ENIs should have source/destination check enabled

Description

Elastic Network Interfaces (ENIs) should have source/destination checking enabled. With the check disabled, an ENI can forward traffic for which it is neither the source nor the destination, effectively acting as a network bridge between VPCs or subnets. Only disable this check for network appliances such as NAT instances, firewalls, or load balancers that are explicitly authorized to route traffic.

AWS-managed interface types that legitimately require source/destination check disabled (NAT gateways, NLBs, GLBs, transit gateways, EC2 Instance Connect Endpoints, Global Accelerator, CloudFront VPC-origin ENIs, and EFA/EFA-only adapters) are automatically skipped.

Remediation

Enable source/destination checking on the ENI.

  1. Open the Amazon EC2 console.
  2. Navigate to Network Interfaces, select the ENI, and choose Actions > Change source/dest. check.
  3. Enable the source/destination check and save.
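The description above defines the finding (source/destination check off on an ENI that is not an exempt AWS-managed type) and the remediation re-enables the check. The following is an added example, not Datadog's or AWS's own code: it evaluates that logic over constructed describe-network-interfaces output and shows the boto3 call that re-enables the check. The mapping of the page's exemption list onto EC2 InterfaceType values is an assumption, and CloudFront VPC-origin ENIs are left out because their type value is not given on the page.

```python
"""Detection logic for the ENI source/destination-check rule, run over
constructed describe-network-interfaces output (added example)."""

# Assumed mapping of the page's exemption list onto EC2 InterfaceType values.
# CloudFront VPC-origin ENIs are not covered here (their type value is not
# on the page; assume a separate check would be needed for them).
EXEMPT_INTERFACE_TYPES = {
    "natGateway",                    # NAT gateways
    "network_load_balancer",         # NLBs
    "gateway_load_balancer",         # GLBs
    "transit_gateway",               # transit gateways
    "ec2_instance_connect_endpoint", # EC2 Instance Connect Endpoints
    "global_accelerator_managed",    # Global Accelerator
    "efa",                           # Elastic Fabric Adapter
    "efa-only",                      # EFA-only adapters
}


def is_noncompliant(eni: dict) -> bool:
    """True when the ENI may forward traffic it does not own (SourceDestCheck
    false) and is not an AWS-managed type that legitimately needs that."""
    if eni.get("SourceDestCheck", True):
        return False
    return eni.get("InterfaceType", "interface") not in EXEMPT_INTERFACE_TYPES


def find_noncompliant(interfaces: list[dict]) -> list[str]:
    """Return the IDs of ENIs that should be flagged by this rule."""
    return [e["NetworkInterfaceId"] for e in interfaces if is_noncompliant(e)]


def remediate(ec2_client, eni_ids: list[str]) -> None:
    """Re-enable the check; ec2_client is a boto3 EC2 client supplied by the caller."""
    for eni_id in eni_ids:
        ec2_client.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, SourceDestCheck={"Value": True}
        )


# Constructed sample shaped like the NetworkInterfaces list returned by
# describe_network_interfaces; the IDs are placeholders.
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "interface", "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "interface", "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "natGateway", "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-0ddd", "InterfaceType": "efa", "SourceDestCheck": False},
]

if __name__ == "__main__":
    print(find_noncompliant(SAMPLE_INTERFACES))  # ['eni-0bbb']
```

Only the plain interface with the check disabled is flagged; the NAT gateway and EFA interfaces are skipped as the rule describes, and `remediate` can then be pointed at the flagged IDs with a real boto3 client.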