Unused Elastic Network Interfaces

Risk Level: Low (generally tolerable level of risk)

Rule ID: EC2-060

Identify and delete any unused Elastic Network Interfaces (ENIs) in order to adhere to AWS cloud best practices and to avoid reaching the service limit. An Elastic Network Interface is considered unused when it is not attached anymore to an AWS resource such as an EC2 instance.

This rule can help you with the following compliance standards:

NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance
efficiency

Sustainability

To follow best practices, unused (detached) Amazon Elastic Network Interfaces (ENIs) should be removed from your AWS account because keeping a lot of unused ENIs can exhaust the resource limit.

Audit

To identify any unused Elastic Network Interfaces available within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Network Interfaces.

04 Select the Elastic Network Interface (ENI) that you want to examine.

05 Choose the Details tab from the console bottom panel to access the ENI configuration details.

06 In the Network interface details section, check the Network interface status attribute value. If the Network interface status is set to Available, the selected Elastic Network Interface (ENI) is not attached to an Amazon EC2 instance, therefore the verified resource is unused and can be safely removed from your AWS cloud account.

07 Repeat steps no. 4 – 6 to determine the association status for other Elastic Network Interfaces available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-network-interfaces command (OSX/Linux/UNIX) with custom query filters to describe the ID of each Elastic Network Interface (ENI) deployed in the selected AWS region:

aws ec2 describe-network-interfaces
  --region us-east-1
  --output table
  --query 'NetworkInterfaces[*].NetworkInterfaceId'

02 The command output should return a table with the requested ENI identifiers (IDs):

---------------------------
|DescribeNetworkInterfaces|
+-------------------------+
|  eni-0abcd1234abcd1234  |
|  eni-01234abcd1234abcd  |
|  eni-0abcdabcdabcdabcd  |
|  eni-01234123412341234  |
+-------------------------+

03 Run describe-network-interfaces command (OSX/Linux/UNIX) using the ID of the Elastic Network Interface (ENI) that you want to examine as the identifier parameter and custom query filters to describe the association status of the selected ENI:

aws ec2 describe-network-interfaces
  --region us-east-1
  --network-interface-ids eni-0abcd1234abcd1234
  --query 'NetworkInterfaces[*].Status'

04 The command output should return the requested configuration status:

[
	"available"
]

If the describe-network-interfaces command output returns "available", the selected Elastic Network Interface (ENI) is not attached to an Amazon EC2 instance, therefore the verified resource is considered unused and can be safely removed from your AWS cloud account.

05 Repeat steps no. 3 and 4 to determine the association status for other Elastic Network Interfaces available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To remove any unused Elastic Network Interfaces (ENIs) from your AWS cloud account, perform the following operations:

Note: The remediation actions are not currently supported by AWS CloudFormation.

Using Terraform (AWS Provider)

01 Terraform commands:

terraform destroy -target aws_network_interface.default

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Network Interfaces.

04 Select the Elastic Network Interface (ENI) that you want to delete (see Audit section part I to identify the right resource).

05 Click on the Actions dropdown menu from the console top menu and choose Delete.

06 In the Delete network interface confirmation box, review the ENI resource details, then choose Delete to remove the selected network interface from your AWS cloud account.

07 Repeat steps no. 4 – 6 to remove other unused (detached) Elastic Network Interfaces (ENIs) available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run delete-network-interface command (OSX/Linux/UNIX) using the ID of the Elastic Network Interface (ENI) that you want to delete as the identifier parameter (see Audit section part II to identify the right resource), to remove the selected ENI resource from your AWS cloud account (if successful, the command request does not produce an output):

aws ec2 delete-network-interface
  --region us-east-1
  --network-interface-id eni-0abcd1234abcd1234

02 Repeat step no. 1 to remove other unused (detached) Elastic Network Interfaces (ENIs) available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
ec2
describe-network-interfaces
delete-network-interface

CloudFormation Documentation
Amazon EC2 resource type reference

Terraform Documentation
AWS Provider

Publication date Nov 8, 2017

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related EC2 rules