Profile Applicability:
- Level 1
Description:
Elastic Network Interfaces (ENIs) in AWS are associated with EC2 instances and can be left in an available state when not attached to any instance. It is important to remove unused ENIs to adhere to best practices, avoid reaching service limits, and maintain a clean network configuration. Unused ENIs can accumulate over time, potentially leading to inefficiencies and complications in network management.
Rationale:
Unused ENIs that remain in an available state consume resources and can lead to:
Service limit issues: AWS imposes a limit on the number of ENIs that can be created. Accumulating unused ENIs may eventually cause the service limit to be reached, making it impossible to create new ENIs when needed.
Security risks: ENIs left unattached to instances may still have associated security group configurations that could potentially expose the environment to risks.
Cluttered network configurations: Accumulating unused ENIs makes it difficult to maintain a clear and organized network setup.
Impact:
Pros:
Cleaner network setup by removing unused ENIs.
Prevents service limit breaches and ensures that resources are available for new configurations.
Reduced attack surface by eliminating unnecessary network configurations.
Cons:
Data loss: Once an ENI is deleted, it cannot be recovered. Ensure that the ENI is no longer needed before removal.
Requires manual audits to ensure unused ENIs are regularly identified and deleted.
Default Value:
By default, ENIs remain in the available state until explicitly deleted. Unused ENIs do not impact the system unless they are not removed.
Pre-requisites:
AWS IAM permissions to manage EC2 network interfaces:
ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 Console at AWS EC2 Console.
In the left pane, under Network & Security, click Network Interfaces.
Review the list of ENIs. Look for those with a Status of available.
If an ENI is marked as available, it means it is not attached to any instance and is unused.
Repeat steps 3–4 for any other ENIs in the current region.
Repeat the audit process across other AWS regions to ensure no unused ENIs exist.
Using AWS CLI:
Run the following command to list all ENIs with a status of available:
aws ec2 describe-network-interfaces --region us-east-1 --output json --filters Name=status,Values=available --query "NetworkInterfaces[*].{ENI:NetworkInterfaceId}"Review the list of ENI IDs returned. These ENIs are not attached to any EC2 instance and should be deleted if no longer needed.
Implementation Plan:
Using AWS Console:
Log in to the EC2 Console at AWS EC2 Console.
Under Network & Security, click Network Interfaces.
Select the ENI that is unused and marked as available.
Click Actions, then select Delete.
Confirm the deletion by clicking Delete again.
Repeat this process for other unused ENIs in the same region.
Repeat the process for any unused ENIs in other AWS regions.
Using AWS CLI:
For each unused ENI identified in the audit, run the following command to delete the ENI:
aws ec2 delete-network-interface --region us-east-1 --network-interface-id eni-1234abcd
Repeat this step for all unused ENIs in the current region.
Review the status of other ENIs across other regions to ensure all unused ENIs are deleted.
Backout Plan:
Using AWS Console:
If the deletion of an ENI causes issues, the ENI cannot be restored once deleted. Therefore, ensure that the ENI is not in use before deletion.
If necessary, recreate the ENI by following the standard EC2 networking setup process.
Using AWS CLI:
If there are any issues after deletion, the ENI cannot be restored. To create a new ENI, use the following command:
aws ec2 create-network-interface --subnet-id subnet-12345678 --description "New ENI" --private-ip-address 10.0.0.10
References:
CIS Controls: