
I am trying to clean up resources for my organization account using this AWS-Nuke script.

Here is how I have done it using the AWS Console:

  1. I have created an organization and added a few member accounts to it.
  2. From the GitHub repository, in aws-nuke-config.yaml, I have added my main account ID to the blacklist.
  3. Then I uploaded this file to an S3 bucket.
  4. Created a stack using NukeStack.yaml and gave it the ParentOuId from the Organization.
  5. Bucket name: mytestbucket1234
  6. AssumeRoleName: NukeRole

After this, in CloudWatch I modified the schedule to 10 minutes. In CloudTrail it says StartBuild AccessDenied:

"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::myAccountID:assumed-role/CloudWatchNukeScriptSchedule-nuke/91b9068c9b993c148bc0a29fb9275767 is not authorized to perform: codebuild:StartBuild on resource: arn:aws:codebuild:us-east-2:myAccountID:project/AccountNuker-nuke",

Can anyone tell me what I am missing in the setup?

Manish Goyal
    Reading the YAML policy at that GitHub repo, it indicates `us-west-2` throughout. I would assume that you need to change this to `*` for all regions or specifically set the region that you want (`us-east-2`). – jarmod Feb 06 '20 at 17:59
  • The error is gone, but the script is still not working, e.g. not cleaning resources. – Manish Goyal Feb 06 '20 at 18:48
  • Because of the destructive nature of this tool, its default operation does not actually nuke resources. You need to include `--no-dry-run`. – jarmod Feb 06 '20 at 19:47
  • Still not working; I think there is some issue with the setup. – Manish Goyal Feb 07 '20 at 07:09
  • That looks like a very dangerous tool. If you lack the knowledge to configure it, I would advise against using it. – Dejan Peretin Feb 08 '20 at 13:25
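The AccessDenied event in the question and jarmod's diagnosis (a policy hardcoded to `us-west-2` while the CodeBuild project lives in `us-east-2`) can be reproduced offline. The following is an added example, not code from the question or from the aws-nuke repository: it parses the CloudTrail error message into the denied action and resource ARN, runs a simplified IAM Action/Resource evaluation against three constructed policy documents (the region-mismatched one, a least-privilege fix scoped to `us-east-2`, and the any-region variant from the comments), and emits the minimal Allow statement for the denied pair. The account ID `123456789012` is a placeholder for the redacted `myAccountID`; the policy documents are constructed here for illustration and are not the repository's actual files; the evaluator deliberately models only `Effect`, `Action` and `Resource` (no `Condition`, `NotAction`, `NotResource`, permissions boundaries or SCPs).

```python
"""Offline check of IAM identity policies against a CloudTrail AccessDenied event.

Added example (not from the question or the aws-nuke repository). The account id
123456789012 is a placeholder; the policy documents below are constructed to
illustrate the us-west-2 / us-east-2 mismatch discussed in the comments.
"""
import json
import re

# CloudTrail errorMessage as quoted in the question, account id replaced by a placeholder.
ERROR_MESSAGE = (
    "User: arn:aws:sts::123456789012:assumed-role/CloudWatchNukeScriptSchedule-nuke/"
    "91b9068c9b993c148bc0a29fb9275767 is not authorized to perform: "
    "codebuild:StartBuild on resource: "
    "arn:aws:codebuild:us-east-2:123456789012:project/AccountNuker-nuke"
)

_DENIED_RE = re.compile(r"is not authorized to perform: (\S+) on resource: (\S+)")

ACCOUNT = "123456789012"
PROJECT = "AccountNuker-nuke"


def _policy(resource):
    """Constructed single-statement identity policy allowing StartBuild on `resource`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "codebuild:StartBuild", "Resource": resource}],
    }


# Resembles the repository policy per the comment thread: region hardcoded to us-west-2.
POLICY_US_WEST_2 = _policy("arn:aws:codebuild:us-west-2:%s:project/%s" % (ACCOUNT, PROJECT))
# Least-privilege fix: same action, same project, the region the stack was deployed in.
POLICY_US_EAST_2 = _policy("arn:aws:codebuild:us-east-2:%s:project/%s" % (ACCOUNT, PROJECT))
# Broader alternative from the comments: any region, still pinned to one project name.
POLICY_ANY_REGION = _policy("arn:aws:codebuild:*:%s:project/%s" % (ACCOUNT, PROJECT))


def parse_access_denied(message):
    """Return (action, resource_arn) extracted from a CloudTrail AccessDenied message."""
    m = _DENIED_RE.search(message)
    if not m:
        raise ValueError("not an AccessDenied message: %r" % message)
    return m.group(1), m.group(2)


def _wildcard(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: implicit deny; an explicit Deny beats any Allow.

    Models Effect/Action/Resource only. Action names are case-insensitive in IAM,
    resource ARNs are compared as written. Statements using elements this checker
    does not model raise instead of silently misjudging them.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        for unsupported in ("Condition", "NotAction", "NotResource"):
            if unsupported in stmt:
                raise NotImplementedError("statement uses %s, not modelled here" % unsupported)
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(_wildcard(a, action.lower()) for a in actions)
        resource_hit = any(_wildcard(r, resource) for r in resources)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def diagnose(policy, message):
    """True if `policy` would have authorized the call that CloudTrail reported as denied."""
    action, resource = parse_access_denied(message)
    return is_allowed(policy, action, resource)


def suggest_statement(message):
    """Minimal Allow statement for the exact action/resource pair that was denied."""
    action, resource = parse_access_denied(message)
    return {"Effect": "Allow", "Action": action, "Resource": resource}


if __name__ == "__main__":
    for name, pol in (("us-west-2 policy", POLICY_US_WEST_2),
                      ("us-east-2 policy", POLICY_US_EAST_2),
                      ("any-region policy", POLICY_ANY_REGION)):
        print("%-18s %s" % (name, "allows" if diagnose(pol, ERROR_MESSAGE) else "denies"))
    print(json.dumps(suggest_statement(ERROR_MESSAGE), indent=2))
```

Prefer the `us-east-2` statement over the `*` region: the schedule role then cannot start builds of a same-named project that someone later creates in another region, which is the least-privilege shape a destructive tool's trigger should have. The `--no-dry-run` point in the comments is unrelated to IAM and is not modelled here.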
