Unused network interfaces are present
Description
An AWS Elastic Network Interface (ENI) is a virtual network interface that can be attached to an instance in a Virtual Private Cloud (VPC). Every instance receives a primary network interface when it is launched; additional ENIs are created by you or, on your behalf, by other AWS services, and are often left behind when the resource that used them is terminated. An ENI whose status is available is attached to nothing, but it still reserves a private IP address in its subnet and keeps its security groups associated, so those groups cannot be retired and the interface keeps counting against the per-region ENI quota. Over time, unused ENIs exhaust that quota and prevent new EC2 instances from being launched.
Fix - Runtime
AWS Console
To find and remove unused ENIs using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon EC2 console.
- Navigate to the NETWORK & SECURITY section, click Network Interfaces.
- Select the AWS ENI to examine.
- From the bottom panel of the dashboard, select the Details tab.
- Check the value of the Status attribute. If it is available, the selected Elastic Network Interface is not attached to any resource and can be deleted (Actions, then Delete) once you have confirmed that nothing intends to reuse it.
CLI Command
**To list all unused elastic network interfaces, use the following command:**
```bash
export REGION=<insert region here>
aws ec2 describe-network-interfaces \
  --region $REGION \
  --filters "Name=status,Values=available"
```
Review this list to determine whether any of these interfaces will be reused by a resource. The RequesterId and Description fields show which service or principal created the interface, and Groups shows the security groups still associated with it. We recommend you save this output for reference before the ENIs are deleted.
**To delete a single network interface, use the following command:**
```bash
aws ec2 delete-network-interface \
  --region $REGION \
  --network-interface-id eni-########
```
**To delete all unused network interfaces, use the following command:**
```bash
ENIS=$(aws ec2 describe-network-interfaces --region $REGION \
  --filters "Name=status,Values=available" \
  --query "NetworkInterfaces[*].NetworkInterfaceId" \
  --output text)
echo $ENIS
```
Validate that the list is what you expect before deleting anything.
To capture the security groups used by these interfaces, use the following command. Text output of a nested query is tab-separated per interface, so the tabs are split into lines before deduplicating:
```bash
ENIS_SG=$(aws ec2 describe-network-interfaces --region $REGION \
  --filters "Name=status,Values=available" \
  --query "NetworkInterfaces[*].Groups[*].GroupId" \
  --output text | tr '\t' '\n' | sort -u)
echo $ENIS_SG
```
To proceed with deleting all unused Elastic Network Interfaces (ENIs), use the following command. Running it once with --dry-run appended to the delete command validates permissions and arguments without deleting anything (the dry run reports DryRunOperation on success):
```bash
for eni in $ENIS; do
  aws ec2 delete-network-interface --region $REGION --network-interface-id $eni
done
```
Remove Security Groups That are No Longer in Use
After deleting the Elastic Network Interfaces, review the security groups they referenced to see whether they are still used anywhere. The following collects the security groups attached to every remaining (non-available) interface and subtracts them from the set captured above. Matching is done on whole lines (grep -x with fixed strings) so that one group ID is not mistaken for a prefix of another:
```bash
INUSE_ENI_SG=$(aws ec2 describe-network-interfaces \
  --region $REGION \
  --query 'NetworkInterfaces[?Status != `available`].Groups[*].GroupId' \
  --output text | tr '\t' '\n' | sort -u)
DELETESG=""
for sg in $ENIS_SG; do
  echo "$INUSE_ENI_SG" | grep -qxF "$sg" || DELETESG="$DELETESG $sg"
done
echo $DELETESG
```
This is the set of now unused security groups to delete. To validate it, use the following command:
```bash
for sg in $DELETESG; do
  aws ec2 describe-network-interfaces \
    --region $REGION \
    --filters Name=group-id,Values=$sg \
    --query 'NetworkInterfaces[*].[NetworkInterfaceId, Status]'
done
```
You should not see any in-use interfaces. Two caveats: the default security group of a VPC cannot be deleted, and a group that is referenced by another security group's rules is rejected with DependencyViolation until that rule is removed. It is recommended to back up each security group before you delete it. To delete the unused security groups, use the following command:
```bash
for sg in $DELETESG; do
  aws ec2 describe-security-groups --region $REGION --group-ids $sg > ${sg}.json
  aws ec2 delete-security-group --region $REGION --group-id $sg
done
```
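The procedure above, assembled into one script as an added example (this is not code from the original page): it backs up and deletes the available ENIs with a dry run first, then computes which of their security groups are orphaned using whole-ID matching, and flags groups that are still referenced by another group's rules. It assumes the AWS CLI is configured with credentials and that REGION is exported; the security-group IDs used by the --demo mode are constructed sample values, not output from a real account.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page. Assumes AWS CLI credentials and an
# exported REGION for the --live mode; the --demo mode runs offline on constructed IDs.
set -eu

# Print every ID in $1 (whitespace-separated) that does not appear, as a whole line,
# among the IDs in $2. Fixed-string, whole-line matching (grep -Fxq) avoids treating
# sg-0123 as "in use" merely because sg-0123456789abcdef0 is.
orphaned_sgs() {
  candidates="$1"
  in_use="$2"
  for sg in $candidates; do
    if ! printf '%s\n' $in_use | grep -Fxq -- "$sg"; then
      printf '%s\n' "$sg"
    fi
  done
}

# Text output of a nested JMESPath query is tab-separated per ENI, so split on tabs
# before deduplicating; each helper prints one ID per line.
available_enis() {
  aws ec2 describe-network-interfaces --region "$REGION" \
    --filters Name=status,Values=available \
    --query 'NetworkInterfaces[*].NetworkInterfaceId' --output text | tr '\t' '\n'
}
sgs_on_available_enis() {
  aws ec2 describe-network-interfaces --region "$REGION" \
    --filters Name=status,Values=available \
    --query 'NetworkInterfaces[*].Groups[*].GroupId' --output text | tr '\t' '\n' | sort -u
}
sgs_on_attached_enis() {
  aws ec2 describe-network-interfaces --region "$REGION" \
    --query 'NetworkInterfaces[?Status != `available`].Groups[*].GroupId' \
    --output text | tr '\t' '\n' | sort -u
}

# Back up each ENI's description to <eni-id>.json, then delete it. With DRY_RUN=1
# (the default) the EC2 --dry-run flag checks permissions and arguments only; a
# successful dry run exits non-zero with DryRunOperation, hence the "|| true".
delete_enis() {
  dry="${DRY_RUN:-1}"
  for eni in "$@"; do
    aws ec2 describe-network-interfaces --region "$REGION" \
      --network-interface-ids "$eni" > "$eni.json"
    if [ "$dry" = 1 ]; then
      aws ec2 delete-network-interface --region "$REGION" \
        --network-interface-id "$eni" --dry-run || true
    else
      aws ec2 delete-network-interface --region "$REGION" --network-interface-id "$eni"
    fi
  done
}

# A group referenced by another group's inbound rule cannot be deleted (DependencyViolation);
# report such groups so the referencing rule can be removed first. Outbound references can
# be found the same way with the egress.ip-permission.group-id filter.
sgs_referenced_by_rules() {
  for sg in "$@"; do
    refs=$(aws ec2 describe-security-groups --region "$REGION" \
      --filters Name=ip-permission.group-id,Values="$sg" \
      --query 'SecurityGroups[*].GroupId' --output text)
    if [ -n "$refs" ] && [ "$refs" != "None" ]; then
      printf '%s is referenced by rules in: %s\n' "$sg" "$refs"
    fi
  done
}

# Constructed sample IDs (not taken from any real account) for the offline demonstration.
SAMPLE_AVAILABLE_SGS="sg-0123 sg-0123456789abcdef0 sg-aaaa"
SAMPLE_IN_USE_SGS="sg-0123456789abcdef0 sg-bbbb"

case "${1:-}" in
  --demo)
    # Prints sg-0123 and sg-aaaa; a substring grep would wrongly keep sg-0123 as "in use".
    orphaned_sgs "$SAMPLE_AVAILABLE_SGS" "$SAMPLE_IN_USE_SGS"
    ;;
  --live)
    : "${REGION:?export REGION first}"
    delete_enis $(available_enis)                       # dry run unless DRY_RUN=0
    candidates=$(sgs_on_available_enis | tr '\n' ' ')
    in_use=$(sgs_on_attached_enis | tr '\n' ' ')
    orphans=$(orphaned_sgs "$candidates" "$in_use")
    printf 'Orphaned security groups:\n%s\n' "$orphans"
    sgs_referenced_by_rules $orphans
    ;;
esac
```

Run `./cleanup.sh --demo` to see the matching logic on the sample IDs, then `REGION=us-east-1 ./cleanup.sh --live` for the dry run; set `DRY_RUN=0` only after the dry run and the orphan report look right. The live mode deliberately stops short of deleting security groups: review the report, remove any referencing rules, and then delete the groups with the loop shown above.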
Fix - Buildtime
Terraform
Resource: aws_network_interface
Only declare an aws_network_interface that something actually attaches (for example through the resource's attachment block, or an aws_instance network_interface block that references it), and remove ENI definitions that nothing attaches.
```hcl
# aws_network_interface.test.tf
resource "aws_network_interface" "example" {
  subnet_id       = aws_subnet.public_a.id
  private_ips     = ["10.0.0.50"]
  security_groups = [aws_security_group.web.id]
}
```