diff --git a/cmd/codebuild/reset/default-nuke-config-template.yml b/cmd/codebuild/reset/default-nuke-config-template.yml index 572ba1a4..7a8aa843 100755 --- a/cmd/codebuild/reset/default-nuke-config-template.yml +++ b/cmd/codebuild/reset/default-nuke-config-template.yml @@ -5,31 +5,320 @@ regions: # This significantly reduces the run time of nuke. {{range .Regions}} - "{{.}}" {{end}} -account-blacklist: + +account-blocklist: - "{{ .ParentAccountID}}" # Arbitrary production account id resource-types: excludes: - S3Object # Let the S3Bucket delete all Objects instead of individual objects (optimization) + - GuardDutyDetector # as it is part of the GuardDuty integration + - SecurityHub # same as GuardDuty accounts: "{{ .ID}}": # Child Account + presets: + - "sso" + - "controltower" + - "lza" filters: IAMPolicy: + # DCE resources - type: "contains" value: "{{ .PrincipalPolicy}}" IAMRole: + # DCE resources - "{{ .AdminRole}}" - "{{ .PrincipalRole}}" + # AWS Organizations resources + - type: "contains" + value: "OrganizationAccountAccessRole" IAMRolePolicy: + # DCE resources - type: "contains" value: "{{ .AdminRole}}" - type: "contains" value: "{{ .PrincipalRole}}" - type: "contains" value: "{{ .PrincipalPolicy}}" + - property: RoleName + value: "OrganizationAccountAccessRole" IAMRolePolicyAttachment: - # Do not remove the policy from the principal user role + # DCE resources - "{{ .PrincipalRole}} -> {{ .PrincipalPolicy}}" - property: RoleName value: "{{ .AdminRole}}" + # AWS Organizations resources + - property: RoleName + value: "OrganizationAccountAccessRole" + +presets: + sso: + filters: + IAMSAMLProvider: + - type: "regex" + value: "AWSSSO_.*_DO_NOT_DELETE" + IAMRole: + - type: "glob" + value: "AWSReservedSSO_*" + IAMRolePolicyAttachment: + - type: "glob" + value: "AWSReservedSSO_*" + IAMRolePolicy: + - type: "glob" + value: "AWSReservedSSO_*" + + controltower: + filters: + CloudTrailTrail: + - type: "contains" + value: "aws-controltower" + CloudWatchEventsRule: + - type: "contains" + value: "aws-controltower" + EC2VPCEndpoint: + - type: "contains" + value: "aws-controltower" + - property: tag:Name + type: "contains" + value: "aws-controltower" + EC2VPC: + - type: "contains" + value: "aws-controltower" + - property: tag:Name + type: contains + value: "aws-controltower" + OpsWorksUserProfile: + - type: "contains" + value: "AWSControlTowerExecution" + CloudWatchLogsLogGroup: + - type: "contains" + value: "aws-controltower" + - type: "contains" + value: "AWSControlTowerBP" + CloudWatchEventsTarget: + - type: "contains" + value: "aws-controltower" + SNSSubscription: + - type: "contains" + value: "aws-controltower" + SNSTopic: + - type: "contains" + value: "aws-controltower" + EC2Subnet: + - type: "contains" + value: "aws-controltower" + - property: tag:Name + type: "contains" + value: "aws-controltower" + ConfigServiceDeliveryChannel: + - type: "contains" + value: "aws-controltower" + ConfigServiceConfigurationRecorder: + - type: "contains" + value: "aws-controltower" + CloudFormationStack: + - type: "contains" + value: "AWSControlTower" + EC2RouteTable: + - type: "contains" + value: "aws-controltower" + - property: tag:Name + type: "contains" + value: "aws-controltower" + LambdaFunction: + - type: "contains" + value: "aws-controltower" + EC2DHCPOption: + - type: "contains" + value: "aws-controltower" + - property: tag:Name + type: "contains" + value: "aws-controltower" + IAMRole: + - type: "contains" + value: "aws-controltower" + - type: "contains" + value: "AWSControlTower" + IAMRolePolicyAttachment: + - type: "contains" + value: "aws-controltower" + - type: "contains" + value: "AWSControlTower" + IAMRolePolicy: + - type: "contains" + value: "aws-controltower" + - type: "contains" + value: "AWSControlTower" + ConfigServiceConfigRule: + - type: "contains" + value: "securityhub" + + lza: + filters: + IAMRole: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + IAMPolicy: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + IAMRolePolicy: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - property: tag:role:Accelerator + type: "contains" + value: "AWSAccelerator" + IAMRolePolicyAttachment: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - property: tag:role:Accelerator + type: "contains" + value: "AWSAccelerator" + CloudWatchEventsRule: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + CloudWatchEventsTarget: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + SNSSubscription: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + KMSAlias: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + S3Bucket: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + KMSKey: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + AWSBackupVault: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + SNSTopic: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + ConfigServiceConfigRule: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + CloudWatchLogsLogGroup: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + LambdaFunction: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + CloudFormationStack: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator" + SSMParameter: + - type: "contains" + value: "AWSAccelerator" + - type: "contains" + value: "cdk-accel" + - type: "contains" + value: "aws-accelerator" + - property: tag:Accelerator + type: "contains" + value: "AWSAccelerator"