cloud-nuke v0.51.0: AWS Backup Plans and Dry Run for Defaults
The cloud-nuke project released version v0.51.0 on June 10, 2026, introducing support for AWS Backup plans and a new preview mode for default resource cleanup. This update also brings critical fixes for SageMaker endpoint deletion and IAM instance profile tagging. This release marks another step in making the tool more robust for automated environment cleanup in complex AWS accounts.
The full release notes and downloads are on the GitHub release page.
Support for AWS Backup and Improved Default Cleanup
Managing AWS Backup plans is a common pain point for engineers working in high-churn sandbox accounts. The new backup-plan resource type allows cloud-nuke to identify and remove these plans automatically. AWS Backup plans are often left behind when the underlying resources like EBS volumes or RDS instances are deleted. These plans can continue to incur small costs or generate error logs when they attempt to back up nonexistent targets. By including backup-plan in the standard cleanup suite, the project ensures that the backup configuration is wiped as clean as the data itself.
Another significant addition in this release is the --dry-run flag for the defaults-aws command. The defaults-aws command is a specialized feature of cloud-nuke that targets the default VPCs, subnets, and internet gateways that AWS provisions in every region. For many organizations, these default resources represent a security risk or simply clutter up their networking maps. Previously, executing this command was a direct operation that modified the account immediately. With the introduction of the --dry-run flag in PR #1136, operators can now generate a detailed report of which resources will be removed without actually performing any deletions. This is especially useful for verifying that no critical infrastructure is accidentally using a default VPC before starting a destructive run.
Resolving SageMaker and IAM Dependency Issues
The maintainers have addressed a persistent issue involving SageMaker endpoints. When cleaning up machine learning environments, cloud-nuke previously attempted to delete endpoints directly. However, if an endpoint had associated inference components, the AWS API would return a ValidationException. This caused the cleanup process to stall and required manual intervention to clear the components before retrying the nuke operation. Release v0.51.0 solves this by implementing a proper dependency check. The tool now identifies any inference components linked to a SageMaker endpoint and ensures they are deleted and fully removed before the endpoint deletion call is made.
IAM instance profiles also received a reliability update in PR #1141. The project uses the cloud-nuke-excluded tag to allow users to protect specific resources from deletion. However, the standard ListInstanceProfiles call in the AWS SDK does not return tags for the profiles it lists. This led to a bug where excluded profiles were being nuked because the tool did not “see” their tags. The update forces cloud-nuke to perform an additional ListInstanceProfileTags call for every profile it encounters. This ensures that the exclusion logic is strictly followed for IAM resources, preventing the accidental deletion of profiles used by persistent build agents or management tools.
Reliability Improvements for Time-Based Filters
Filtering resources by age is one of the most powerful features in cloud-nuke, typically invoked using the --older-than or --newer-than flags. These filters allow teams to say “delete everything older than one day” while keeping fresh experiments safe. However, a race condition existed for resources that were still in the process of being provisioned. Some AWS services report a nil creation time when a resource is in a pending or creating state.
In previous versions, these resources would sometimes be included in the deletion list because the time filter logic did not handle the nil value correctly. This meant that a resource created only minutes before a nuke run could be deleted if the AWS API had not yet populated its creation timestamp. Version v0.51.0 updates the logic to exclude any resource with a nil creation time whenever a time filter is active. This makes the tool significantly safer for users who run automated cleanup scripts frequently in busy accounts.
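The fail-closed rule described above, sketched in Go as an added example; it is not cloud-nuke's own code. The `Resource` and `TimeFilter` types and the `ShouldInclude` and `Select` functions are hypothetical names, and the sample resources are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Resource is a hypothetical, simplified record. CreatedAt is nil while the
// API has not yet reported a creation timestamp (resource still creating).
type Resource struct {
	ID        string
	CreatedAt *time.Time
}

// TimeFilter is a hypothetical age filter; a nil bound means "not set".
type TimeFilter struct {
	OlderThan, NewerThan *time.Time
}

// ShouldInclude reports whether r is eligible for deletion under f.
func (f TimeFilter) ShouldInclude(r Resource) bool {
	if f.OlderThan == nil && f.NewerThan == nil {
		return true // no time filter active: age is irrelevant
	}
	if r.CreatedAt == nil {
		return false // age unknown while a time filter is active: exclude
	}
	tooNew := f.OlderThan != nil && !r.CreatedAt.Before(*f.OlderThan)
	tooOld := f.NewerThan != nil && !r.CreatedAt.After(*f.NewerThan)
	return !tooNew && !tooOld
}

// Select returns the IDs of the resources that pass the filter.
func Select(f TimeFilter, rs []Resource) []string {
	ids := []string{}
	for _, r := range rs {
		if f.ShouldInclude(r) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

func main() {
	now := time.Date(2026, 6, 10, 12, 0, 0, 0, time.UTC) // constructed sample data
	old, cutoff := now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	rs := []Resource{{"vol-old", &old}, {"vol-pending", nil}}
	fmt.Println(Select(TimeFilter{OlderThan: &cutoff}, rs)) // prints [vol-old]
}
```

Treating an unknown age as "do not delete" keeps a resource that is still provisioning out of the deletion list for both --older-than and --newer-than style bounds.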
Where to get it
The v0.51.0 release is available now for multiple platforms. You can download the prebuilt binaries or browse the full source code on GitHub:
- Release v0.51.0 on GitHub
- cloud-nuke Repository
- Version Tag: v0.51.0
The project continues to accept contributions for new resource types and bug fixes. If you encounter issues with a specific AWS service not being cleaned up correctly, consider opening an issue on the repository.