ENI Finder
Unattached Network Interface Finder
The Unattached Network Interface Finder is a Trigger automation that scans your AWS accounts for Elastic Network Interfaces (ENIs) with status available — meaning they are not attached to any instance or service. It reports findings only; it does not delete or modify any resources.
How It Works
```mermaid
graph LR
A[Run Now] --> B[Scan All Accounts]
B --> C[Scan Each Region]
C --> D[Find Available ENIs]
D --> E[Record Findings]
E --> F[Generate Report]
```

- Trigger - User clicks Run Now to start the automation
- Scan accounts - For each configured AWS account, assumes the cross-account IAM role
- Scan regions - Checks each configured region for ENIs with status `available`
- Filter - Skips AWS-managed ENIs (e.g. Lambda, ECS, EKS, RDS) and any ENIs tagged with `SkySaverIgnore=UnattachedENI`
- Record - Logs each unattached ENI as a finding in the report
No changes are made to your AWS resources — this automation is read-only.
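The scan-and-filter logic above, as an added example that is not SkySaver's own code. `find_unattached_enis` is the offline-testable core: it takes the `NetworkInterfaces` list from a DescribeNetworkInterfaces response and returns the rows the report would contain (plus one extra "Elastic IP" column, which is an addition, because an associated EIP is what has to be released before cleanup). The boto3 wrappers `scan_region` and `assume_role_session`, the `regions` key on the account record, and the sample response are assumptions about how such a scanner is wired, not SkySaver's implementation.

```python
"""Added example of the Unattached Network Interface Finder's scan logic.
Not SkySaver's code: the boto3 wiring and the sample data are assumptions."""

IGNORE_TAG_KEY = "SkySaverIgnore"
IGNORE_TAG_VALUE = "UnattachedENI"

# Fallback used when an account has no regions configured (from the page).
DEFAULT_REGIONS = [
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
    "eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1",
    "ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
]


def is_opted_out(eni):
    """True if the ENI carries the exact opt-out tag SkySaverIgnore=UnattachedENI."""
    tags = {t["Key"]: t.get("Value") for t in eni.get("TagSet", [])}
    return tags.get(IGNORE_TAG_KEY) == IGNORE_TAG_VALUE


def find_unattached_enis(interfaces, account_id, region):
    """Apply the finder's filters to DescribeNetworkInterfaces output.

    The status check is repeated here even if the caller filtered
    server-side, so the function is also safe on unfiltered output."""
    findings = []
    for eni in interfaces:
        if eni.get("Status") != "available":
            continue  # in-use / attaching / detaching: not orphaned
        if eni.get("RequesterManaged"):
            continue  # Lambda, ECS, EKS, RDS ... own this ENI's lifecycle
        if is_opted_out(eni):
            continue
        assoc = eni.get("Association") or {}
        findings.append({
            "ENI ID": eni["NetworkInterfaceId"],
            "Account": account_id,
            "Region": region,
            "VPC ID": eni.get("VpcId"),
            "Subnet ID": eni.get("SubnetId"),
            "Private IP": eni.get("PrivateIpAddress"),
            "Description": eni.get("Description", ""),
            "Interface Type": eni.get("InterfaceType"),
            "Availability Zone": eni.get("AvailabilityZone"),
            "Elastic IP": assoc.get("PublicIp"),  # extra column, not in the page's report
        })
    return findings


def regions_for(account):
    """Configured regions for an account record (assumed 'regions' key), else the defaults."""
    return list(account.get("regions") or DEFAULT_REGIONS)


def scan_region(session, account_id, region):
    """Live scan of one region with a boto3.Session for the target account.
    status=available is filtered server-side; the rest stays client-side."""
    ec2 = session.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_network_interfaces").paginate(
        Filters=[{"Name": "status", "Values": ["available"]}])
    interfaces = [eni for page in pages for eni in page["NetworkInterfaces"]]
    return find_unattached_enis(interfaces, account_id, region)


def assume_role_session(role_arn, session_name="unattached-eni-finder"):
    """Assumed cross-account hop: STS AssumeRole into the target account's role,
    which needs ec2:DescribeNetworkInterfaces. boto3 is imported here so the
    pure functions above work without it installed."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


def _eni(**overrides):
    """Build one constructed ENI record in DescribeNetworkInterfaces shape."""
    base = {"NetworkInterfaceId": "eni-0", "Status": "available", "RequesterManaged": False,
            "VpcId": "vpc-0a1b2c3d", "SubnetId": "subnet-0a1b2c3d", "PrivateIpAddress": "10.0.1.10",
            "Description": "", "InterfaceType": "interface", "AvailabilityZone": "us-east-1a",
            "TagSet": []}
    return {**base, **overrides}


# Constructed sample for one region: only the first and last should be reported.
SAMPLE_INTERFACES = [
    _eni(NetworkInterfaceId="eni-0000000000000001", Description="old bastion host"),
    _eni(NetworkInterfaceId="eni-0000000000000002", Status="in-use"),
    _eni(NetworkInterfaceId="eni-0000000000000003", RequesterManaged=True,
         Description="AWS Lambda VPC ENI-my-function"),
    _eni(NetworkInterfaceId="eni-0000000000000004",
         TagSet=[{"Key": "SkySaverIgnore", "Value": "UnattachedENI"}]),
    _eni(NetworkInterfaceId="eni-0000000000000005", PrivateIpAddress="10.0.1.50",
         Association={"PublicIp": "203.0.113.7", "AllocationId": "eipalloc-0123456789abcdef0"}),
]

if __name__ == "__main__":
    for row in find_unattached_enis(SAMPLE_INTERFACES, "123456789012", "us-east-1"):
        print(row)
```

Running the file prints the two findings from the constructed sample; for a live run, loop `scan_region(assume_role_session(role_arn), account_id, r)` over `regions_for(account)` for each configured account and write the rows out as the report.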
Running the Automation
- Navigate to Automations
- Find Unattached Network Interface Finder
- Click Run Now
- Wait for completion (time varies with number of accounts and regions)
- View results in Automation Reports
Opting Out an ENI
To exclude a specific ENI from the report, add the following tag to it in AWS:
- Key: `SkySaverIgnore`
- Value: `UnattachedENI`
What Gets Scanned
The automation scans all regions configured for each account. If no regions are configured, it defaults to scanning:
us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-west-2, eu-west-3, eu-central-1, ap-southeast-1, ap-southeast-2, ap-northeast-1
Understanding the Report
Each row in the Automation Report represents one unattached ENI:
| Field | Description |
|---|---|
| ENI ID | Network interface ID (eni-xxx) |
| Account | AWS account ID |
| Region | AWS region where the ENI exists |
| VPC ID | VPC containing the ENI |
| Subnet ID | Subnet where the ENI resides |
| Private IP | Primary private IP address |
| Description | ENI description (often indicates the creating service) |
| Interface Type | Type of interface (e.g., interface, vpc_endpoint) |
| Availability Zone | AZ where the ENI resides |
Why Unattached ENIs Matter
| Issue | Impact |
|---|---|
| Elastic IPs | Unattached ENIs with associated Elastic IPs incur hourly charges (~$3.60/month per EIP) |
| ENI limits | Count against your per-region ENI quota |
| Security | Unused ENIs keep their security groups, so stale rules survive audits and are inherited by whoever attaches the interface later; those groups also cannot be deleted while the ENI references them |
| Clutter | Make network management and auditing harder |
Cleaning Up Unattached ENIs
After reviewing the report, confirm in the AWS Console that the ENI is really orphaned (status still `available`, nothing about to attach it), then:

Release an associated Elastic IP (if any). In a VPC an address cannot be released while it is still associated, so disassociate it first; `aws ec2 describe-addresses` shows the association and allocation IDs:

```bash
aws ec2 disassociate-address --association-id eipassoc-xxxxxxxxx
aws ec2 release-address --allocation-id eipalloc-xxxxxxxxx
```

Delete the ENI:

```bash
aws ec2 delete-network-interface --network-interface-id eni-xxxxxxxxx
```
Prerequisites
The SkySaver IAM role in each target account needs:
ec2:DescribeNetworkInterfaces
Troubleshooting
| Issue | Likely Cause | Solution |
|---|---|---|
| No ENIs found | No unattached ENIs exist, or permissions issue | Verify IAM role has ec2:DescribeNetworkInterfaces |
| Expected ENI missing | ENI has SkySaverIgnore=UnattachedENI tag | Remove the tag if you want it included |
| Missing regions | Regions not configured for the account | Update regions in Tenant Management or project defaults |
| Expected ENI not in report | It is AWS-managed (RequesterManaged=True) | This is correct — AWS-managed ENIs are automatically excluded |
Related Topics
- Automation Reports - View execution history and download CSV
- Orphaned Security Group Finder - Related cleanup automation
- AWS Account Setup - IAM permissions setup