turbot/aws_compliance

Control: 17 EC2 instances should not use multiple ENIs

Description

This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). The control passes only when a single network adapter is attached; an EFA counts as an adapter, so an EFA attached alongside the primary ENI fails the check. The control accepts an optional parameter listing ENI IDs that are allowed to be attached.

Multiple ENIs can make an instance dual-homed, that is, attached to more than one subnet. A dual-homed instance adds network security complexity and can introduce unintended network paths and access between subnets that were meant to be isolated from each other.

Remediation

To remediate this issue, detach the additional ENIs. Only secondary interfaces (device index 1 and higher) can be detached; the primary interface cannot be removed while the instance exists. Before detaching, confirm that no workload depends on the secondary interface, since detaching removes that network path immediately.

To detach a network interface

  1. Open the Amazon EC2 console.
  2. Under Network & Security, choose Network Interfaces.
  3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
  4. Select the ENIs that you want to remove.
  5. From the Actions menu, choose Detach.
  6. If you see the prompt Are you sure that you want to detach the following network interface?, choose Detach.
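The following is an added example, not the aws_compliance mod's own query or code. It applies the same pass/fail logic as the control to the JSON shape returned by aws ec2 describe-instances, reports which subnets each instance touches, and generates the equivalent CLI detach commands for the console steps above. The sample instances, ENI IDs and attachment IDs are constructed for illustration, and the treatment of the optional allow-list (allowed ENI IDs are excluded from the adapter count) is an assumption about that parameter's semantics.

```python
"""Classify EC2 instances by network adapter count and emit detach commands.

Added example, not the aws_compliance mod's own query. The input shape mirrors
`aws ec2 describe-instances` JSON; the sample below is constructed, not captured.
"""
import json

# Constructed sample: one compliant instance, one dual-homed instance, and one
# instance whose second adapter is an EFA (still counted as a second adapter).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {
                "InstanceId": "i-0aaa111",
                "NetworkInterfaces": [
                    {"NetworkInterfaceId": "eni-0a1", "SubnetId": "subnet-0a",
                     "InterfaceType": "interface",
                     "Attachment": {"AttachmentId": "eni-attach-0a1", "DeviceIndex": 0}},
                ],
            },
            {
                "InstanceId": "i-0bbb222",
                "NetworkInterfaces": [
                    {"NetworkInterfaceId": "eni-0b1", "SubnetId": "subnet-0b",
                     "InterfaceType": "interface",
                     "Attachment": {"AttachmentId": "eni-attach-0b1", "DeviceIndex": 0}},
                    {"NetworkInterfaceId": "eni-0b2", "SubnetId": "subnet-0c",
                     "InterfaceType": "interface",
                     "Attachment": {"AttachmentId": "eni-attach-0b2", "DeviceIndex": 1}},
                ],
            },
            {
                "InstanceId": "i-0ccc333",
                "NetworkInterfaces": [
                    {"NetworkInterfaceId": "eni-0c1", "SubnetId": "subnet-0a",
                     "InterfaceType": "interface",
                     "Attachment": {"AttachmentId": "eni-attach-0c1", "DeviceIndex": 0}},
                    {"NetworkInterfaceId": "eni-0c2", "SubnetId": "subnet-0a",
                     "InterfaceType": "efa",
                     "Attachment": {"AttachmentId": "eni-attach-0c2", "DeviceIndex": 1}},
                ],
            },
        ]
    }]
})


def load_instances(describe_json):
    """Flatten describe-instances output into a list of instance dicts."""
    data = json.loads(describe_json)
    return [inst for res in data["Reservations"] for inst in res["Instances"]]


def evaluate(instances, allowed_enis=()):
    """Return {instance_id: 'ok' | 'alarm'} using the control's pass/fail rule.

    An instance passes when a single adapter is attached. ENI IDs listed in
    allowed_enis are excluded from the count (assumed semantics of the optional
    allow-list parameter). EFAs are counted like any other adapter.
    """
    allowed = set(allowed_enis)
    result = {}
    for inst in instances:
        counted = [ni for ni in inst.get("NetworkInterfaces", [])
                   if ni["NetworkInterfaceId"] not in allowed]
        result[inst["InstanceId"]] = "ok" if len(counted) <= 1 else "alarm"
    return result


def subnets(instance):
    """Distinct subnets an instance touches; more than one means dual-homed."""
    return sorted({ni["SubnetId"] for ni in instance.get("NetworkInterfaces", [])})


def detach_commands(instance):
    """AWS CLI commands that remove every secondary interface from an instance.

    The primary interface (DeviceIndex 0) cannot be detached while the instance
    exists, so it is skipped. Review the list before running it: each command
    removes a network path that a workload may still depend on.
    """
    cmds = []
    for ni in instance.get("NetworkInterfaces", []):
        att = ni.get("Attachment", {})
        if att.get("DeviceIndex", 0) == 0:
            continue
        cmds.append(
            f"aws ec2 detach-network-interface --attachment-id {att['AttachmentId']}")
    return cmds


if __name__ == "__main__":
    insts = load_instances(SAMPLE_DESCRIBE_INSTANCES)
    for inst_id, status in evaluate(insts).items():
        inst = next(i for i in insts if i["InstanceId"] == inst_id)
        print(f"{inst_id}: {status} subnets={subnets(inst)}")
        for cmd in detach_commands(inst):
            print("   ", cmd)
```

To run it against a real account, replace the constructed sample with the output of aws ec2 describe-instances and pass any approved ENI IDs to evaluate() so they are not flagged. Note that i-0ccc333 stays in alarm even though both of its adapters sit in the same subnet: the control counts adapters, not subnets, and an EFA is still a second adapter.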

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_17 --share

SQL

This control uses a named query:

ec2_instance_not_use_multiple_enis

Tags