awsdocs
diff --git a/‎.tools/test/stacks/nuke/typescript/Dockerfile‎
Lines changed: 0 additions & 9 deletions b/‎.tools/test/stacks/nuke/typescript/Dockerfile‎
Lines changed: 0 additions & 9 deletions
diff --git a/‎.tools/test/stacks/nuke/typescript/README.md‎
Lines changed: 3 additions & 7 deletions b/‎.tools/test/stacks/nuke/typescript/README.md‎
Lines changed: 3 additions & 7 deletions
diff --git a/‎.tools/test/stacks/nuke/typescript/nuke_generic_config.yaml‎
Lines changed: 12 additions & 27 deletions b/‎.tools/test/stacks/nuke/typescript/nuke_generic_config.yaml‎
Lines changed: 12 additions & 27 deletions
@@ -1,21 +1,12 @@
 FROM ghcr.io/ekristen/aws-nuke:v3.42.0
-
-# Set environment variables
 ENV AWS_SDK_LOAD_CONFIG=1 \
     AWS_DEBUG=true
-
-# Switch to root, install AWS CLI and cleanup in single layer
 USER root
 RUN apk add --no-cache \
     python3 \
     py3-pip \
     aws-cli
-
-# Copy configuration and script
 COPY nuke_generic_config.yaml /nuke_generic_config.yaml
 COPY --chmod=755 run.sh /run.sh
-
-# Switch back to non-root user for security
 USER aws-nuke
-
 ENTRYPOINT ["/run.sh"]
@@ -1,24 +1,20 @@
 
 # aws-nuke for Weathertop
 
-[aws-nuke](https://github.com/ekristen/aws-nuke) is an open-source tool that deletes resources in a provided AWS account that are not considered "Default" or "AWS-Managed".
-
-This tool is implemented using the Cloud Development Kit (CDK) script in this directory which deploy the [official aws-nuke image](https://github.com/ekristen/aws-nuke/pkgs/container/aws-nuke) to an AWS Lambda function.
+[aws-nuke](https://github.com/ekristen/aws-nuke) is an open-source tool that deletes non-default resources in a provided AWS account. It's implemented here in this directory using Cloud Development Kit (CDK) code that deploys the [official aws-nuke image](https://github.com/ekristen/aws-nuke/pkgs/container/aws-nuke) to an AWS Lambda function.
 
 ## ⚠ Important
 This is a very destructive tool! It should not be deployed without fully understanding the impact it will have on your AWS accounts.
 Please use caution and configure this tool to delete unused resources only in your lower test/sandbox environment accounts.
 
 ## Overview
 
-Defined in [account_nuker.ts](account_nuker.ts), this CDK stack deploys an AWS Lambda function that runs in a Docker container, scheduled to execute weekly via EventBridge.
-
-It includes:
+This CDK stack is defined in [account_nuker.ts](account_nuker.ts). It includes:
 - A Docker-based Lambda function with ARM64 architecture and 1GB memory
 - An IAM role with administrative permissions for the Lambda's nuking function 
 - An EventBridge rule that triggers the function every Sunday at midnight
 
-The Lambda function is built from a [Dockerfile](Dockerfile) and runs with a 15-minute timeout. It contains a [nuke_generic_config.yml](nuke_generic_config.yaml) config and executes a [run.sh](run.sh).
+More specifically, this Lambda function is built from a [Dockerfile](Dockerfile) and runs with a 15-minute timeout. It contains a [nuke_generic_config.yml](nuke_generic_config.yaml) config and executes a [run.sh](run.sh) when invoked every Sunday at midnight UTC.
 
 ![infrastructure-overview](nuke-overview.png)
 
