Why can't I detach or delete an elastic network interface created by Lambda?

Last updated: 2020-03-27

When I try to detach or delete an elastic network interface that was created by AWS Lambda, I get the error message "You are not allowed to manage 'ela-attach' attachments." Why can't I delete the network interface?

Short Description

Network interfaces that Lambda creates can be deleted only by Lambda. For more information, see Requester-Managed Network Interfaces.

Lambda periodically deletes your unused Lambda-created network interfaces on your behalf using the execution role of the functions that created the network interfaces. Lambda doesn't delete network interfaces in your account that are currently in use by functions or function versions with the same Amazon Virtual Private Cloud (Amazon VPC) configurations as the functions that created the network interfaces.

Note: Lambda shares network interfaces across multiple functions that have the same Amazon VPC configuration (the same subnets and security groups). Sharing network interfaces reduces the number of network interfaces used in your AWS account.

To identify which functions or function versions are currently using a network interface, use Lambda ENI Finder.

Resolution

Run Lambda ENI Finder

Note: The commands in the following instructions are valid only for Linux/Unix/macOS systems.

1.    If you haven't done so already, install the AWS Command Line Interface (AWS CLI).

2.    Configure the AWS CLI with an AWS Identity and Access Management (IAM) role that has permissions to query Lambda and network interfaces. For more information, see Execution Role and User Permissions.

3.    Install the command line JSON processor jq:

$ sudo yum install jq -y

For more information, see the jq website on GitHub.

4.    If you haven't done so already, install git:

$ sudo yum install git -y

5.    Download Lambda ENI Finder by cloning the aws-support-tools repository:

$ git clone https://github.com/awslabs/aws-support-tools.git

6.    Change the directory to the location of Lambda ENI Finder:

$ cd aws-support-tools
$ cd Lambda
$ cd FindEniMappings

7.    Run Lambda ENI Finder for the network interface that you want deleted:

./findEniAssociations --eni eni-0123456789abcef01 --region us-east-1

Note: Replace eni-0123456789abcef01 with the ID of the network interface. (Find the ID on the Network Interfaces page of the Amazon Elastic Compute Cloud (Amazon EC2) console.) Replace us-east-1 with the AWS Region of the network interface.

The output lists all Lambda functions and function versions in your AWS account (and the Region that you specified) that are using the network interface.

Note: If you still need any of these functions or function versions, then you likely don't need to delete the network interface, because the functions still depend on it.

Delete the network interface

To have Lambda delete the network interface, do the following:

1.    For each unpublished Lambda function (the $LATEST version) that Lambda ENI Finder listed, change the Amazon VPC configuration to use a different subnet and security group. Or, you can disconnect the function from the Amazon VPC entirely.

2.    For each published Lambda function version listed, delete the function version. Published versions can't be edited, so the VPC configuration can't be changed.

3.    Run Lambda ENI Finder again to verify that the network interface is no longer in use. If no other functions or function versions are listed in the output, Lambda deletes the network interface for you within 24 hours.
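The following is an added example that is not part of this article and not the aws-support-tools findEniAssociations script. It shows, on constructed data, the two steps the procedure above relies on: matching a requester-managed network interface to the function versions that share its VPC configuration (the matching rule used here, subnet membership plus an identical security group set, is an assumption of the example), and turning each match into the cleanup action from the "Delete the network interface" section ($LATEST is reconfigured, published versions are deleted). The field names in the comments mirror the describe-network-interfaces and list-functions / list-versions-by-function output; the ENI, subnet, security group and function names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class NetworkInterface:
    # Mirrors describe-network-interfaces: NetworkInterfaceId, SubnetId,
    # Groups[].GroupId and RequesterManaged.
    eni_id: str
    subnet_id: str
    security_groups: FrozenSet[str]
    requester_managed: bool


@dataclass(frozen=True)
class FunctionVersion:
    # Mirrors list-functions / list-versions-by-function: FunctionName,
    # Version ("$LATEST" or a published number) and
    # VpcConfig.SubnetIds / VpcConfig.SecurityGroupIds.
    name: str
    version: str
    subnet_ids: FrozenSet[str]
    security_group_ids: FrozenSet[str]


def functions_using_eni(eni: NetworkInterface,
                        functions: List[FunctionVersion]) -> List[FunctionVersion]:
    """Return the function versions whose VPC configuration maps onto this ENI.

    Matching rule (an assumption of this example): the ENI's subnet is one of
    the function's subnets and the security group sets are identical. A
    function with an extra or missing security group gets its own ENI and is
    therefore not a user of this one.
    """
    return [f for f in functions
            if eni.subnet_id in f.subnet_ids
            and f.security_group_ids == eni.security_groups]


def cleanup_plan(eni: NetworkInterface,
                 functions: List[FunctionVersion]) -> List[Tuple[str, str, str]]:
    """Map each match to the action from the article's deletion procedure.

    Returns (function name, version, action). An empty plan means nothing
    references the ENI any more and Lambda will remove it on its own.
    """
    if not eni.requester_managed:
        # A user-created ENI is not managed by Lambda; this procedure does
        # not apply to it and the owner can detach/delete it directly.
        raise ValueError(f"{eni.eni_id} is not requester-managed")
    plan = []
    for f in functions_using_eni(eni, functions):
        if f.version == "$LATEST":
            # Unpublished version: point it at other subnets/security groups
            # or remove the VpcConfig entirely.
            action = "update-function-configuration: change or remove VpcConfig"
        else:
            # Published versions are immutable, so the only option is deletion.
            action = f"delete-function --qualifier {f.version}"
        plan.append((f.name, f.version, action))
    return plan


# Constructed sample data (hypothetical IDs and function names).
ENI = NetworkInterface("eni-0123456789abcef01", "subnet-0aaa",
                       frozenset({"sg-0111"}), requester_managed=True)

FUNCTIONS = [
    FunctionVersion("orders", "$LATEST", frozenset({"subnet-0aaa", "subnet-0bbb"}),
                    frozenset({"sg-0111"})),                       # shares the ENI
    FunctionVersion("orders", "3", frozenset({"subnet-0aaa"}),
                    frozenset({"sg-0111"})),                       # published, shares it
    FunctionVersion("reports", "$LATEST", frozenset({"subnet-0aaa"}),
                    frozenset({"sg-0111", "sg-0222"})),            # different SG set
    FunctionVersion("archive", "$LATEST", frozenset({"subnet-0ccc"}),
                    frozenset({"sg-0111"})),                       # different subnet
]


if __name__ == "__main__":
    for name, version, action in cleanup_plan(ENI, FUNCTIONS):
        print(f"{name}:{version} -> {action}")
```

Running the block prints the two "orders" entries and nothing for "reports" or "archive"; after the $LATEST configuration is changed and version 3 is deleted, the plan is empty, which is the state the final step above checks for before Lambda deletes the interface within 24 hours.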