Logo of Trend Micro

Unused Elastic Network Interfaces

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-060

Identify and delete any unused Amazon AWS Elastic Network Interfaces in order to adhere to best practices and to avoid reaching the service limit. An AWS Elastic Network Interface (ENI) is pronounced unused when is not attached anymore to an EC2 instance.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency

As good practice, unused (detached) Amazon Elastic Network Interfaces should be removed from your account because keeping a lot of unused ENIs can exhaust the resource limit and eventually prevent the launching of new EC2 instances.

Audit

To identify any unused Elastic Network Interfaces currently available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, click Network Interfaces.

04 Select the AWS ENI that you want to examine.

05 Select the Details tab from the dashboard bottom panel and check the value set for the Status attribute. If the Status attribute value is "available", the selected AWS Elastic Network Interface is not attached to an EC2 instance, therefore it should be marked as unused then safely removed from your AWS account (see Remediation/Resolution section).

06 Repeat step no. 4 and 5 to determine the current status for other AWS ENIs available within the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-network-interfaces command (OSX/Linux/UNIX) using custom query filters to list the IDs of all unused AWS ENIs (if any), provisioned in the selected region: 

aws ec2 describe-network-interfaces
	--region us-east-1
	--output table
	--filters Name=status,Values=available --query 'NetworkInterfaces[*].{ENI:NetworkInterfaceId}'

02 The command output should return a table that contains the IDs of the unused Elastic Network Interfaces (i.e. ENI resources with current status set to "available") or an empty table if there are no unused ENIs within the selected AWS region: 

---------------------------
|DescribeNetworkInterfaces|
+-------------------------+
|           ENI           |
+-------------------------+
|  eni-aaaabbbb           |
|  eni-ddddeeee           |
|  eni-bbbbcccc           |
+-------------------------+

If the command output returns one or more AWS ENI IDs, there are one or more AWS Elastic Network Interfaces that are not attached to EC2 instances, therefore these should be marked as unused and safely removed from your AWS account.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To remove any unused Amazon Elastic Network Interfaces (ENIs) available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, click Network Interfaces.

04 Select the AWS ENI that you want to remove (see Audit section part I to identify the right resource).

05 Click the Delete button from the dashboard top menu to initiate the removal process.

06 Inside the Delete Network Interface dialog box, review the resource details one more time, then click Yes, Delete to confirm the action. If successful, the selected AWS Elastic Network Interface should be removed from the ENIs list.

07 Repeat steps no. 4 – 6 to remove other unused (detached) AWS Elastic Network Interfaces available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run delete-network-interface command (OSX/Linux/UNIX) using the ID of the ENI that you want to delete as identifier (see Audit section part II to identify the right resource) to remove the selected Amazon Elastic Network Interface from your AWS account (if the command succeeds, no output is returned): 

aws ec2 delete-network-interface
	--region us-east-1
	--network-interface-id eni-aaaabbbb

02 Repeat step no. 1 to remove other unused AWS ENIs currently available in the selected region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire process for other regions.

References

Publication date Nov 8, 2017

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Unused Elastic Network Interfaces

Risk level: Low