Profile Applicability:
- Level 1
Description:
Amazon EC2 instances typically use Elastic Network Interfaces (ENIs) to connect to the network. Each ENI is attached to a single EC2 instance at a time, but it is possible to attach multiple ENIs to one instance for specific use cases (e.g., multi-homed instances or instances with different networking requirements). However, using multiple ENIs increases configuration complexity, can affect performance, and widens the instance's network exposure, since each additional interface carries its own subnet placement and security groups. This SOP ensures that EC2 instances are not configured with multiple ENIs unless explicitly required for a documented use case.
Rationale:
Restricting EC2 instances to a single ENI simplifies network management, reduces potential attack surfaces, and improves performance. Multiple ENIs can complicate security group and routing configurations, leading to misconfigurations and increased risks. By ensuring that EC2 instances do not use multiple ENIs, you maintain a simpler, more secure, and manageable network architecture.
Impact:
Pros:
Reduces complexity in network configurations.
Minimizes security risks by limiting network exposure.
Improves performance by avoiding the overhead of managing multiple ENIs.
Cons:
Certain use cases (e.g., multi-homed instances) may require multiple ENIs. In such cases, this setting would need to be explicitly overridden.
Default Value:
By default, EC2 instances are assigned a single ENI when launched. However, it is possible to attach additional ENIs manually or through a launch template, depending on the specific network requirements.
Pre-requisite:
AWS IAM permissions:
ec2:DescribeInstances
ec2:DescribeNetworkInterfaces
ec2:ModifyInstanceAttribute
AWS CLI installed and configured.
Basic understanding of EC2 network configurations and Elastic Network Interfaces (ENIs).
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 under Services.
In the left-hand navigation panel, select Instances.
Choose the EC2 instance you want to inspect.
Under the Network Interfaces section, ensure that only one ENI is listed for each EC2 instance.
If multiple ENIs are listed, investigate the configuration to determine if it is required for the instance’s functionality.
If multiple ENIs are not required, remove the extra ENIs by selecting each secondary ENI and detaching it from the instance.
Using AWS CLI:
To list all EC2 instances and their attached ENIs, use the following command:
aws ec2 describe-instances --query 'Reservations[*].Instances[*].{ID:InstanceId,NetworkInterfaces:NetworkInterfaces[*].NetworkInterfaceId}' --output table
Review the output to verify if any EC2 instances have multiple NetworkInterfaces listed.
If an instance has more than one ENI, inspect the configuration to ensure it is necessary.
To detach a secondary ENI from an EC2 instance, use the following command:
aws ec2 detach-network-interface --attachment-id <eni-attachment-id>
Verify that the instance now only has one ENI attached.
Implementation:
Using AWS Console:
Open the AWS Management Console.
Navigate to EC2.
In the Instances section, select the EC2 instance you want to inspect.
Under the Network Interfaces tab, check how many ENIs are attached to the instance.
If multiple ENIs are attached, click on the Actions button, then select Detach Network Interface for the unnecessary ENI.
Ensure that only one ENI remains attached to the instance.
Save the changes and verify that the instance is now using only one ENI.
Using AWS CLI:
To list the attached ENIs for an EC2 instance, run:
aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[*].Instances[*].NetworkInterfaces[*].NetworkInterfaceId' --output table
If more than one ENI is attached, run the following command to detach the unnecessary ENI:
aws ec2 detach-network-interface --attachment-id <eni-attachment-id>
Verify the updated configuration by listing the attached ENIs again:
aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[*].Instances[*].NetworkInterfaces[*].NetworkInterfaceId' --output table
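The audit and remediation steps in the Test Plan and Implementation sections above can be scripted over the JSON form of the describe-instances output. The following is an added example, not part of this SOP: it reads a constructed sample shaped like `aws ec2 describe-instances --output json`, flags every instance with more than one ENI, and lists only the secondary attachments (device index other than 0), because AWS does not permit detaching an instance's primary ENI. The instance, ENI and attachment IDs in the sample are made up.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# i-0aaa... has a single ENI (compliant); i-0bbb... has a primary and a secondary ENI.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa000000000001",
   "NetworkInterfaces": [
     {"NetworkInterfaceId": "eni-0a000000000000001",
      "Attachment": {"AttachmentId": "eni-attach-0a0000000000001", "DeviceIndex": 0}}]},
  {"InstanceId": "i-0bbb000000000002",
   "NetworkInterfaces": [
     {"NetworkInterfaceId": "eni-0b000000000000001",
      "Attachment": {"AttachmentId": "eni-attach-0b0000000000001", "DeviceIndex": 0}},
     {"NetworkInterfaceId": "eni-0b000000000000002",
      "Attachment": {"AttachmentId": "eni-attach-0b0000000000002", "DeviceIndex": 1}}]}
]}]}
""")


def find_multi_eni_instances(payload):
    """Return {instance_id: [secondary ENI attachments]} for instances with more than one ENI.

    The primary interface (DeviceIndex 0) is deliberately excluded: AWS rejects
    detaching it, so only secondary attachments are remediation candidates.
    """
    findings = {}
    for reservation in payload.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            enis = instance.get("NetworkInterfaces", [])
            if len(enis) <= 1:
                continue  # single ENI: compliant with this SOP
            secondary = [
                {"eni": e["NetworkInterfaceId"],
                 "attachment": e["Attachment"]["AttachmentId"],
                 "device_index": e["Attachment"]["DeviceIndex"]}
                for e in enis if e.get("Attachment", {}).get("DeviceIndex", 0) != 0
            ]
            findings[instance["InstanceId"]] = secondary
    return findings


def detach_commands(findings):
    """Render the SOP's detach command for each secondary attachment, for review before running."""
    return [f"aws ec2 detach-network-interface --attachment-id {s['attachment']}"
            for secondaries in findings.values() for s in secondaries]


if __name__ == "__main__":
    found = find_multi_eni_instances(SAMPLE)
    for iid, secs in found.items():
        print(f"{iid}: {len(secs)} secondary ENI(s) -> {[s['eni'] for s in secs]}")
    print("\n".join(detach_commands(found)))
```

Record each instance's device index before detaching; the Backout Plan's attach-network-interface command needs it to restore the original layout.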
Backout Plan:
If removing additional ENIs causes issues with the instance’s networking or application functionality:
Identify the affected EC2 instance and re-attach the necessary ENI using the following command:
aws ec2 attach-network-interface --instance-id <instance-id> --network-interface-id <eni-id> --device-index <device-index>
Verify that the instance has the required ENIs reattached and that the instance functions as expected.
Document the restoration actions for auditing and compliance purposes.