A tool to clean out your AWS account
Switch branches/tags
Nothing to show
Clone or download
jckuester Fix: kms key alias selection (#30)
* Extract print functionality from wipe function

* Don't select AWS managed key aliases
Latest commit a82b257 Nov 24, 2018



Release pipeline status Go Report Go Doc Software License

AWSweeper wipes out all (or parts) of the resources in your AWS account. Resources to be deleted can be filtered by their ID, tags or creation date using regular expressions declared in a yaml file (see config.yml).

AWSweeper can delete many, but not all resources yet. Your help supporting more resources is very much appreciated (please read this issue to see how easy it is). Note that AWSweeper is based on the cloud-agnostic Terraform API for deletion - so it's planned to support deleting Azure and Google Cloud Platform resources soon, too.

Happy erasing!

AWSweeper tutorial


Releases for your platform are here.


awsweeper [options] <config.yml>

To see options available run awsweeper --help.


Resources to be deleted are filtered by a yaml configuration. To learn how, have a look at the following example:

  - id: ^foo.*
      foo: bar
      bla: blub
      before: 2018-06-14
      after: 2018-10-28 12:28:39 +0000 
  - tags:
      foo: bar
       before: 2018-06-14

This config would delete all instances which ID matches ^foo.* and which have tags foo: bar and bla: blub and which have been created between 2018-10-28 12:28:39 +0000 UTC and 2018-06-14. Additionally, it would delete instances with tag foo: bar and which are older than 2018-06-14.

Furthermore, this config would delete all IAM roles, as there is no list of filters provided for this resource type.

The general syntax of the filter config is as follows:

<resource type>:
  # filter 1
  - id: <regex to filter by id>
      <key>: <regex to filter value>
      before: <timestamp> (optional)
      after: <timestamp> (optional)
  # filter 2
  - ...
<resource type>:

A more detailed description of the ways to filter resources:

1) All resources of a particular type

Terraform types are used to identify resources of a particular type (e.g., aws_security_group selects all resources that are security groups, aws_iam_role all roles, or aws_instance all EC2 instances).

In the example above, by simply adding security_group: (no further filters for IDs or tags), all security groups in your account would be deleted. Use the all.yml, to delete all (currently supported) resources.

2) By tags

You can narrow down on particular types of resources by the tags they have.

If most of your resources have tags, this is probably the best to filter them for deletion. But be aware: not all resources support tags and can be filtered this way.

In the example above, all EC2 instances are terminated that have a tag with key foo and value bar as well as bla and value blub.

3) By ID

You can narrow down on particular types of resources by filtering on their IDs.

To see what the IDs of your resources are (could be their name, ARN, a random number), run awsweeper in dry-run mode: awsweeper --dry-run all.yml. This way, nothing is deleted but all the IDs and tags of your resources are printed. Then, use this information to create the yaml file.

In the example above, all roles which name starts with foo are deleted (the ID of roles is their name).

4) By creation date

You can select resources by filtering on the date they have been created.

Dry-run mode

Use awsweeper --dry-run <config.yml> to only show what would be deleted. This way, you can fine-tune your yaml configuration until it works the way you want it to.

Supported resources

AWSweeper can currently delete many but not all of the existing types of AWS resources:

  • aws_ami
  • aws_autoscaling_group
  • aws_cloudformation_stack
  • aws_ebs_snapshot
  • aws_ebs_volume
  • aws_efs_file_system
  • aws_eip
  • aws_elb
  • aws_iam_group
  • aws_iam_instance_profile
  • aws_iam_policy
  • aws_iam_role
  • aws_iam_user
  • aws_instance
  • aws_internet_gateway
  • aws_key_pair
  • aws_kms_alias
  • aws_kms_key
  • aws_launch_configuration
  • aws_nat_gateway
  • aws_network_acl
  • aws_network_interface
  • aws_route53_zone
  • aws_route_table
  • aws_s3_bucket
  • aws_security_group
  • aws_subnet
  • aws_vpc
  • aws_vpc_endpoint

Note that the above list contains terraform types which must be used instead of AWS resource types to identify resources in the yaml configuration. The reason is that AWSweeper is build upon the already existing delete routines provided by the Terraform AWS provider.

Acceptance tests

WARNING: Running acceptance tests create real resources that might cost you money.

Run all acceptance tests with

make testacc

or use

make testacc TESTARGS='-run=TestAccVpc*'

to test the working of AWSweeper for a just single resource, such as aws_vpc.


This tool is thoroughly tested. However, you are using this tool at your own risk! I will not take any responsibility if you delete any critical resources in your production environments.