---
title: ENIs should have source/destination check enabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# ENIs should have source/destination check enabled
 
## Description{% #description %}

Elastic Network Interfaces (ENIs) should have source/destination checking enabled. When disabled, an ENI can forward traffic it is not the source or destination of, effectively acting as a network bridge between VPCs or subnets. Only disable this check for network appliances such as NAT instances, firewalls, or load balancers that are explicitly authorized to route traffic.

AWS-managed interface types that legitimately require source/destination check disabled (NAT gateways, NLBs, GLBs, transit gateways, EC2 Instance Connect Endpoints, Global Accelerator, CloudFront VPC-origin ENIs, and EFA/EFA-only adapters) are automatically skipped.

## Remediation{% #remediation %}

Enable source/destination checking on the ENI.

1. Open the [Amazon EC2 console](https://console.aws.amazon.com/ec2/home#NetworkInterfaces).
1. Navigate to **Network Interfaces**, select the ENI, and choose **Actions > Change source/dest. check**.
1. Enable the source/destination check and save.
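
To audit many ENIs at once, the same condition can be evaluated over `aws ec2 describe-network-interfaces` output. The following is an added example, not Datadog's rule logic: the function names, the `authorized` allowlist, and the sample data are constructed for illustration, and `SKIPPED_TYPES` is an assumed, partial mapping of the AWS-managed types listed above to EC2 `InterfaceType` values.

```python
# Assumption: EC2 `InterfaceType` values for some of the AWS-managed types the
# page lists. Not exhaustive and not Datadog's own rule logic.
SKIPPED_TYPES = {
    "natGateway", "network_load_balancer", "gateway_load_balancer",
    "transit_gateway", "global_accelerator_managed", "efa", "efa-only",
}

# Constructed sample, trimmed to the fields used here.
SAMPLE = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "interface",
     "SourceDestCheck": True, "Attachment": {"InstanceId": "i-0001"}},
    {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "interface",
     "SourceDestCheck": False, "Attachment": {"InstanceId": "i-0002"}},
    {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "natGateway",
     "SourceDestCheck": False},
    {"NetworkInterfaceId": "eni-0ddd", "InterfaceType": "interface",
     "SourceDestCheck": False, "Attachment": {"InstanceId": "i-0004"}},
]}


def find_noncompliant(response, authorized=frozenset()):
    """Return ENIs with the check disabled that are neither skipped nor authorized."""
    findings = []
    for eni in response.get("NetworkInterfaces", []):
        if eni.get("SourceDestCheck") is not False:
            continue  # check enabled (or field absent): nothing to report
        if eni.get("InterfaceType") in SKIPPED_TYPES:
            continue  # AWS-managed type that needs the check disabled
        if eni["NetworkInterfaceId"] in authorized:
            continue  # appliance explicitly approved to route traffic
        findings.append({
            "eni": eni["NetworkInterfaceId"],
            "instance": eni.get("Attachment", {}).get("InstanceId"),
            "fix": remediation_command(eni["NetworkInterfaceId"]),
        })
    return findings


def remediation_command(eni_id):
    """AWS CLI equivalent of the console steps above."""
    return ("aws ec2 modify-network-interface-attribute "
            f"--network-interface-id {eni_id} --source-dest-check")


if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE, authorized={"eni-0ddd"}):
        print(f)
```

Keep the `authorized` set short and reviewed: every entry is an interface permitted to forward traffic that is not addressed to it.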
