ENIs should have source/destination check enabled


Description

Elastic Network Interfaces (ENIs) should have source/destination checking enabled. With the check enabled, EC2 drops any packet the interface receives that is not addressed to it or sent from it. When the check is disabled, the ENI accepts and forwards traffic of which it is neither the source nor the destination, so the instance behind it can route or bridge traffic between subnets (or between VPCs, where routes point at it). Only disable this check on network appliances that are explicitly authorized to route traffic, such as NAT instances, firewalls, or self-managed load balancers. A disabled check on an ordinary workload instance is worth investigating: it is the setting an attacker needs to turn a compromised host into a router, tunnel endpoint, or traffic relay inside the VPC.

AWS-managed interface types that legitimately require the source/destination check to be disabled (NAT gateways, Network Load Balancers, Gateway Load Balancers, transit gateways, EC2 Instance Connect Endpoints, Global Accelerator, CloudFront VPC-origin ENIs, and EFA/EFA-only adapters) are automatically skipped. Self-managed appliances on regular `interface`-type ENIs are not recognised as such by this rule and must be excluded explicitly if they are expected to route traffic.

Remediation

Enable source/destination checking on the ENI.

  1. Open the Amazon EC2 console.
  2. Navigate to Network Interfaces, select the ENI, and choose Actions > Change source/dest. check.
  3. Enable the source/destination check and save.
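The following is an added example (not part of the original page or of any vendor tooling) showing the detection logic behind this rule and the matching CLI remediation. It consumes the JSON shape returned by `aws ec2 describe-network-interfaces`, skips the AWS-managed `InterfaceType` values named above, honours an allow-list of self-managed appliances that are authorized to route traffic, and emits one `aws ec2 modify-network-interface-attribute` command per offending ENI. The sample interface records are constructed for the example; the `InterfaceType` string for CloudFront VPC-origin ENIs is deliberately not hard-coded because I am not certain of its exact value, so such ENIs would need to be added to the allow-list by ID.

```python
"""Find ENIs with source/destination checking disabled and print remediation.

Added example: reads `aws ec2 describe-network-interfaces` JSON on stdin, or
uses the constructed sample below when run without input.
"""
import json
import sys

# InterfaceType values (as returned by DescribeNetworkInterfaces) for AWS-managed
# interfaces that legitimately run with the check disabled. CloudFront VPC-origin
# ENIs are intentionally absent (their type string is not assumed here).
MANAGED_INTERFACE_TYPES = frozenset({
    "nat_gateway",
    "network_load_balancer",
    "gateway_load_balancer",
    "transit_gateway",
    "ec2_instance_connect_endpoint",
    "global_accelerator_managed",
    "efa",
    "efa-only",
})


def is_managed(eni):
    """True when the ENI belongs to an AWS-managed service that needs the check off."""
    # An absent InterfaceType means a regular instance ENI ("interface").
    return eni.get("InterfaceType", "interface") in MANAGED_INTERFACE_TYPES


def find_noncompliant_enis(interfaces, authorized=frozenset()):
    """Return IDs of ENIs with SourceDestCheck=False that are neither AWS-managed
    nor listed in `authorized` (self-managed NAT instances, firewalls, etc.)."""
    return [
        eni["NetworkInterfaceId"]
        for eni in interfaces
        if eni.get("SourceDestCheck") is False
        and not is_managed(eni)
        and eni["NetworkInterfaceId"] not in authorized
    ]


def remediation_commands(eni_ids):
    """One AWS CLI command per ENI that re-enables the source/destination check."""
    return [
        f"aws ec2 modify-network-interface-attribute "
        f"--network-interface-id {eni_id} --source-dest-check Value=true"
        for eni_id in eni_ids
    ]


# Constructed sample records (not real account data).
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "interface",
     "SourceDestCheck": False, "Description": "Primary network interface"},
    {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "interface",
     "SourceDestCheck": True, "Description": "Primary network interface"},
    {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "nat_gateway",
     "SourceDestCheck": False, "Description": "Interface for NAT Gateway"},
    {"NetworkInterfaceId": "eni-0ddd", "InterfaceType": "efa",
     "SourceDestCheck": False, "Description": "EFA adapter"},
    {"NetworkInterfaceId": "eni-0eee", "InterfaceType": "interface",
     "SourceDestCheck": False, "Description": "self-managed NAT instance"},
]


def main():
    if sys.stdin.isatty():
        interfaces = SAMPLE_INTERFACES
    else:
        interfaces = json.load(sys.stdin)["NetworkInterfaces"]
    # Hypothetical allow-list of appliances that are authorized to route traffic.
    authorized = {"eni-0eee"}
    offenders = find_noncompliant_enis(interfaces, authorized)
    for cmd in remediation_commands(offenders):
        print(cmd)


if __name__ == "__main__":
    main()
```

Running it without input flags only `eni-0aaa`: the NAT gateway and EFA interfaces are skipped by type, and `eni-0eee` is excluded by the allow-list. Re-enabling the check on an appliance that really does forward traffic will break its routing, so populate the allow-list from your inventory before applying the generated commands.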