CLI Usage
February 27, 2026 ยท View on GitHub
Commands
| Command | Description |
|---|---|
cloud-nuke aws | Delete all resources (with confirmation prompt) |
cloud-nuke inspect-aws | Inspect resources without deleting |
cloud-nuke defaults-aws | Delete default VPCs and default security group rules |
cloud-nuke gcp | Delete GCP resources (with confirmation prompt) |
cloud-nuke inspect-gcp | Inspect GCP resources without deleting |
Flags
Filtering
| Flag | Description | Available in |
|---|---|---|
--region | Target specific regions (repeatable) | aws, inspect-aws, defaults-aws |
--exclude-region | Exclude regions (repeatable, mutually exclusive with --region) | aws, inspect-aws, defaults-aws |
--resource-type | Target specific resource types (repeatable) | aws, inspect-aws, gcp, inspect-gcp |
--exclude-resource-type | Exclude resource types (repeatable, mutually exclusive with --resource-type) | aws, inspect-aws, gcp, inspect-gcp |
--older-than | Only target resources older than duration (Go duration) | aws, inspect-aws, gcp, inspect-gcp |
--newer-than | Only target resources newer than duration | aws, inspect-aws, gcp, inspect-gcp |
--config | Path to config file for granular filtering | aws, gcp |
--exclude-first-seen | Exclude resources based on first-seen tag | aws, inspect-aws |
Execution
| Flag | Description | Available in |
|---|---|---|
--dry-run | Preview deletions without executing | aws, gcp |
--force | Skip confirmation prompt | aws, gcp, defaults-aws |
--timeout | Set execution timeout (e.g., 10m) | aws, gcp |
--sg-only | Only delete default security group rules, not VPCs | defaults-aws |
Output
| Flag | Description | Available in |
|---|---|---|
--log-level | Log verbosity: debug, info (default), warn, error, panic, fatal, trace. Also settable via LOG_LEVEL env var. | all |
--output-format | Output format: table (default), json | aws, inspect-aws, gcp, inspect-gcp |
--output-file | Write output to file instead of stdout | aws, inspect-aws, gcp, inspect-gcp |
--list-resource-types | List all supported resource type identifiers | aws, inspect-aws, gcp, inspect-gcp |
KMS
| Flag | Description | Available in |
|---|---|---|
--delete-unaliased-kms-keys | Delete KMS keys without aliases | aws |
--list-unaliased-kms-keys | List KMS keys without aliases | inspect-aws |
GCP
| Flag | Description | Available in |
|---|---|---|
--project-id | GCP project ID (required) | gcp, inspect-gcp |
Examples
# Nuke everything in specific regions
cloud-nuke aws --region us-east-1 --region us-west-2
# Nuke only EC2 and S3, skip confirmation
cloud-nuke aws --resource-type ec2 --resource-type s3 --force
# Dry run with config file
cloud-nuke aws --dry-run --config path/to/config.yaml
# Inspect with specific AWS profile
AWS_PROFILE=dev cloud-nuke inspect-aws --region us-east-1
# Nuke only default security group rules
cloud-nuke defaults-aws --sg-only
# JSON output to file
cloud-nuke inspect-aws --output-format json --output-file results.json
# Nuke GCP resources
cloud-nuke gcp --project-id my-project-id --resource-type compute-instance
CLI flags override config file options. If you pass
--resource-type s3but your config only defines rules forec2, only s3 is targeted.
Protect Resources with cloud-nuke-after Tag
Tag resources with cloud-nuke-after and an ISO 8601 date (e.g., 2024-07-09T00:00:00Z) to protect them from deletion until that date.
Note on Nuking VPCs
Cloud-nuke automatically removes VPC dependencies: Internet Gateways, Egress Only Internet Gateways, ENIs, VPC Endpoints, Subnets, Route Tables, Network ACLs, Security Groups, and DHCP Option Sets (dissociated only). Elastic IPs are cleaned up as a separate resource first.
All other VPC sub-resources must be cleaned up before nuking VPCs.
VPC cleanup may not fully complete on the first run due to AWS eventual consistency. If you see
InvalidParameterValue: Network interface is currently in use., wait 30 minutes and retry.