Last active
April 14, 2024 17:19
-
-
Save Defozo/1fae2714558e7e7ee355edd80dcb8687 to your computer and use it in GitHub Desktop.
A PowerShell script for systematic deletion of all ECS clusters, services, and task definitions across multiple AWS regions. Ideal for scenarios of AWS credential compromise leading to unauthorized ECS resource creation.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # AWS ECS Comprehensive Cleanup Script | |
| # | |
| # Description: | |
| # This PowerShell script is tailored for a thorough cleanup of Amazon Elastic Container Service (ECS) resources across multiple AWS regions. | |
| # It is particularly beneficial in instances where AWS credentials have been compromised, leading to the unauthorized and potentially | |
| # malicious creation of numerous ECS resources, including clusters, services, and task definitions. | |
| # | |
| # The script systematically automates the deletion process. It iterates over a predefined list of AWS regions, identifies and deletes | |
| # all ECS task definitions, then proceeds to identify all ECS clusters within each region, stops and deletes all services within those | |
| # clusters, and finally deletes the clusters themselves. | |
| # | |
| # Usage: | |
| # 1. Ensure AWS CLI is installed and configured. For AWS SSO configuration, refer to: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html. | |
| # 2. Set the `$profile` variable in the script to match your AWS CLI profile name, ensuring it has the necessary permissions. | |
| # 3. Run the script in PowerShell. | |
| # 4. Monitor the output for progress updates and error messages. | |
| # | |
| # Important Notes: | |
| # - This script executes irreversible actions and should be used with caution, particularly in production environments. | |
| # - Ensure backups of ECS configurations and data are maintained if needed. | |
| # - Be cognizant of AWS API rate limits and any constraints on your account status. | |
| # Define the AWS profile to use | |
| $profile = "your-profile" | |
| # Hardcode the list of AWS regions | |
| $regionArray = @( | |
| "ap-south-1", "eu-north-1", "eu-west-3", "eu-west-2", "eu-west-1", | |
| "ap-northeast-3", "ap-northeast-2", "ap-northeast-1", "ca-central-1", | |
| "sa-east-1", "ap-southeast-1", "ap-southeast-2", "eu-central-1", | |
| "us-east-1", "us-east-2", "us-west-1", "us-west-2" | |
| ) | |
| # Iterate over each region | |
| foreach ($region in $regionArray) { | |
| Write-Host "Processing region: $region" | |
| try { | |
| # List and deregister task definitions | |
| $taskDefs = aws ecs list-task-definitions --status ACTIVE --query "taskDefinitionArns" --output json --region $region --profile $profile | ConvertFrom-Json | |
| if ($taskDefs) { | |
| foreach ($taskDefArn in $taskDefs) { | |
| Write-Host "Deregistering task definition: $taskDefArn" | |
| aws ecs deregister-task-definition --task-definition $taskDefArn --region $region --profile $profile | Out-Null | |
| } | |
| } | |
| # List all ECS clusters in the region | |
| $clusters = aws ecs list-clusters --region $region --query "clusterArns" --output json --profile $profile | ConvertFrom-Json | |
| if ($clusters) { | |
| foreach ($clusterArn in $clusters) { | |
| $clusterName = $clusterArn -split "/" | Select-Object -Last 1 | |
| Write-Host "Processing cluster: $clusterName in region: $region" | |
| try { | |
| # List and delete services in the cluster | |
| $services = aws ecs list-services --cluster $clusterName --region $region --query "serviceArns" --output json --profile $profile | ConvertFrom-Json | |
| if ($services) { | |
| foreach ($serviceArn in $services) { | |
| $serviceName = $serviceArn -split "/" | Select-Object -Last 1 | |
| Write-Host "Stopping and deleting service: $serviceName in cluster: $clusterName" | |
| aws ecs update-service --cluster $clusterName --service $serviceName --desired-count 0 --region $region --profile $profile | Out-Null | |
| Start-Sleep -Seconds 10 # Wait for service update | |
| aws ecs delete-service --cluster $clusterName --service $serviceName --force --region $region --profile $profile | Out-Null | |
| } | |
| } | |
| # Delete the cluster | |
| Write-Host "Deleting cluster: $clusterName" | |
| aws ecs delete-cluster --cluster $clusterName --region $region --profile $profile | Out-Null | |
| } catch { | |
| Write-Host "Error processing cluster: $clusterName. Error: $_" | |
| } | |
| } | |
| } else { | |
| Write-Host "No clusters found in region: $region" | |
| } | |
| } catch { | |
| Write-Host "Error processing region: $region. Error: $_" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment