
EC2 Instances with Multiple Elastic Network Interfaces

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon EC2 instances are not using multiple Elastic Network Interfaces (ENIs) in order to prevent network security complications, unwanted network paths, and increased management complexity. EC2 instances should have the minimum network connectivity needed for their intended purpose.

This rule can help you work with the AWS Well-Architected Framework.

Well-Architected pillars: Security, Operational excellence, Cost optimisation

Amazon EC2 allows one or more Elastic Network Interfaces (ENIs) to be attached to an instance. In most cases, however, the effort of managing multiple ENIs on a single instance outweighs the benefit: each additional interface is another network path to secure and monitor, and one that is easy to overlook. To avoid these network security complications and the unintended creation of unwanted network paths, it is recommended not to configure your Amazon EC2 instances with multiple Elastic Network Interfaces (ENIs).


Audit

To determine if your Amazon EC2 instances use multiple ENIs, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Networking tab from the console bottom panel to access the networking configuration details.

06 Check the number of Elastic Network Interfaces with the Attachment status set to attached, listed in the Network Interfaces section. If there are two or more network interfaces with the Attachment status set to attached, the selected Amazon EC2 instance is configured with multiple Elastic Network Interfaces (ENIs).

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance that you want to examine available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon EC2 instance provisioned in the selected AWS region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
+-----------------------+

03 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to describe the ID and the attachment status for each network interface configured for the selected instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --output table \
  --query "Reservations[*].Instances[*].NetworkInterfaces[*].[NetworkInterfaceId,Attachment.Status]"

04 The command output should return the requested networking information:

---------------------------------------
|          DescribeInstances          |
+------------------------+------------+
|  eni-01234567abcabcabc |  attached  |
|  eni-0abcabcabc1234567 |  attached  |
+------------------------+------------+

If the table returned by the describe-instances command output contains two or more network interfaces with the status set to attached, the selected Amazon EC2 instance is configured with multiple Elastic Network Interfaces (ENIs).

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance that you want to examine, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To ensure that your Amazon EC2 instances are not using multiple Elastic Network Interfaces (ENIs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to configure.

05 Click on the Actions dropdown menu from the console top menu, select Networking, and choose Detach network interface.

06 Select the Elastic Network Interface (ENI) that you want to detach from your Amazon EC2 instance, and choose Detach to confirm your action.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance that you want to configure, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to configure as the identifier parameter and custom filtering to describe the ID and the attachment ID for each network interface configured for the selected instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --output table \
  --query "Reservations[*].Instances[*].NetworkInterfaces[*].[NetworkInterfaceId,Attachment.AttachmentId]"

02 The command output should return a table with requested networking information:

-----------------------------------------------------------
|                    DescribeInstances                    |
+------------------------+--------------------------------+
|  eni-08a3ff1db41c249f5 |  eni-attach-0abc123abcd123abc  |
|  eni-0627616501879e53c |  eni-attach-0123abc123abc123a  |
+------------------------+--------------------------------+

03 Execute detach-network-interface command (OSX/Linux/UNIX) to detach the unwanted Elastic Network Interface (ENI) from the selected Amazon EC2 instance (the command does not produce an output).

aws ec2 detach-network-interface \
  --region us-east-1 \
  --attachment-id eni-attach-0123abc123abc123a

04 Repeat steps no. 1 – 3 for each Amazon EC2 instance that you want to configure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 for other regions.
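The Audit and Remediation CLI steps above are repeated by hand for every instance and region. The following script is an added example (not part of the Conformity page or the AWS CLI) that automates both: it consumes the JSON produced by `aws ec2 describe-instances --output json`, applies the page's audit criterion (two or more interfaces with Attachment.Status set to attached), and prints the `detach-network-interface` commands for the secondary interfaces of each flagged instance. It uses only the Python standard library and ships with a constructed sample of the describe-instances output (all instance, ENI and attachment IDs are made up), so it runs offline. One caveat the script encodes: the primary network interface (DeviceIndex 0) cannot be detached from an instance, so it is never proposed for removal; only interfaces with a higher device index are.

```python
"""Audit EC2 instances for multiple attached ENIs and plan the detach commands.

Added example, not the Conformity page's own tooling. Feed it the JSON output
of the AWS CLI, e.g.:

    aws ec2 describe-instances --region us-east-1 --output json \
        | python3 eni_audit.py -

With no argument it runs against the constructed sample below.
"""
import json
import sys

REGION = "us-east-1"  # assumed region; matches the page's CLI examples

# Constructed sample of `aws ec2 describe-instances --output json`.
# IDs are made up. Only the fields the page's queries use
# (NetworkInterfaceId, Attachment.Status, Attachment.AttachmentId)
# plus Attachment.DeviceIndex are included.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-01234abcd1234abcd",
             "NetworkInterfaces": [
                 {"NetworkInterfaceId": "eni-01234567abcabcabc",
                  "Attachment": {"AttachmentId": "eni-attach-0abc123abcd123abc",
                                 "DeviceIndex": 0, "Status": "attached"}},
                 {"NetworkInterfaceId": "eni-0abcabcabc1234567",
                  "Attachment": {"AttachmentId": "eni-attach-0123abc123abc123a",
                                 "DeviceIndex": 1, "Status": "attached"}},
             ]},
            {"InstanceId": "i-0abcabcabc1234567",
             "NetworkInterfaces": [
                 {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa",
                  "Attachment": {"AttachmentId": "eni-attach-0aaaaaaaaaaaaaaaa",
                                 "DeviceIndex": 0, "Status": "attached"}},
                 # A second ENI whose attachment is still in progress is not
                 # "attached", so this instance does not meet the audit criterion.
                 {"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbbb",
                  "Attachment": {"AttachmentId": "eni-attach-0bbbbbbbbbbbbbbbb",
                                 "DeviceIndex": 1, "Status": "attaching"}},
             ]},
        ]},
    ]
}


def attached_enis(instance):
    """Return the interfaces of one instance whose Attachment.Status is 'attached'."""
    return [eni for eni in instance.get("NetworkInterfaces", [])
            if eni.get("Attachment", {}).get("Status") == "attached"]


def find_multi_eni_instances(describe_output):
    """Map InstanceId -> attached ENI IDs for instances with two or more attached ENIs."""
    findings = {}
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            enis = attached_enis(instance)
            if len(enis) >= 2:
                findings[instance["InstanceId"]] = [e["NetworkInterfaceId"] for e in enis]
    return findings


def plan_detach_commands(describe_output, region):
    """Build detach-network-interface commands for the secondary ENIs of flagged instances.

    The primary interface (DeviceIndex 0) cannot be detached, so it is skipped;
    every other attached interface is proposed for detachment by attachment ID,
    which is what the page's remediation step 03 does.
    """
    commands = []
    for reservation in describe_output.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            enis = attached_enis(instance)
            if len(enis) < 2:
                continue
            for eni in enis:
                att = eni["Attachment"]
                if att.get("DeviceIndex", 0) == 0:
                    continue
                commands.append(
                    f"aws ec2 detach-network-interface --region {region} "
                    f"--attachment-id {att['AttachmentId']}"
                )
    return commands


def load_input(argv):
    """'-' reads JSON from stdin, a path reads a file, nothing uses the sample."""
    if len(argv) > 1 and argv[1] == "-":
        return json.load(sys.stdin)
    if len(argv) > 1:
        with open(argv[1]) as fh:
            return json.load(fh)
    return SAMPLE_DESCRIBE_INSTANCES


if __name__ == "__main__":
    data = load_input(sys.argv)
    for instance_id, enis in find_multi_eni_instances(data).items():
        print(f"{instance_id}: {len(enis)} attached ENIs -> {', '.join(enis)}")
    for cmd in plan_detach_commands(data, REGION):
        print(cmd)
```

The script only prints the detach commands rather than executing them, so the output can be reviewed (for example, to confirm the secondary interface is not the one carrying a workload's traffic) before any interface is removed. Running it per region replaces the manual loop of steps 01 to 05.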


Publication date Sep 4, 2023