More Info:

Unused AWS Elastic Network Interfaces (ENIs) should be removed to follow best practices.

Risk Level

Informational

Address

Cost optimization, Operational Maturity

Compliance Standards

AWSWAF, HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the unused Elastic Network Interfaces in AWS, you can follow the below steps using AWS console:
  1. Login to AWS console and navigate to the EC2 dashboard.
  2. Click on the “Network Interfaces” option from the left-hand menu.
  3. Sort the list of network interfaces by the “Status” column, and identify the interfaces that have a status of “available” or “detached”. These are the unused interfaces.
  4. Select the unused network interfaces that you want to remove.
  5. Click on the “Actions” dropdown menu and select “Delete network interface”.
  6. A confirmation message will appear. Click on “Yes, Delete” to confirm the deletion of the selected network interfaces.
Once the unused network interfaces are deleted, you have successfully remediated the misconfiguration.

To remediate the misconfiguration of unused Elastic Network Interfaces in AWS, you can follow the below steps using AWS CLI:
  1. First, you need to identify the unused Elastic Network Interfaces (ENIs). To do this, run the following command:
aws ec2 describe-network-interfaces --filters Name=status,Values=available
This command will list all the available ENIs that are not currently attached to any EC2 instances.
  1. Once you have identified the unused ENIs, you can delete them using the following command:
aws ec2 delete-network-interface --network-interface-id <eni-id>
Replace <eni-id> with the ID of the unused ENI that you want to delete. You can run this command for each unused ENI that you identified in step 1.
  1. Finally, to confirm that the unused ENIs have been deleted, you can run the following command:
aws ec2 describe-network-interfaces --filters Name=status,Values=available
This command should return an empty list, indicating that there are no more available ENIs that are not currently attached to any EC2 instances.
To remediate the misconfiguration of unused Elastic Network Interfaces in AWS using Python, you can use the Boto3 library which is the AWS SDK for Python. Here are the steps to remediate the misconfiguration:
  1. Import the necessary libraries:
import boto3
import logging
  1. Set up logging to capture any errors:
logger = logging.getLogger()
logger.setLevel(logging.INFO)
  1. Create an EC2 client using Boto3:
ec2 = boto3.client('ec2')
  1. Use the describe_network_interfaces method to get a list of all the network interfaces in your account:
response = ec2.describe_network_interfaces()
  1. Loop through the response to find all the unused network interfaces and delete them:
for network_interface in response['NetworkInterfaces']:
    if not network_interface['Attachment']:
        logger.info(f"Deleting unused network interface {network_interface['NetworkInterfaceId']}")
        ec2.delete_network_interface(NetworkInterfaceId=network_interface['NetworkInterfaceId'])
  1. Run the script and it will delete all the unused network interfaces in your AWS account.
Note: Please make sure to test this script in a non-production environment before running it in a production environment.

Additional Reading: