Why can't I detach or delete an elastic network interface that Lambda created?

Last updated: 2021-12-01

When I try to detach or delete an elastic network interface that AWS Lambda created, I get the following error message: "You are not allowed to manage 'ela-attach' attachments." Why is this happening, and how do I delete a network interface Lambda created?

Short description

When you configure a Lambda function to access resources in an Amazon Virtual Private Cloud (Amazon VPC), Lambda assigns the function to a network interface. The network interfaces that Lambda creates can be deleted by the Lambda service only.

If you delete the resources that the network interface represents, then Lambda detaches and deletes the network interface for you. To delete unused network interfaces, the Lambda service uses the execution role of the functions that created the network interfaces.

Network interfaces aren't deleted if they're being used by functions or function versions with the same Amazon VPC configurations as the functions that created them.

To identify which functions or function versions are currently using a network interface, use the Lambda ENI Finder bash script on GitHub.

For more information, see Requester-managed network interfaces.

Note: Lambda shares network interfaces across multiple functions that have the same Amazon VPC configuration. Sharing network interfaces helps reduce the number of network interfaces used in your AWS account.


Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Identify any functions and function versions that are still using the network interface by running the Lambda ENI Finder

Note: The commands in the following instructions are valid for Linux, Unix, and macOS operating systems only.

1.    If you haven't done so already, install the AWS CLI.

2.    Configure the AWS CLI with an AWS Identity and Access Management (IAM) role that has permissions to query Lambda and network interfaces. For more information, see Execution role and user permissions.

3.    Install the command-line JSON processor jq by running the following command:

$ sudo yum install jq -y

Note: For more information, see the jq website on GitHub.

4.    If you haven't done so already, install Git by running the following command:

$ sudo yum install git -y

5.    Clone the aws-support-tools GitHub repository by running the following command:

$ git clone https://github.com/awslabs/aws-support-tools.git

6.    Change the directory to the location of Lambda ENI Finder.

$ cd aws-support-tools
$ cd Lambda
$ cd FindEniMappings

7.    Run Lambda ENI Finder for the network interface that you want to delete by running the following command:

$ ./findEniAssociations --eni eni-0123456789abcef01 --region us-east-1

Important: Replace eni-0123456789abcef01 with the network interface's ID. (You can find the ID on the Network Interfaces page of the Amazon Elastic Compute Cloud (Amazon EC2) console.) Also, replace us-east-1 with the AWS Region that the network interface is in.

The output returns a list of the Lambda functions and function versions in your AWS account and specified Region that are using the network interface.

Note: If you still need any of these functions or function versions, then you likely don't need the network interface to be deleted.

To delete a network interface that Lambda created

1.    For each unpublished Lambda function version ($LATEST) the Lambda ENI Finder listed, do one of the following:

      - Change the Amazon VPC configuration to use a different subnet and security group.
      - Disconnect the function from the Amazon VPC.

2.    For each published Lambda function version listed, delete the function version.
Note: Published function versions can't be edited, so you can't change the VPC configuration.

3.    Verify that the network interface is no longer being used by running the Lambda ENI Finder again.

If no other functions or function versions are listed in the output, Lambda deletes the network interface automatically within 24 hours.
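The matching and cleanup decision behind the two procedures above, as an added example (this is not the Lambda ENI Finder script and not code from this article). It assumes a function shares the network interface when the interface's subnet is one of the function's subnets and the two security group sets are equal, and it runs on constructed records shaped like the output of aws ec2 describe-network-interfaces and aws lambda list-functions --function-version ALL.

```python
# Added example: constructed sample data, all IDs are made up.
# ENI record shaped like `aws ec2 describe-network-interfaces` output.
SAMPLE_ENI = {
    "NetworkInterfaceId": "eni-0123456789abcef01",
    "SubnetId": "subnet-aaa",
    "Groups": [{"GroupId": "sg-111"}, {"GroupId": "sg-222"}],
}
# Function records shaped like `aws lambda list-functions --function-version ALL`.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders", "Version": "$LATEST",
     "VpcConfig": {"SubnetIds": ["subnet-aaa", "subnet-bbb"],
                   "SecurityGroupIds": ["sg-222", "sg-111"]}},
    {"FunctionName": "orders", "Version": "3",
     "VpcConfig": {"SubnetIds": ["subnet-aaa"],
                   "SecurityGroupIds": ["sg-111", "sg-222"]}},
    {"FunctionName": "reports", "Version": "$LATEST",   # same subnet, other groups
     "VpcConfig": {"SubnetIds": ["subnet-aaa"], "SecurityGroupIds": ["sg-111"]}},
    {"FunctionName": "legacy", "Version": "$LATEST",    # VPC config cleared
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}},
    {"FunctionName": "thumbs", "Version": "$LATEST"},   # never attached to a VPC
]


def uses_eni(function, eni):
    """Assumed rule: ENI subnet is one of the function's subnets and the
    security group sets are identical (order does not matter)."""
    vpc = function.get("VpcConfig") or {}
    eni_groups = {g["GroupId"] for g in eni.get("Groups", [])}
    return (eni["SubnetId"] in vpc.get("SubnetIds", [])
            and set(vpc.get("SecurityGroupIds", [])) == eni_groups)


def cleanup_plan(functions, eni):
    """Map each function version that uses the ENI to the article's delete step."""
    plan = []
    for fn in functions:
        if not uses_eni(fn, eni):
            continue
        if fn["Version"] == "$LATEST":
            action = "change VPC configuration or disconnect from VPC"
        else:
            action = "delete function version"  # published versions can't be edited
        plan.append((fn["FunctionName"], fn["Version"], action))
    return plan


if __name__ == "__main__":
    for name, version, action in cleanup_plan(SAMPLE_FUNCTIONS, SAMPLE_ENI):
        print(f"{name}:{version} -> {action}")
```

An empty plan corresponds to the state in which no functions or function versions are listed for the network interface.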
