
AWS

Protection patterns for AWS CLI operations including EC2, S3, RDS, IAM, and CloudFormation

The aws check group covers destructive AWS CLI operations that can terminate instances, delete data, and remove cloud infrastructure.

AWS checks

S3 remove bucket

ID: aws:s3_remove_bucket
Severity: High
Alternative: aws s3 ls s3://<bucket> -- list bucket contents first to verify what would be deleted
# Triggers
aws s3 rb s3://my-bucket
aws s3 rb s3://my-bucket --force

S3 recursive delete

ID: aws:s3_recursive_delete
Severity: High
Filter: NotContains --dryrun
# Triggers
aws s3 rm s3://my-bucket/data/ --recursive

# Does NOT trigger
aws s3 rm s3://my-bucket/data/ --recursive --dryrun
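The trigger/filter semantics above, as an added illustration that is not shellfirm's own code or check format: a hypothetical matcher that encodes a few of the aws checks on this page as constructed regexes, applies the NotContains filter, and builds the warning a wrapper would show.

```python
import re
from dataclasses import dataclass

# Hypothetical model of a shellfirm-style check (illustrative code, not shellfirm's
# own format or engine): a regex trigger, an optional NotContains filter and an alternative.
@dataclass(frozen=True)
class Check:
    id: str
    severity: str
    pattern: str                      # regex tested against the whole command line
    not_contains: tuple = ()          # substrings whose presence cancels the trigger
    alternative: str = ""             # safer command to suggest in the prompt

# A subset of the aws group on this page, encoded as constructed regexes.
AWS_CHECKS = (
    Check("aws:s3_remove_bucket", "High", r"^\s*aws\s+s3\s+rb\b",
          alternative="aws s3 ls s3://<bucket>"),
    Check("aws:s3_recursive_delete", "High", r"^\s*aws\s+s3\s+rm\b.*\s--recursive\b",
          not_contains=("--dryrun",)),
    Check("aws:ec2_terminate", "High", r"^\s*aws\s+ec2\s+terminate-instances\b",
          alternative="aws ec2 stop-instances"),
    Check("aws:iam_delete", "High", r"^\s*aws\s+iam\s+delete-(user|role|policy|group)\b"),
    Check("aws:ecs_delete", "High", r"^\s*aws\s+ecs\s+delete-(service|cluster)\b"),
)

def matching_checks(command, checks=AWS_CHECKS):
    """Return the ids of the checks a command triggers, after applying NotContains filters."""
    hits = []
    for check in checks:
        if not re.search(check.pattern, command):
            continue
        # NotContains is a plain substring test here, so "--dryrun" anywhere on the line
        # (even inside a path) suppresses the prompt; a token-level test would be stricter.
        if any(needle in command for needle in check.not_contains):
            continue
        hits.append(check.id)
    return hits

def prompt_lines(command, checks=AWS_CHECKS):
    """Build the warning a wrapper would show before running a flagged command."""
    triggered = set(matching_checks(command, checks))
    lines = []
    for check in checks:
        if check.id in triggered:
            suggestion = f" -- consider: {check.alternative}" if check.alternative else ""
            lines.append(f"[{check.severity}] {check.id}{suggestion}")
    return lines
```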

EC2 terminate instances

ID: aws:ec2_terminate
Severity: High
Alternative: aws ec2 stop-instances -- stop instead of terminate to preserve the instance for later restart
# Triggers
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0

RDS delete instance

ID: aws:rds_delete
Severity: High
Alternative: aws rds delete-db-instance --skip-final-snapshot=false --final-db-snapshot-identifier <name> -- create a final snapshot before deletion
# Triggers
aws rds delete-db-instance --db-instance-identifier my-database

IAM delete

ID: aws:iam_delete
Severity: High

Covers deletion of IAM users, roles, policies, and groups.

# Triggers
aws iam delete-user --user-name admin
aws iam delete-role --role-name my-role
aws iam delete-policy --policy-arn arn:aws:iam::123456789:policy/my-policy
aws iam delete-group --group-name developers

CloudFormation delete stack

ID: aws:cfn_delete_stack
Severity: High
# Triggers
aws cloudformation delete-stack --stack-name my-infrastructure

Route53 delete hosted zone

ID: aws:route53_delete_zone
Severity: High
# Triggers
aws route53 delete-hosted-zone --id Z1234567890

EKS delete cluster

ID: aws:eks_delete_cluster
Severity: High
# Triggers
aws eks delete-cluster --name my-cluster

Lambda delete function

ID: aws:lambda_delete
Severity: High
# Triggers
aws lambda delete-function --function-name my-function

DynamoDB delete table

ID: aws:dynamodb_delete_table
Severity: High
# Triggers
aws dynamodb delete-table --table-name mytable

SQS delete queue

ID: aws:sqs_delete_queue
Severity: High
# Triggers
aws sqs delete-queue --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/myqueue

SNS delete topic

ID: aws:sns_delete_topic
Severity: High
# Triggers
aws sns delete-topic --topic-arn arn:aws:sns:us-east-1:123456789012:mytopic

ECR delete repository

ID: aws:ecr_delete_repository
Severity: High
# Triggers
aws ecr delete-repository --repository-name myrepo
aws ecr delete-repository --repository-name myrepo --force

Secrets Manager delete secret

ID: aws:secretsmanager_delete
Severity: High
# Triggers
aws secretsmanager delete-secret --secret-id mysecret

ElastiCache delete cluster

ID: aws:elasticache_delete_cluster
Severity: High
# Triggers
aws elasticache delete-cache-cluster --cache-cluster-id mycluster

CloudWatch delete log group

ID: aws:logs_delete_log_group
Severity: High
# Triggers
aws logs delete-log-group --log-group-name /aws/lambda/myfunc

ECS delete service/cluster

ID: aws:ecs_delete
Severity: High
# Triggers
aws ecs delete-service --cluster mycluster --service myservice
aws ecs delete-cluster --cluster mycluster

Summary table

ID                              Command                                   Severity  Filter                Alternative
------------------------------  ----------------------------------------  --------  --------------------  ----------------------
aws:s3_remove_bucket            aws s3 rb                                 High      --                    aws s3 ls
aws:s3_recursive_delete         aws s3 rm --recursive                     High      NotContains --dryrun  --
aws:ec2_terminate               aws ec2 terminate-instances               High      --                    aws ec2 stop-instances
aws:rds_delete                  aws rds delete-db-instance                High      --                    Final snapshot variant
aws:iam_delete                  aws iam delete-(user|role|policy|group)   High      --                    --
aws:cfn_delete_stack            aws cloudformation delete-stack           High      --                    --
aws:route53_delete_zone         aws route53 delete-hosted-zone            High      --                    --
aws:eks_delete_cluster          aws eks delete-cluster                    High      --                    --
aws:lambda_delete               aws lambda delete-function                High      --                    --
aws:dynamodb_delete_table       aws dynamodb delete-table                 High      --                    --
aws:sqs_delete_queue            aws sqs delete-queue                      High      --                    --
aws:sns_delete_topic            aws sns delete-topic                      High      --                    --
aws:ecr_delete_repository       aws ecr delete-repository                 High      --                    --
aws:secretsmanager_delete       aws secretsmanager delete-secret          High      --                    --
aws:elasticache_delete_cluster  aws elasticache delete-cache-cluster      High      --                    --
aws:logs_delete_log_group       aws logs delete-log-group                 High      --                    --
aws:ecs_delete                  aws ecs delete-(service|cluster)          High      --                    --