diff --git a/.github/aws-nuke.yaml b/.github/aws-nuke.yaml
index cc6a2e0..ca83aa2 100644
--- a/.github/aws-nuke.yaml
+++ b/.github/aws-nuke.yaml
@@ -32,9 +32,29 @@ regions:
   - us-gov-east-1
   - us-gov-west-1
 
+
+resource-types:
+  # don't nuke IAM users
+  excludes:
+    - IAMUser
+    - IAMUserAccessKey
+    - IAMUserPolicyAttachment
+
 account-blocklist:
   - "999999999999" # production
 
 accounts:
   # testing account
-  126450723953: {}
+  126450723953:
+    presets:
+      - defaults
+
+presets:
+  defaults:
+    filters:
+      IAMRole:
+        - "OrganizationAccountAccessRole"
+      IAMRolePolicy:
+        - property: "role:RoleName"
+          type: "regex"
+          value: "^OrganizationAccountAccessRole$"