Ensure unused network interfaces are deleted

Error: Unused network interfaces are present

Bridgecrew Policy ID: BC_AWS_GENERAL_20
Severity: LOW

Description

The AWS Elastic Network Interface (ENI) is a virtual interface that can be attached to an instance in a Virtual Private Cloud (VPC). By default, each instance has a primary network interface, which is assigned when the instance is created. Over time, unused Amazon Elastic Network Interfaces exhaust the resource limit and eventually prevent new EC2 instances from launching.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon EC2 console.
  3. In the NETWORK & SECURITY section, click Network Interfaces.
  4. Select the AWS ENI to examine.
  5. From the bottom panel of the dashboard, select the Details tab.
  6. Check the value set for the Status attribute. If the Status attribute value is available, the selected AWS Elastic Network Interface is not attached and can be deleted.

CLI Command

To list all unused elastic network interfaces, use the following command:

export REGION="<insert region here>"
aws ec2 describe-network-interfaces \
  --region "$REGION" \
  --filters "Name=status,Values=available"

Review this list to determine whether any of the unused elastic network interfaces might be reused by other resources. For example, look at RequesterId, Description, or Groups to get an idea of past usage. We recommend you save this data for reference purposes before the ENIs are deleted.

To delete a single network interface, use the following command:

aws ec2 delete-network-interface \
  --region "$REGION" \
  --network-interface-id eni-########

To delete all unused network interfaces, first collect their IDs with the following command:

ENIS=$(aws ec2 describe-network-interfaces --region "$REGION" \
  --filters "Name=status,Values=available" \
  --query "NetworkInterfaces[*].NetworkInterfaceId" \
  --output text)
echo $ENIS

Validate that the list is what you expect before deleting.

To capture security groups used by these interfaces, use the following command:

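# Text output prints one line per interface with tab-separated group IDs,
# so split on tabs before sort -u to de-duplicate individual IDs.
ENIS_SG=$(aws ec2 describe-network-interfaces --region "$REGION" \
  --filters "Name=status,Values=available" \
  --query "NetworkInterfaces[*].Groups[*].GroupId" \
  --output text | tr '\t' '\n' | sort -u)
echo $ENIS_SG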

To proceed with deleting all unused Elastic Network Interfaces (ENIs), use the following command:

for eni in $ENIS; do
  aws ec2 delete-network-interface --region "$REGION" --network-interface-id "$eni"
done
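
The list, save and delete steps above can be combined into one function that writes each ENI's full description to disk before removing it. This is an added example, not part of the original Bridgecrew page; the function name cleanup_unused_enis and the BACKUP_DIR and DRY_RUN variables are assumptions, and DRY_RUN defaults to 1 so nothing is deleted until it is set to 0.

```shell
#!/bin/sh
# Added example (not Bridgecrew's code): back up each unattached ENI, then delete it.
# Assumed names: cleanup_unused_enis, BACKUP_DIR, DRY_RUN (1 = report only, the default).
# Usage: cleanup_unused_enis "$REGION"            # review what would be removed
#        DRY_RUN=0 cleanup_unused_enis "$REGION"  # actually delete
cleanup_unused_enis() {
  cue_region="$1"
  cue_dir="${BACKUP_DIR:-./eni-backup}"
  cue_deleted=0
  cue_failed=0
  [ -n "$cue_region" ] || { echo "usage: cleanup_unused_enis <region>" >&2; return 2; }
  mkdir -p "$cue_dir" || return 1

  # Same filter as the listing command: status=available means not attached.
  cue_enis=$(aws ec2 describe-network-interfaces --region "$cue_region" \
    --filters "Name=status,Values=available" \
    --query "NetworkInterfaces[*].NetworkInterfaceId" \
    --output text) || return 1

  for cue_eni in $cue_enis; do
    # Keep RequesterId, Description and Groups on disk before anything is removed.
    if ! aws ec2 describe-network-interfaces --region "$cue_region" \
        --network-interface-ids "$cue_eni" --output json > "$cue_dir/$cue_eni.json"
    then
      echo "skip $cue_eni: backup failed" >&2
      cue_failed=$((cue_failed + 1))
      continue
    fi
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "dry-run: would delete $cue_eni (backup in $cue_dir/$cue_eni.json)"
      continue
    fi
    # Deletion fails if the ENI was attached in the meantime; count it and move on.
    if aws ec2 delete-network-interface --region "$cue_region" \
        --network-interface-id "$cue_eni"
    then
      cue_deleted=$((cue_deleted + 1))
    else
      echo "delete failed for $cue_eni" >&2
      cue_failed=$((cue_failed + 1))
    fi
  done
  echo "deleted=$cue_deleted failed=$cue_failed"
  [ "$cue_failed" -eq 0 ]
}
```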

Remove Security Groups That Are No Longer in Use

After deleting the Elastic Network Interfaces, review the list of security groups to see if they are no longer in use. To obtain the unused security groups to delete, use the following command:

INUSE_ENI_SG=$(aws ec2 describe-network-interfaces \
  --region "$REGION" \
  --query 'NetworkInterfaces[?Status != `available`].Groups[*].GroupId' \
  --output text | sort -u)
DELETESG=""
for sg in $ENIS_SG; do
  # Whole-word match so one group ID cannot match as a substring of another
  echo "$INUSE_ENI_SG" | grep -qw -- "$sg" || DELETESG="$DELETESG $sg"
done
echo $DELETESG

This is the group of now unused security groups to delete. To validate this group, use the following command:

for sg in $DELETESG; do
  aws ec2 describe-network-interfaces \
    --region "$REGION" \
    --filters "Name=group-id,Values=$sg" \
    --query 'NetworkInterfaces[*].[NetworkInterfaceId, Status]'
done

You should not see any in-use interfaces. It is recommended to make a backup of the security groups before you delete them. To delete the unused security groups, use the following command:

for sg in $DELETESG; do
  # Save the group definition first; describe-security-groups takes --group-ids
  aws ec2 describe-security-groups --region "$REGION" --group-ids "$sg" > "${sg}.json"
  aws ec2 delete-security-group --region "$REGION" --group-id "$sg"
done

Fix - Buildtime

Terraform

Resource: aws_network_interface

resource "aws_network_interface" "example" {
  subnet_id       = aws_subnet.public_a.id
  private_ips     = ["10.0.0.50"]
  security_groups = [aws_security_group.web.id]
}