ENI Finder
Unattached Network Interface Finder
The ENI Finder is a Trigger automation that identifies Elastic Network Interfaces (ENIs) that are not attached to any instance or service. Unattached ENIs can incur unnecessary costs and clutter your VPC.
How It Works
```mermaid
graph LR
A[ENI Finder] --> B[List All ENIs]
B --> C[Check Status]
C --> D{Available?}
D -->|Yes| E[Flag as Unattached]
D -->|No| F[Skip]
E --> G[Generate Report]
```
- Enumerate - Lists all network interfaces across configured accounts and regions
- Filter - Identifies ENIs with status "available" (not attached)
- Analyze - Gathers details about each unattached ENI
- Report - Generates a report of findings
Why Unattached ENIs Matter
| Issue | Impact |
|---|---|
| Cost | ENIs with Elastic IPs incur hourly charges |
| Quota | Count against your ENI limits per region |
| Clutter | Make network management harder |
| Security | Unused ENIs may have outdated security groups |
Cost Impact
| Resource | Cost |
|---|---|
| Unattached ENI (no EIP) | Free |
| Unattached ENI with Elastic IP | ~$3.60/month |
| Multiple unused EIPs | Adds up quickly |
Running the Automation
- Navigate to Automations
- Find Unattached Network Interface Finder
- Click Trigger
- Wait for completion
- View results in Automation Reports
Prerequisites
The SkySaver IAM role needs:
```yaml
- Effect: "Allow"
  Action:
    - "ec2:DescribeNetworkInterfaces"
    - "ec2:DescribeAddresses"
  Resource: "*"
```
Understanding the Report
| Field | Description |
|---|---|
| ENI ID | Network interface ID (eni-xxx) |
| Status | “available” indicates unattached |
| VPC ID | VPC containing the ENI |
| Subnet ID | Subnet where ENI resides |
| Private IP | Primary private IP address |
| Has EIP | Whether an Elastic IP is associated |
| Security Groups | Attached security groups |
| Description | ENI description |
| Account | AWS account |
| Region | AWS region |
What to Do with Unattached ENIs
Review Before Action
Check if the ENI is:
- Managed by AWS - Lambda, ECS, EKS create ENIs automatically
- Reserved - Intentionally created for future use
- Orphaned - Left behind after resource deletion
Common Cleanup Actions
Delete the ENI (if truly orphaned):
```bash
aws ec2 delete-network-interface --network-interface-id eni-xxxxxxxxx
```
Release the associated EIP (if any):
```bash
aws ec2 release-address --allocation-id eipalloc-xxxxxxxxx
```
ENIs Created by AWS Services
Some ENIs are created and managed by AWS services:
| Service | ENI Purpose | Delete? |
|---|---|---|
| Lambda | VPC connectivity | No - managed by Lambda |
| ECS | Task networking | No - managed by ECS |
| EKS | Pod networking | No - managed by EKS |
| RDS | Database connectivity | No - managed by RDS |
| Requester-managed | Service-managed | Usually no |
Check the Description and RequesterManaged fields to identify service-managed ENIs.
Best Practices
- Run monthly - Regular cleanup prevents accumulation
- Check EIP association - Prioritize ENIs with attached EIPs (cost)
- Verify requester - Don’t delete service-managed ENIs
- Document exceptions - Tag ENIs that should be kept
- Review before deletion - Confirm ENI is truly unused
Filtering Results
When reviewing the report, focus on:
- ENIs with Elastic IPs - These cost money
- Non-requester-managed - Manually created ENIs
- Old ENIs - Created long ago and likely forgotten
- Empty descriptions - May have been created accidentally
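The following is an added example, not SkySaver's own code: it reproduces the enumerate/filter/analyze steps from How It Works over constructed DescribeNetworkInterfaces and DescribeAddresses responses, builds the report fields listed under Understanding the Report, and then applies the Filtering Results guidance (drop requester-managed ENIs, put EIP-bearing ones first). The response dicts, account id and region are assumed sample values.

```python
# Added example (not SkySaver's code): ENI Finder logic over constructed EC2 API responses.
from typing import Dict, List

# Constructed sample responses; shapes follow the EC2 API, values are made up.
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a1", "Status": "in-use", "VpcId": "vpc-1", "SubnetId": "subnet-1",
     "PrivateIpAddress": "10.0.1.10", "Groups": [{"GroupId": "sg-web"}], "Description": "web-1",
     "RequesterManaged": False},
    {"NetworkInterfaceId": "eni-0b2", "Status": "available", "VpcId": "vpc-1", "SubnetId": "subnet-1",
     "PrivateIpAddress": "10.0.1.20", "Groups": [{"GroupId": "sg-old"}], "Description": "",
     "RequesterManaged": False},
    {"NetworkInterfaceId": "eni-0c3", "Status": "available", "VpcId": "vpc-1", "SubnetId": "subnet-2",
     "PrivateIpAddress": "10.0.2.5", "Groups": [{"GroupId": "sg-fn"}], "Description": "Lambda VPC ENI",
     "RequesterManaged": True},
]}
SAMPLE_ADDRESSES = {"Addresses": [
    {"PublicIp": "203.0.113.7", "AllocationId": "eipalloc-0b2", "NetworkInterfaceId": "eni-0b2"},
    {"PublicIp": "203.0.113.8", "AllocationId": "eipalloc-9"},  # EIP not associated with any ENI
]}


def find_unattached_enis(eni_resp: dict, addr_resp: dict, account: str, region: str) -> List[Dict]:
    """Filter step: keep ENIs whose Status is 'available'; analyze step: build report rows."""
    # Map ENI id -> EIP allocation id from DescribeAddresses (needs ec2:DescribeAddresses).
    eip_by_eni = {a["NetworkInterfaceId"]: a["AllocationId"]
                  for a in addr_resp.get("Addresses", []) if "NetworkInterfaceId" in a}
    rows = []
    for eni in eni_resp.get("NetworkInterfaces", []):
        if eni.get("Status") != "available":
            continue  # in-use / attaching / detaching: attached, skip
        eni_id = eni["NetworkInterfaceId"]
        rows.append({
            "ENI ID": eni_id, "Status": eni["Status"], "VPC ID": eni.get("VpcId"),
            "Subnet ID": eni.get("SubnetId"), "Private IP": eni.get("PrivateIpAddress"),
            "Has EIP": eni_id in eip_by_eni, "EIP Allocation": eip_by_eni.get(eni_id),
            "Security Groups": [g["GroupId"] for g in eni.get("Groups", [])],
            "Description": eni.get("Description", ""),
            "RequesterManaged": bool(eni.get("RequesterManaged", False)),
            "Account": account, "Region": region,
        })
    return rows


def cleanup_candidates(rows: List[Dict]) -> List[Dict]:
    """Filtering Results: exclude service-managed ENIs, list EIP-bearing (costly) ones first."""
    manual = [r for r in rows if not r["RequesterManaged"]]
    return sorted(manual, key=lambda r: (not r["Has EIP"], r["ENI ID"]))


if __name__ == "__main__":
    for row in cleanup_candidates(find_unattached_enis(SAMPLE_ENIS, SAMPLE_ADDRESSES, "123456789012", "us-east-1")):
        print(row["ENI ID"], "EIP:" if row["Has EIP"] else "no EIP", row["EIP Allocation"] or "")
```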
Downloading Results
- Navigate to Automation Reports
- Find the ENI Finder execution
- Click Download CSV
- Open in spreadsheet for analysis
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| No ENIs found | Permissions issue | Verify IAM role |
| Service-managed ENIs flagged | Expected behavior | Filter by RequesterManaged |
| Missing regions | Region not configured | Update Project Defaults |
Related Topics
- Automation Reports - View execution history
- Security Group Finder - Related cleanup automation
- AWS Account Setup - IAM permissions