
I'm learning to use aws-nuke to delete all the resources in my organization's AWS account. I was able to successfully remove my personal resources in my own organization and manage the nuking. Wondering whether it will work across organizations? Let's say we have 2 different organizations. [Screenshot: AWS Organizations management] See screenshot above.

Is it possible to have aws-nuke work across 2 different organizations when we have a Power-User or System Admin from organization B manage the training account in organization A? Here's a simplified version of the diagram.

[Diagram: simplified diagram for 2 AWS organizations]

Jeff

  • I don't think it would work across organizations. The whole point is to have your own organization manage the aws-nuke. Might be best to contact the author who wrote it instead of spinning wheels alone. – JeffreyC Dec 13 '20 at 17:08
  • Thank you for your recommendation. How do I contact the author of aws-nuke? – Jeff Dec 13 '20 at 17:54
  • Maybe I can reach out to svenwltr, as he is the author of aws-nuke. – Jeff Dec 14 '20 at 00:38
  • Read through the README of aws-nuke; it does not elaborate on your case. But there's another article that shows something similar to what you are trying to achieve here: https://www.1strategy.com/blog/2019/07/16/automated-clean-up-with-aws-nuke-in-multiple-accounts/ – JeffreyC Dec 14 '20 at 06:28

2 Answers

I have used aws-nuke to manage my AWS organization accounts. You can definitely use cross-account roles for the task, assuming that you already can run aws-nuke on your resources in your own AWS account. What you can do inside your AWS account, you can do with cross-account roles, except for a handful of AWS actions. The only issue is that the AWS cross-organization role will have to have too much permission, and that is risky. The aws-nuke documentation says that such a tool is very risky and destructive!

Linking AWS accounts via AWS Organizations allows you to consolidate billing, use Service Control Policies, etc. It doesn't actually give any more capability than what you can do with cross-account roles. You would still need to use those, as an SCP doesn't actually give you a permission that IAM doesn't give you. So, to answer your question: would you be able to do it with AWS Organizations?

Yes, if you use a cross-account AWS role.

Would you be able to do it with other non-members too?

Yes, with cross-account roles. I am emphasizing cross-account roles here and reiterating: whatever you can do inside your AWS account, you can do with cross-account roles, except for a handful of actions. That's my 2 cents: just use cross-account roles.

SeniorEngineer

  • Reading this answer: you are using aws-assume-role, so I suppose you can perform actions from one account in another. So the diagram shown above should work. The only problem here is whether aws-nuke can assume the role and do it or not. I would reach out to the author of aws-nuke, as I suggested in the original comment above. – JeffreyC Dec 14 '20 at 05:49
  • Here's a doc for your reference that I read about aws-assume-role: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html – JeffreyC Dec 14 '20 at 05:50
  • You can assume that IAM role via the AWS CLI, then in the config file for aws-nuke you can pass the value for the account in organization A and run it. In theory, it might be able to nuke everything from those AWS accounts across organizations. – JeffreyC Dec 14 '20 at 06:13
  • Here's an article that seems to describe what you are doing: https://www.1strategy.com/blog/2019/07/16/automated-clean-up-with-aws-nuke-in-multiple-accounts/ It shows how to pass in the credentials and secrets in order to enable aws sts assume-role; example: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/ – JeffreyC Dec 14 '20 at 06:26
  • Those are very good suggestions! Thank you for adding that information. – SeniorEngineer Dec 14 '20 at 06:33

I was able to reach out to the author of aws-nuke and open a discussion page here

You have to set up cross-account access and run aws-nuke with assume-role for each account.

It is possible to have aws-nuke work across 2 different organizations when we have a System Admin from organization B to manage the training account in another organization (Organization A).

Jeff
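As an added example (not from this thread or from the aws-nuke project), a shell script that does what the answer describes: assume a cross-account role in each target account, write a per-account aws-nuke config whose account-blocklist holds the accounts that must never be touched, and run aws-nuke in dry-run mode unless explicitly told otherwise. The role name, the account ids and the config keys (account-blocklist, accounts, filters, as in the aws-nuke v2 README) are assumptions; check them against the README of the version you run.

```shell
# Added example: cross-account aws-nuke runner. Role name and account ids are placeholders.
set -eu

ROLE_NAME="${ROLE_NAME:-AwsNukeTrainingCleanup}"   # assumed role present in each target account
# Accounts that must never be nuked (e.g. the management accounts of both organizations).
PROTECTED_ACCOUNTS="111111111111 222222222222"

# Write an aws-nuke config for one target account. Every protected account goes into
# account-blocklist; aws-nuke refuses to run when that list is empty.
write_nuke_config() {
  target="$1"; out="$2"
  {
    echo "regions:"
    echo "  - global"
    echo "  - us-east-1"
    echo "account-blocklist:"
    for a in $PROTECTED_ACCOUNTS; do echo "  - \"$a\""; done
    echo "accounts:"
    echo "  \"$target\":"
    echo "    filters:"
    echo "      IAMRole:"
    echo "        - \"$ROLE_NAME\""   # never delete the role we are running as
  } > "$out"
}

# Succeeds only if the target is not protected (local guard, on top of aws-nuke's own blocklist).
allowed_target() {
  for a in $PROTECTED_ACCOUNTS; do
    if [ "$a" = "$1" ]; then return 1; fi
  done
  return 0
}

# Assume the role in the target account, export temporary credentials, run aws-nuke.
# Dry run (list only) unless NO_DRY_RUN=1 is set in the environment.
nuke_account() {
  target="$1"
  allowed_target "$target" || { echo "refusing protected account $target" >&2; return 1; }
  cfg="$(mktemp)"
  write_nuke_config "$target" "$cfg"
  creds="$(aws sts assume-role --role-arn "arn:aws:iam::${target}:role/${ROLE_NAME}" \
            --role-session-name aws-nuke-cleanup \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)"
  set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  if [ "${NO_DRY_RUN:-0}" = 1 ]; then
    aws-nuke --config "$cfg" --no-dry-run
  else
    aws-nuke --config "$cfg"
  fi
}
```

Run `nuke_account 333333333333` once per training account and read the dry-run output before setting NO_DRY_RUN=1; the role in each target account needs a trust policy that names the administrator principal from the other organization.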