 
@@ -66,7 +66,7 @@ resource-types:
     - SecretsManagerSecret
     - SQSQueue
     - SSMParameter
-    
+
 accounts:
   AWSACCOUNTID:
     filters:
@@ -107,65 +107,50 @@ accounts:
         - property: DetectorID
           type: glob
           value: "*"
-      CloudTrailTrail:
-        - type: regex
-          value: "^(AccountGuardian|Isengard).*DO-NOT-DELETE.*$"
       CloudWatchEventsRule:
         - type: regex
-          value: "^Rule: (AccountGuardian-.*DO-NOT-DELETE|AwsSecurity.*DO-NOT-DELETE|DO-NOT-DELETE-GatedGarden-.*)$"
+          value: "^Rule: (AwsSecurity.*)$"
       CloudWatchEventsTarget:
         - type: regex
-          value: "^Rule: (AccountGuardian-.*DO-NOT-DELETE.*|AwsSecurity.*DO-NOT-DELETE|DO-NOT-DELETE-GatedGarden-.*)$"
+          value: "^Rule: (AwsSecurity.*)$"
       CloudWatchLogsLogGroup:
         - type: regex
-          value: "^(AccountGuardian-).*$"
+          value: "^.*$"
       ConfigServiceDeliveryChannel:
-        - "pitbull-default"
+        - "default"
       ConfigServiceConfigRule:
         - type: regex
-          value: "^(managed-ec2-patch-compliance|ec2-managed-by-systems-manager-REMEDIATE|pvre-.*-REMEDIATE|.*-pvre-.*-REMEDIATE)$"
+          value: "^(managed-ec2-patch-compliance|ec2-managed-by-systems-manager-REMEDIATE)$"
       S3Bucket:
         - property: Name
           type: regex
-          value: "^(cdktoolkit-stagingbucket-.*|pitbull-aws-config-.*|cloudtrail-awslogs-.*-isengard-do-not-delete|do-not-delete-gatedgarden-audit-.*|aws-nuke.*)$"
+          value: "^(cdktoolkit-stagingbucket-.*|aws-nuke.*)$"
       S3Object:
         - property: Bucket
           type: regex
-          value: "^(cdktoolkit-stagingbucket-.*|pitbull-aws-config-.*|cloudtrail-awslogs-.*-isengard-do-not-delete|do-not-delete-gatedgarden-audit-.*|aws-nuke.*)$"
+          value: "^(cdktoolkit-stagingbucket-.*|aws-nuke.*)$"
       ConfigServiceConfigurationRecorder:
         - "MainRecorder"
       CloudFormationStack:
         - property: Name
           type: regex
-          value: "^(CDKToolkit|AccountGuardian|.*DO-NOT-DELETE)$"
+          value: "^(CDKToolkit)$"
         - property: Name
           type: regex
           value: "^(PluginStack|NukeStack)*$"
-        - property: Name
-          type: regex
-          value: "^(pvre.*|PVRE.*)$"
-        - property: Name
-          type: regex
-          value: "^(.*PatchBaseline.*)$"
       IAMPolicy:
         - property: Name
           type: regex
           value: "^(ConfigAccessPolicy|ResourceConfigurationCollectorPolicy|CloudFormationRefereeService|EC2CapacityReservationService|AwsSecurit.*AuditPolicy)$"
       IAMRole:
         - property: Name
           type: regex
-          value: "^(AWSServiceRoleFor.*|.*DO-NOT-DELETE|^Isengard.*|Admin|ReadOnly|GatedGarden.*Audit|ShadowTrooper.*|InternalAuditInternal|EC2CapacityReservationService|AccessAnalyzerTrustedService|EC2CapacityReservationService|AwsSecurit.*Audit|AWS.*Audit)$"
+          value: "^(AWSServiceRoleFor.*|Admin|ReadOnly|InternalAuditInternal|EC2CapacityReservationService|AccessAnalyzerTrustedService|AwsSecurit.*Audit|AWS.*Audit)$"
       IAMRolePolicy:
         - property: role:RoleName
           type: regex
-          value: "^(.*DO-NOT-DELETE|Isengard.*|GatedGarden.*Audit|AccountGuardian.*|ShadowTrooper.*|AccessAnalyzerTrustedService|AwsSecurit.*Audit)$"
+          value: "^(AccessAnalyzerTrustedService|AwsSecurit.*Audit)$"
       IAMRolePolicyAttachment:
         - property: RoleName
           type: regex
-          value: "^(Admin|ReadOnly|AWSServiceRoleFor.*|.*DO-NOT-DELETE|Isengard.*|InternalAuditInternal|EC2CapacityReservationService|AWSVAPTAudit|AwsSecurit.*Audit)$"
-      SSMDocument:
-        - type: regex
-          value: "^(AccountGuardian|Isengard).*DO-NOT-DELETE.*$"
-      SSMResourceDataSync:
-        - type: regex
-          value: "^(AccountGuardian|Isengard).*DO-NOT-DELETE.*$"
+          value: "^(Admin|ReadOnly|AWSServiceRoleFor.*|InternalAuditInternal|EC2CapacityReservationService|AWSVAPTAudit|AwsSecurit.*Audit)$"