference with active CI runs.

Additional changes:
- Add explicit `America/New_York` timezone to workflow schedules
- Update nightly tests to run at 9 AM ET (was 1 PM UTC)
- Grant `iam:TagInstanceProfile` permission to the CI service user so it can tag instance
  profiles, which the date-based nuke filters rely on.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-19 17:58:00 -04:00


# Copyright IBM Corp. 2016, 2025
# SPDX-License-Identifier: BUSL-1.1
# Regions the sweep runs in. The single REGION placeholder is substituted in CI,
# so one invocation covers exactly one region.
regions:
  # REGION replaced in CI
  - REGION
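# A blocklist must exist for the tool to run so we set it to a non-existent
# account. Account IDs are digit strings, so the value is quoted: left plain, a
# generic YAML loader would read it as an integer rather than a string.
blocklist:
  - "1234567890"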
# Per-account configuration. The ACCOUNT_NUM placeholder is substituted in CI.
accounts:
  # replaced in CI
  ACCOUNT_NUM:
    # Names refer to entries of the top-level `presets` mapping below; every
    # listed preset's filters apply to this account.
    presets:
      - default
      - olderthan
      - honeybee
      - enos
      - wiz
    # Per-resource-type settings; presumably these let the tool clear stop /
    # deletion protection before removing a resource — confirm against the
    # tool's settings docs.
    settings:
      EC2Instance:
        DisableStopProtection: true
        DisableDeletionProtection: true
      # NOTE(review): RDSInstance is also listed under resource-types.excludes,
      # so this setting only takes effect if that exclusion is lifted.
      RDSInstance:
        DisableDeletionProtection: true
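# Named filter sets, selected per account via `accounts.<id>.presets`.
# A resource that matches a filter is kept; everything else of a type that is
# not excluded under `resource-types` is removed.
presets:
  default:
    # Ignores default VPC resources
    filters:
      # NOTE: These values are strings not bools so they must stay quoted
      EC2VPC:
        - property: IsDefault
          value: "true"
      EC2RouteTable:
        - property: DefaultVPC
          value: "true"
      EC2DHCPOption:
        - property: DefaultVPC
          value: "true"
      EC2InternetGateway:
        - property: DefaultVPC
          value: "true"
      EC2Subnet:
        - property: DefaultVPC
          value: "true"
      EC2InternetGatewayAttachment:
        - property: DefaultVPC
          value: "true"
  olderthan:
    # Filters resources by age (when available)
    # TIME_LIMIT replaced in CI
    # Each entry is a dateOlderThanNow filter with `invert: true`; presumably
    # this keeps resources younger than TIME_LIMIT and leaves only older ones
    # eligible for removal — verify against the tool's filter docs before
    # changing the sign or the invert flag.
    filters:
      EC2Instance:
        - type: dateOlderThanNow
          property: LaunchTime
          value: -TIME_LIMIT
          invert: true
      ELBv2:
        - type: dateOlderThanNow
          property: CreatedTime
          value: -TIME_LIMIT
          invert: true
      IAMUser:
        - type: dateOlderThanNow
          property: CreateDate
          value: -TIME_LIMIT
          invert: true
      IAMInstanceProfile:
        - type: dateOlderThanNow
          # Instance profiles don't record a create time
          # The enos/modules/target_ec2_instances module will set this tag for us
          property: tag:CreateTime
          value: -TIME_LIMIT
          invert: true
      IAMInstanceProfileRole:
        - type: dateOlderThanNow
          property: role:CreateDate
          value: -TIME_LIMIT
          invert: true
      IAMRole:
        - type: dateOlderThanNow
          property: CreateDate
          value: -TIME_LIMIT
          invert: true
      IAMRolePolicyAttachment:
        - type: dateOlderThanNow
          property: RoleCreateDate
          value: -TIME_LIMIT
          invert: true
      IAMUserAccessKey:
        - type: dateOlderThanNow
          property: CreateDate
          value: -TIME_LIMIT
          invert: true
      # NOTE(review): RDSInstance is listed under resource-types.excludes, so
      # this filter is never consulted unless that exclusion is lifted.
      RDSInstance:
        - type: dateOlderThanNow
          property: InstanceCreateTime
          value: -TIME_LIMIT
          invert: true
  honeybee:
    # Cloudsec
    # Keeps the honeybee-managed role, its inline policies and its attachments.
    filters:
      IAMRole:
        - property: tag:hc-config-as-code
          value: "honeybee"
        - property: Name
          type: glob
          value: "vault-assumed-role-credentials-demo"
      IAMRolePolicy:
        - property: tag:role:hc-config-as-code
          value: "honeybee"
        - property: role:RoleName
          type: glob
          value: "vault-assumed-role-credentials-demo"
      IAMRolePolicyAttachment:
        - property: tag:role:hc-config-as-code
          value: "honeybee"
        - property: Name
          type: glob
          value: "vault-assumed-role-credentials-demo"
  enos:
    # Existing CI to be cleaned up later
    # Plain-string entries (no property/type) are presumably exact matches on
    # the resource's default string form — confirm against the tool's docs.
    filters:
      # NOTE(review): LambdaFunction is listed under resource-types.excludes,
      # so this filter is never consulted unless that exclusion is lifted.
      LambdaFunction:
        - property: Name
          value: "enos_cleanup"
      IAMRole:
        - property: Name
          type: glob
          value: "github_actions-*"
        - property: Name
          value: "rds-monitoring-role"
      IAMRolePolicy:
        - property: role:RoleName
          type: glob
          value: "github_actions*"
        - property: role:RoleName
          type: glob
          value: "rds-*"
      IAMRolePolicyAttachment:
        - "rds-monitoring-role -> AmazonRDSEnhancedMonitoringRole"
      # No property given, so the glob presumably runs against the user's
      # default string form (its name). Quoted to match the other globs here.
      IAMUser:
        - type: glob
          value: "github_actions-vault_*"
      IAMUserAccessKey:
        - property: UserName
          type: glob
          value: "github_actions-vault_*"
      IAMUserPolicy:
        - "github_actions-vault_ci -> AssumeServiceUserRole"
        - "github_actions-vault_enterprise_ci -> AssumeServiceUserRole"
  wiz:
    # `__global__` applies to every resource type.
    filters:
      __global__:
        - property: tag:wiz
          value: "auto-gen-cmk"
      # NOTE(review): EC2Snapshot is listed under resource-types.excludes, so
      # this filter is never consulted unless that exclusion is lifted.
      EC2Snapshot:
        - property: Description
          type: glob
          value: '*Wiz*'
      KMSAlias:
        - property: Name
          type: glob
          value: "alias/wizKey"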
# Resource types the sweep never touches. Anything not listed here is in scope,
# subject to the preset filters above.
resource-types:
  # Run against everything, excluding these:
  excludes:
    # Avoid cloudsec things
    - IAMPolicy
    - S3Object
    - S3Bucket
    - EC2KeyPair
    - CloudWatchEventsTarget
    - CloudWatchEventsRule
    - CloudWatchLogsLogGroup
    - ConfigServiceConfigurationRecorder
    - ConfigServiceConfigRule
    - ConfigServiceDeliveryChannel
    - CloudTrailTrail
    - RDSSnapshot
    - RDSClusterSnapshot
    - WAFWebACL
    - WAFv2WebACL
    - WAFRegionalWebACL
    - GuardDutyDetector
    # Unused services, filtering these speeds up runs and
    # removes errors about things we don't have enabled
    - AccessAnalyzer
    - AccessAnalyzerArchiveRule
    - ACMCertificate
    - ACMPCACertificateAuthority
    - ACMPCACertificateAuthorityState
    - AMGWorkspace
    - AmplifyApp
    - AMPScraper
    - AMPWorkspace
    - APIGatewayAPIKey
    - APIGatewayClientCertificate
    - APIGatewayDomainName
    - APIGatewayRestAPI
    - APIGatewayUsagePlan
    - APIGatewayV2API
    - APIGatewayV2VpcLink
    - APIGatewayVpcLink
    - AWS::AppFlow::ConnectorProfile
    - AWS::AppFlow::Flow
    - AWS::AppRunner::Service
    - AWS::ApplicationInsights::Application
    - AWS::Backup::Framework
    - AWS::ECR::PullThroughCacheRule
    - AWS::ECR::RegistryPolicy
    - AWS::ECR::ReplicationConfiguration
    - AWS::MWAA::Environment
    - AWS::NetworkFirewall::Firewall
    - AWS::NetworkFirewall::FirewallPolicy
    - AWS::NetworkFirewall::RuleGroup
    - AWS::Synthetics::Canary
    - AWS::Timestream::Database
    - AWS::Timestream::ScheduledQuery
    - AWS::Timestream::Table
    - AWS::Transfer::Workflow
    - AppConfigApplication
    - AppConfigConfigurationProfile
    - AppConfigDeploymentStrategy
    - AppConfigEnvironment
    - AppConfigHostedConfigurationVersion
    - ApplicationAutoScalingScalableTarget
    - AppMeshGatewayRoute
    - AppMeshMesh
    - AppMeshRoute
    - AppMeshVirtualGateway
    - AppMeshVirtualNode
    - AppMeshVirtualRouter
    - AppMeshVirtualService
    - AppRegistryApplication
    - AppRunnerConnection
    - AppRunnerService
    - AppStreamDirectoryConfig
    - AppStreamFleet
    - AppStreamFleetState
    - AppStreamImage
    - AppStreamImageBuilder
    - AppStreamImageBuilderWaiter
    - AppStreamStack
    - AppStreamStackFleetAttachment
    - AppSyncAPI
    - AppSyncAPIAssociation
    - AppSyncDomainName
    - AppSyncGraphqlAPI
    - ArchiveRule
    - AthenaDataCatalog
    - AthenaNamedQuery
    - AthenaPreparedStatement
    - AthenaWorkGroup
    - AutoScalingGroup
    - AutoScalingLaunchConfiguration
    - AutoScalingLifecycleHook
    - AutoScalingPlansScalingPlan
    - AWSBackupPlan
    - AWSBackupRecoveryPoint
    - AWSBackupSelection
    - AWSBackupVault
    - AWSBackupVaultAccessPolicy
    - BackupReportPlan
    - BackupVault
    - BatchComputeEnvironment
    - BatchComputeEnvironmentState
    - BatchJobQueue
    - BatchJobQueueState
    - BedrockAgent
    - BedrockAgentAlias
    - BedrockAgentCoreAgentRuntime
    - BedrockAgentCoreAPIKeyCredentialProvider
    - BedrockAgentCoreBrowser
    - BedrockAgentCoreCodeInterpreter
    - BedrockAgentCoreGateway
    - BedrockAgentCoreGatewayTarget
    - BedrockAgentCoreMemory
    - BedrockAgentCoreOauth2CredentialProvider
    - BedrockAgentCoreWorkloadIdentity
    - BedrockCustomModel
    - BedrockDataSource
    - BedrockEvaluationJob
    - BedrockFlowAlias
    - BedrockGuardrail
    - BedrockKnowledgeBase
    - BedrockModelCustomizationJob
    - BedrockModelInvocationLoggingConfiguration
    - BedrockPrompt
    - BedrockProvisionedModelThroughput
    - BillingCostandUsageReport
    - Budget
    - BudgetsBudget
    - Cloud9Environment
    - CloudDirectoryDirectory
    - CloudDirectorySchema
    - CloudFormationStack
    - CloudFormationStackSet
    - CloudFormationType
    - CloudFrontCachePolicy
    - CloudFrontDistribution
    - CloudFrontDistributionDeployment
    - CloudFrontFunction
    - CloudFrontKeyGroup
    - CloudFrontOriginAccessControl
    - CloudFrontOriginAccessIdentity
    - CloudFrontOriginRequestPolicy
    - CloudFrontPublicKey
    - CloudFrontResponseHeadersPolicy
    - CloudHSMV2Cluster
    - CloudHSMV2ClusterHSM
    - CloudSearchDomain
    - CloudWatchAlarm
    - CloudWatchAnomalyDetector
    - CloudWatchDashboard
    - CloudWatchEventsBuses
    - CloudWatchInsightRule
    - CloudWatchLogsDestination
    - CloudWatchLogsResourcePolicy
    - CloudWatchRUMApp
    - CodeArtifactDomain
    - CodeArtifactRepository
    - CodeBuildBuild
    - CodeBuildBuildBatch
    - CodeBuildProject
    - CodeBuildReport
    - CodeBuildReportGroup
    - CodeBuildSourceCredential
    - CodeCommitRepository
    - CodeDeployApplication
    - CodeDeployDeploymentConfig
    - CodeDeployDeploymentGroup
    - CodeGuruProfilingGroup
    - CodeGuruReviewerRepositoryAssociation
    - CodePipelineCustomActionType
    - CodePipelinePipeline
    - CodePipelineWebhook
    - CodeStarConnection
    - CodeStarNotification
    - CodeStarNotificationRule
    - CodeStarProject
    - CognitoIdentityPool
    - CognitoIdentityProvider
    - CognitoUserPool
    - CognitoUserPoolClient
    - CognitoUserPoolDomain
    - ComprehendDocumentClassifier
    - ComprehendDominantLanguageDetectionJob
    - ComprehendEndpoint
    - ComprehendEntitiesDetectionJob
    - ComprehendEntityRecognizer
    - ComprehendEventsDetectionJob
    - ComprehendKeyPhrasesDetectionJob
    - ComprehendPiiEntitiesDetectionJob
    - ComprehendSentimentDetectionJob
    - ComprehendTargetedSentimentDetectionJob
    # NOTE(review): the three ConfigService entries below repeat the cloudsec
    # block at the top of this list; harmless, but one copy should go.
    - ConfigServiceConfigRule
    - ConfigServiceConfigurationRecorder
    - ConfigServiceConformancePack
    - ConfigServiceDeliveryChannel
    - DatabaseMigrationServiceCertificate
    - DatabaseMigrationServiceEndpoint
    - DatabaseMigrationServiceEventSubscription
    - DatabaseMigrationServiceReplicationInstance
    - DatabaseMigrationServiceReplicationTask
    - DatabaseMigrationServiceSubnetGroup
    - DataPipelinePipeline
    - DAXCluster
    - DAXParameterGroup
    - DAXSubnetGroup
    - DeviceFarmProject
    - DirectoryServiceDirectory
    - DocDBCluster
    - DocDBElasticCluster
    - DocDBEventSubscription
    - DocDBInstance
    - DocDBParameterGroup
    - DocDBSnapshot
    - DocDBSubnetGroup
    - DSQLCluster
    - DynamoDBBackup
    - DynamoDBTable
    - DynamoDBTableItem
    - EC2Address
    - EC2ClientVpnEndpoint
    - EC2ClientVpnEndpointAttachment
    - EC2CustomerGateway
    - EC2DefaultSecurityGroupRule
    # NOTE(review): EC2DHCPOption is also filtered in the `default` preset;
    # that filter is never consulted while the type is excluded here.
    - EC2DHCPOption
    - EC2Host
    - EC2Image
    - EC2InstanceConnectEndpoint
    - EC2PlacementGroup
    # NOTE(review): EC2Snapshot is also filtered in the `wiz` preset; that
    # filter is never consulted while the type is excluded here.
    - EC2Snapshot
    - EC2TGW
    - EC2TGWAttachment
    - EC2TGWConnectPeer
    - EC2VerifiedAccessEndpoint
    - EC2VerifiedAccessGroup
    - EC2VerifiedAccessInstance
    - EC2VerifiedAccessTrustProvider
    - EC2VPCEndpoint
    - EC2VPCEndpointConnection
    - EC2VPCEndpointServiceConfiguration
    - EC2VPCPeeringConnection
    - EC2VPNConnection
    - ECRPublicRepository
    - ECRRepository
    - ECSCapacityProvider
    - ECSCluster
    - ECSClusterInstance
    - ECSService
    - ECSTask
    - ECSTaskDefinition
    - EFSFileSystem
    - EFSMountTarget
    - EKSCluster
    - EKSFargateProfile
    - EKSNodegroup
    - ElasticacheCacheCluster
    - ElasticacheCacheParameterGroup
    - ElasticacheReplicationGroup
    - ElasticacheSubnetGroup
    - ElasticacheUser
    - ElasticacheUserGroup
    - ElasticBeanstalkApplication
    - ElasticBeanstalkEnvironment
    - ElasticTranscoderPipeline
    - ElasticTranscoderPreset
    - EMRCluster
    - EMRSecurityConfiguration
    - ESDomain
    - FirehoseDeliveryStream
    - FMSNotificationChannel
    - FMSPolicy
    - FSxBackup
    - FSxFileSystem
    - GameLiftBuild
    - GameLiftFleet
    - GameLiftMatchmakingConfiguration
    - GameLiftMatchmakingRuleSet
    - GameLiftQueue
    - GlobalAccelerator
    - GlobalAcceleratorEndpointGroup
    - GlobalAcceleratorListener
    - GlueBlueprint
    - GlueClassifier
    - GlueConnection
    - GlueCrawler
    - GlueDatabase
    - GlueDataBrewDatasets
    - GlueDataBrewJobs
    - GlueDataBrewProjects
    - GlueDataBrewRecipe
    - GlueDataBrewRulesets
    - GlueDataBrewSchedules
    - GlueDevEndpoint
    - GlueJob
    - GlueMLTransform
    - GlueSecurityConfiguration
    - GlueSession
    - GlueTrigger
    - GlueWorkflow
    - IAMAccountSettingPasswordPolicy
    - IAMGroup
    - IAMGroupPolicy
    - IAMGroupPolicyAttachment
    - IAMOpenIDConnectProvider
    - IAMRolesAnywhereCRL
    - IAMRolesAnywhereProfile
    - IAMRolesAnywhereTrustAnchor
    - IAMSAMLProvider
    - IAMServerCertificate
    - IAMServiceSpecificCredential
    - IAMSigningCertificate
    - ImageBuilderComponent
    - ImageBuilderDistributionConfiguration
    - ImageBuilderImage
    - ImageBuilderInfrastructureConfiguration
    - ImageBuilderPipeline
    - ImageBuilderRecipe
    - Inspector2
    - InspectorAssessmentRun
    - InspectorAssessmentTarget
    - InspectorAssessmentTemplate
    - IoTAuthorizer
    - IoTCACertificate
    - IoTCertificate
    - IoTJob
    - IoTOTAUpdate
    - IoTPolicy
    - IoTRoleAlias
    - IoTSiteWiseAccessPolicy
    - IoTSiteWiseAsset
    - IoTSiteWiseAssetModel
    - IoTSiteWiseDashboard
    - IoTSiteWiseGateway
    - IoTSiteWisePortal
    - IoTSiteWiseProject
    - IoTStream
    - IoTThing
    - IoTThingGroup
    - IoTThingType
    - IoTThingTypeState
    - IoTTopicRule
    - IoTTwinMakerComponentType
    - IoTTwinMakerEntity
    - IoTTwinMakerScene
    - IoTTwinMakerSyncJob
    - IoTTwinMakerWorkspace
    - KendraIndex
    - KinesisAnalyticsApplication
    - KinesisStream
    - KinesisVideoProject
    - LakeFormationLocation
    - LakeFormationPermission
    - LakeFormationTag
    - LambdaEventSourceMapping
    # NOTE(review): LambdaFunction is also filtered in the `enos` preset
    # (enos_cleanup); that filter is never consulted while the type is
    # excluded here.
    - LambdaFunction
    - LambdaLayer
    - LexBot
    - LexIntent
    - LexModelBuildingServiceBotAlias
    - LexSlotType
    - LifecycleHook
    - LightsailDisk
    - LightsailDomain
    - LightsailInstance
    - LightsailKeyPair
    - LightsailLoadBalancer
    - LightsailStaticIP
    - MachineLearningBranchPrediction
    - MachineLearningDataSource
    - MachineLearningEvaluation
    - MachineLearningMLModel
    - Macie
    - ManagedBlockchainMember
    - MediaConvertJobTemplate
    - MediaConvertPreset
    - MediaConvertQueue
    - MediaLiveChannel
    - MediaLiveInput
    - MediaLiveInputSecurityGroup
    - MediaPackageChannel
    - MediaPackageOriginEndpoint
    - MediaStoreContainer
    - MediaStoreDataItems
    - MediaTailorConfiguration
    - MemoryDBACL
    - MemoryDBCluster
    - MemoryDBParameterGroup
    - MemoryDBSubnetGroup
    - MemoryDBUser
    - MGNApplication
    - MGNJob
    - MGNLaunchConfigurationTemplate
    - MGNReplicationConfigurationTemplate
    - MGNSourceServer
    - MGNWave
    - MobileProject
    - MQBroker
    - MSKCluster
    - MSKConfiguration
    - NeptuneCluster
    - NeptuneGraph
    - NeptuneInstance
    - NeptuneSnapshot
    # NOTE(review): "Netpune" next to "Neptune" looks like a typo but is
    # presumably a legacy-spelled resource name kept for compatibility —
    # verify against the tool's resource list before removing it.
    - NetpuneSnapshot
    - NetworkFirewall
    - NetworkFirewallLoggingConfiguration
    - NetworkFirewallPolicy
    - NetworkFirewallRuleGroup
    - NetworkManagerConnectPeer
    - NetworkManagerCoreNetwork
    - NetworkManagerGlobalNetwork
    - NetworkManagerNetworkAttachment
    - OpsWorksApp
    - OpsWorksCMBackup
    - OpsWorksCMServer
    - OpsWorksCMServerState
    - OpsWorksInstance
    - OpsWorksLayer
    - OpsWorksUserProfile
    - OSCollection
    - OSDomain
    - OSPackage
    - OSPipeline
    - OSVPCEndpoint
    - PinpointApp
    - PinpointPhoneNumber
    - PipesPipe
    - PollyLexicon
    - QLDBLedger
    - QuickSightSubscription
    - QuickSightUser
    - RAMResourceShare
    - RedshiftCluster
    - RedshiftParameterGroup
    - RedshiftScheduledAction
    - RedshiftServerlessNamespace
    - RedshiftServerlessSnapshot
    - RedshiftServerlessWorkgroup
    - RedshiftSnapshot
    - RedshiftSnapshotSchedule
    - RedshiftSubnetGroup
    - RekognitionCollection
    - RekognitionDataset
    - RekognitionProject
    - ResourceExplorer2Index
    - ResourceExplorer2View
    - ResourceGroupGroup
    - RoboMakerDeploymentJob
    - RoboMakerFleet
    - RoboMakerRobot
    - RoboMakerRobotApplication
    - RoboMakerSimulationApplication
    - RoboMakerSimulationJob
    - Route53HealthCheck
    - Route53HostedZone
    - Route53Profile
    - Route53ProfileAssociation
    - Route53ResolverEndpoint
    - Route53ResolverFirewallDomainList
    - Route53ResolverFirewallRuleGroup
    - Route53ResolverQueryLogConfig
    - Route53ResolverRule
    - Route53ResourceRecordSet
    - Route53TrafficPolicy
    - RDSDBCluster
    - RDSDBClusterParameterGroup
    - RDSDBParameterGroup
    - RDSDBSubnetGroup
    - RDSEventSubscription
    # NOTE(review): RDSInstance also has a `settings` entry and an `olderthan`
    # age filter above; neither takes effect while the type is excluded here.
    # If the exclusion is intentional, those entries are dead config.
    - RDSInstance
    - RDSOptionGroup
    - RDSProxy
    - S3AccessGrantsGrant
    - S3AccessGrantsInstance
    - S3AccessGrantsLocation
    - S3AccessPoint
    - S3MultipartUpload
    - SageMakerApp
    - SageMakerDomain
    - SageMakerEndpoint
    - SageMakerEndpointConfig
    - SageMakerModel
    - SageMakerNotebookInstance
    - SageMakerNotebookInstanceLifecycleConfig
    - SageMakerNotebookInstanceState
    - SageMakerSpace
    - SageMakerUserProfiles
    - SchedulerSchedule
    - SecretsManagerSecret
    - SecurityHub
    - ServiceCatalogConstraintPortfolioAttachment
    - ServiceCatalogPortfolio
    - ServiceCatalogPortfolioProductAttachment
    - ServiceCatalogPortfolioShareAttachment
    - ServiceCatalogPrincipalPortfolioAttachment
    - ServiceCatalogProduct
    - ServiceCatalogProvisionedProduct
    - ServiceCatalogTagOption
    - ServiceCatalogTagOptionPortfolioAttachment
    - ServiceDiscoveryInstance
    - ServiceDiscoveryNamespace
    - ServiceDiscoveryService
    - SESConfigurationSet
    - SESIdentity
    - SESReceiptFilter
    - SESReceiptRuleSet
    - SESTemplate
    - SFNStateMachine
    - ShieldProtection
    - ShieldProtectionGroup
    - SignerSigningJob
    - SimpleDBDomain
    - SNSEndpoint
    - SNSPlatformApplication
    - SNSSubscription
    - SNSTopic
    - SQSQueue
    - SSMActivation
    - SSMAssociation
    - SSMDocument
    - SSMMaintenanceWindow
    - SSMParameter
    - SSMPatchBaseline
    - SSMQuickSetupConfigurationManager
    - SSMResourceDataSync
    - StorageGatewayFileShare
    - StorageGatewayGateway
    - StorageGatewayTape
    - StorageGatewayVolume
    - TextractAdapter
    - TextractAdapterVersion
    - TranscribeCallAnalyticsCategory
    - TranscribeCallAnalyticsJob
    - TranscribeLanguageModel
    - TranscribeMedicalTranscriptionJob
    - TranscribeMedicalVocabulary
    - TranscribeTranscriptionJob
    - TranscribeVocabulary
    - TranscribeVocabularyFilter
    - TransferServer
    - TransferServerUser
    - TransferWebApp
    - WAFRegionalByteMatchSet
    - WAFRegionalByteMatchSetIP
    - WAFRegionalIPSet
    - WAFRegionalIPSetIP
    - WAFRegionalRateBasedRule
    - WAFRegionalRateBasedRulePredicate
    - WAFRegionalRegexMatchSet
    - WAFRegionalRegexMatchTuple
    - WAFRegionalRegexPatternSet
    - WAFRegionalRegexPatternString
    - WAFRegionalRule
    - WAFRegionalRuleGroup
    - WAFRegionalRulePredicate
    # NOTE(review): WAFRegionalWebACL, WAFv2WebACL and WAFWebACL below repeat
    # the cloudsec block at the top of this list; harmless, but one copy
    # should go.
    - WAFRegionalWebACL
    - WAFRegionalWebACLRuleAttachment
    - WAFRule
    - WAFv2APIKey
    - WAFv2IPSet
    - WAFv2RegexPatternSet
    - WAFv2RuleGroup
    - WAFv2WebACL
    - WAFWebACL
    - WAFWebACLRuleAttachment
    - WorkLinkFleet
    - WorkSpacesWorkspace
    - XRayGroup
    - XRaySamplingRule