
I have this output from the initial execution of aws-nuke:

aws-nuke version 2.23.0 - 2023-06-20 - 58e46275b36028007cc3f50334aa74d6e3e7990a

Do you really want to nuke the account with the ID 072882739882 and the alias 'sbx-engineering'?
Waiting 1s before continuing.
eu-central-1 - EC2VPC - vpc-01ab21542c23436bd - [ID: "vpc-01ab21542c23436bd", IsDefault: "false", OwnerID: "072882739882", tag:Name: "evaplatform-vpc", tag:account: "072882739882", tag:created-by: "terraform", tag:environment: "global", tag:project: "platform", tag:region: "eu-central-1", tag:stack_name: "vpc"] - filtered by config
eu-central-1 - CloudWatchEventsRule - Rule: aws-controltower-ConfigComplianceChangeEventRule - filtered by config
eu-central-1 - CloudWatchEventsRule - Rule: nonprod-cwlogs-delivery-euce1-lambda-event-rule - filtered by config
eu-central-1 - AthenaWorkGroup - primary - [ARN: "arn:aws:athena:eu-central-1:072882739882:workgroup/primary", Name: "primary"] - cannot delete primary athena work group
eu-central-1 - EC2InternetGatewayAttachment - igw-0bcb59f51be0bf3f5 -> vpc-01ab21542c23436bd - [DefaultVPC: "false", tag:igw:Name: "evaplatform-vpc", tag:igw:account: "072882739882", tag:igw:created-by: "terraform", tag:igw:environment: "global", tag:igw:project: "platform", tag:igw:region: "eu-central-1", tag:igw:stack_name: "vpc", tag:vpc:Name: "evaplatform-vpc", tag:vpc:account: "072882739882", tag:vpc:created-by: "terraform", tag:vpc:environment: "global", tag:vpc:project: "platform", tag:vpc:region: "eu-central-1", tag:vpc:stack_name: "vpc"] - filtered by config
eu-central-1 - SecurityHub - [Arn: "arn:aws:securityhub:eu-central-1:072882739882:hub/default"] - would remove
eu-central-1 - OpsWorksUserProfile - arn:aws:sts::072882739882:assumed-role/AWSReservedSSO_AdministratorAccess_4c7e60a81c403a90/alexis.sanchez@eva.global - Cannot delete OpsWorksUserProfile of calling User
eu-central-1 - EC2NATGateway - nat-054680e6c063722eb - [tag:Name: "evaplatform-vpc-eu-central-1a", tag:account: "072882739882", tag:created-by: "terraform", tag:environment: "global", tag:project: "platform", tag:region: "eu-central-1", tag:stack_name: "vpc"] - filtered by config
eu-central-1 - CloudTrailTrail - aws-controltower-BaselineCloudTrail - [Name: "aws-controltower-BaselineCloudTrail"] - filtered by config

With the filters I have managed almost all the resources (these resources must stay), but now I need to filter the SecurityHub:

eu-central-1 - SecurityHub - [Arn: "arn:aws:securityhub:eu-central-1:072882739123:hub/default"] - would remove

How can I filter the SecurityHub? What changes should I make?

aasanchez

1 Answer


To filter out certain resources from being targeted by aws-nuke, you'll need to modify its configuration file. This configuration file allows you to specify which resources to preserve (by not nuking them) based on various criteria like the resource's type, region, and certain tags.

To filter out the SecurityHub in the eu-central-1 region from being removed, you can add a filter to the configuration file. Here's how you can do it:

  1. Find the configuration file you're using with aws-nuke. This should be a YAML file. If you're not sure, look at the command you're using to run aws-nuke. It's typically specified with the -c option.

  2. Open the file with a text editor.

  3. Add a new filter for the SecurityHub resource. This will tell aws-nuke to ignore (i.e., preserve) the specified SecurityHub resources in eu-central-1.

    Here's an example filter:

    # aws-nuke reads filters per account, so the block sits under
    # accounts.<account-id>.filters rather than at the top level of the file.
    accounts:
      "072882739882":
        filters:
          SecurityHub:
            - property: "Arn"      # property shown in the dry-run line
              type: "contains"     # substring match; default type is exact
              value: "arn:aws:securityhub:eu-central-1:"

    This filter will preserve any SecurityHub resources in the eu-central-1 region.

  4. Save the file after adding the filter.

  5. Run aws-nuke again using the updated configuration file. It should now preserve the SecurityHub resources as specified by the filter.

Piyush Patil
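As an added example (not the asker's or the answerer's config, and not from the aws-nuke project), here is a complete aws-nuke v2 config file that puts the SecurityHub filter in its place and also covers the other resources the dry run above marked "filtered by config". The account ID, resource names and tags are taken from that output; the blocklist entry 999999999999 is a placeholder.

```yaml
# Added example, not code from the question or the answer: a complete aws-nuke
# v2 config.yaml. Account ID, names and tags come from the dry-run output;
# 999999999999 is a placeholder for an account that must never be nuked.
regions:
  - eu-central-1
  - global

# aws-nuke refuses to start with an empty blocklist; list production here.
account-blocklist:
  - "999999999999"

# Filters are declared per account, not at the top level of the file.
accounts:
  "072882739882":
    filters:
      # Keep Security Hub in eu-central-1: match on the Arn property, which is
      # the value printed in the dry-run line.
      SecurityHub:
        - property: "Arn"
          type: "contains"
          value: "arn:aws:securityhub:eu-central-1:"

      # Keep the Control Tower baseline trail. With no "type" the filter is an
      # exact match against the Name property.
      CloudTrailTrail:
        - property: "Name"
          value: "aws-controltower-BaselineCloudTrail"

      # Keep every VPC that terraform tagged as part of the platform stack.
      EC2VPC:
        - property: "tag:Name"
          type: "glob"
          value: "evaplatform-*"

      # CloudWatchEventsRule prints no properties, so a filter without
      # "property" is matched against its string form "Rule: <name>".
      CloudWatchEventsRule:
        - type: "glob"
          value: "Rule: aws-controltower-*"
        - type: "glob"
          value: "Rule: nonprod-cwlogs-delivery-*"
```

Run aws-nuke without --no-dry-run first and confirm every protected line reads "filtered by config" rather than "would remove" before doing a real run.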