How to minimize accidental cloud cost in your AWS account

27 Mar, 2020
Xebia Background Header Wave

Last month I began on a new assignment. While waiting to get access to the customer’s Cloud environment, I started the work in my own AWS playground account. I made good progress and after a few days I could switch over. As I forgot to destroy the infrastructure, I ended up with a $1700 bill. To avoid this from happening every again, I automatically destroy all resources in my AWS account every day at 23:00 UTC. The functionality I created is extremely powerful and extremely dangerous. With a single command, you can wipe out entire production environments. So the use of this utility is entirely at your own risk!!!

What is in the stack?

In the core, it runs the aws-nuke utility which destroys all of the resources in your AWS account. The utility is packaged in a CloudFormation stack with the following components: A CloudWatch event schedules the CodeBuild project to run aws-nuke. aws-nuke destroys all resources in your AWS account. The configuration is stored in a corresponding codecommit repository. I use a CodeBuild project because it is very easy to run a Docker container in it and because the destruction can take a long time. The aws-nuke.yaml configuration ensures that it does not delete itself.

How do you install it?

To install the automated destructor of AWS accounts, type:

$ git clone
$ cd aws-account-destroyer
$ bin/deploy ENABLED
WARNING: you are about to install the AWS nuke in account 123456789012/mvanholsteijn

it will destroy the content of entire 123456789012/mvanholsteijn every day at 23:00, continue yes/no? yes
Waiting for changeset to be created..
Waiting for stack create/update to complete

The nuke is now in place, but not yet armed.

How do you arm it?

You arm it by pushing the aws-nuke configuration to the codecommit repository. Normally when you use aws-nuke on the command line, there are some safeties to avoid accidental destruction of accounts. It will not delete accounts without an alias, it will show you what it will delete and then prompts you to confirm. In this deployment, the manual protection is out of the window. To keep your job, I recommend to add all AWS accounts you truly care about to the aws-nuke.yaml.template blacklist:

# add ALL account id's that you definitely want to keep
  - account-id-1
  - account-id-2
  - account-id-3
  - ...

The accounts on the blacklist will not be deleted, even if accidentally specified it in the configuration. You can also add your own filters for resources you want to keep around. Ensure that you test the configuration before committing it, using the dry-run option of aws-nuke. Now you arm the nuke, by pushing the code to the codecommit repository in your target account:

$ git add aws-nuke.yaml.template
$ git commit -m 'account blacklist and filters'
$ git remote add aws codecommit://$AWS_PROFILE@aws-account-destroyer
$ git push -u aws master

Now, every night aws-nuke will destroy every resource in your account across the globe.


The aws-nuke utility is extremely useful to keep the lid on accidental cloud cost. This deployment makes it even more easy to use. But beware: it can just as easily be used to destroy your production account. So use with extreme caution!

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts