Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 17 EC2 instances should not use multiple ENIs

Description

This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.

Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.

Remediation

To remediate this issue, detach the additional ENIs.

To detach a network interface

  1. Open the Amazon EC2 console.
  2. Under Network & Security, choose Network Interfaces.
  3. Filter the list by the noncompliant instance IDs to see the associated ENIs.
  4. Select the ENIs that you want to remove.
  5. From the Actions menu, choose Detach.
  6. If you see the prompt Are you sure that you want to detach the following network interface?, choose Detach.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_17 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when jsonb_array_length(network_interfaces) = 1 then 'ok'
    else 'alarm'
  end status,
  title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.'
  as reason
  
  , region, account_id
from
  aws_ec2_instance;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = network_security
foundational_security_item_id = ec2_17
plugin = aws
service = AWS/EC2