Unused Elastic Network Interfaces Should Be Removed

More Info:

Unused AWS Elastic Network Interfaces (ENIs) should be removed to follow best practices.

Risk Level

Informational

Address

Cost optimization, Operational Maturity

Compliance Standards

AWSWAF, HITRUST, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of unused Elastic Network Interfaces in AWS, you can follow the below steps using AWS CLI:

First, you need to identify the unused Elastic Network Interfaces (ENIs). To do this, run the following command:

aws ec2 describe-network-interfaces --filters Name=status,Values=available

This command will list all the available ENIs that are not currently attached to any EC2 instances.

Once you have identified the unused ENIs, you can delete them using the following command:

aws ec2 delete-network-interface --network-interface-id <eni-id>

Replace <eni-id> with the ID of the unused ENI that you want to delete. You can run this command for each unused ENI that you identified in step 1.

Finally, to confirm that the unused ENIs have been deleted, you can run the following command:

aws ec2 describe-network-interfaces --filters Name=status,Values=available

This command should return an empty list, indicating that there are no more available ENIs that are not currently attached to any EC2 instances.

Using Python

To remediate the misconfiguration of unused Elastic Network Interfaces in AWS using Python, you can use the Boto3 library which is the AWS SDK for Python. Here are the steps to remediate the misconfiguration:

Import the necessary libraries:

import boto3
import logging

Set up logging to capture any errors:

logger = logging.getLogger()
logger.setLevel(logging.INFO)

Create an EC2 client using Boto3:

ec2 = boto3.client('ec2')

Use the describe_network_interfaces method to get a list of all the network interfaces in your account:

response = ec2.describe_network_interfaces()

Loop through the response to find all the unused network interfaces and delete them:

for network_interface in response['NetworkInterfaces']:
    if not network_interface['Attachment']:
        logger.info(f"Deleting unused network interface {network_interface['NetworkInterfaceId']}")
        ec2.delete_network_interface(NetworkInterfaceId=network_interface['NetworkInterfaceId'])

Run the script and it will delete all the unused network interfaces in your AWS account.

Note: Please make sure to test this script in a non-production environment before running it in a production environment.

Additional Reading:

https://aws.amazon.com/premiumsupport/knowledge-center/limit-reached-eni/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unused Elastic Network Interfaces Should Be Removed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: