@magnetikonline
Last active September 20, 2023 13:01
Remove AWS created network interfaces for VPC Lambda functions from given security group ID.

Remove AWS network interfaces from security group ID

This script has been handy for cleaning up security groups that were used by AWS Lambda functions configured to run inside a VPC and that still hold an ENI association.

Why this is a problem:

  • A Lambda function is created within the given VPC subnet(s) and assigned a security group.
  • During deployment, AWS creates ENIs on your behalf, assigned to that security group and placed into the instructed subnet(s).
  • Next, the Lambda function is changed to use a new security group. AWS now creates new ENIs, as ENIs are only reused between Lambda functions sharing the same security group/subnet combination.
  • Finally, the user wishes to clean up the legacy security group, but can't, as the existing ENIs still reference it.

By running this script against the offending legacy security group ID:

  • All ENIs associated with the security group are located.
  • Each offending ENI is updated to use the VPC's default security group, releasing the legacy security group.
  • The security group can now be deleted.
  • AWS will then come along and clean up the now-unused ENIs.

#!/bin/bash -e

SECURITY_GROUP_ID="sg-XXXX"

function main {
	# declare and assign separately so a failing aws call is not masked from "set -e"
	local vpcId
	local defaultSecurityGroupId
	local eniIdList

	# fetch VPC ID for security group
	vpcId=$(aws ec2 describe-security-groups \
		--group-ids "$SECURITY_GROUP_ID" \
		--output text \
		--query "SecurityGroups[0].VpcId")

	# fetch default security group for VPC
	defaultSecurityGroupId=$(aws ec2 describe-security-groups \
		--filters "Name=group-name,Values=default" "Name=vpc-id,Values=$vpcId" \
		--output text \
		--query "SecurityGroups[0].GroupId")

	echo "vpcID [$vpcId]"
	echo "default security group [$defaultSecurityGroupId]"

	# locate every ENI currently associated with the security group (one ID per line)
	eniIdList=$(aws ec2 describe-network-interfaces \
		--filters "Name=group-id,Values=$SECURITY_GROUP_ID" \
		--output text \
		--query "NetworkInterfaces[].[NetworkInterfaceId]")

	local IFS=$'\n'
	local eni
	for eni in $eniIdList; do
		# move the ENI onto the VPC default security group, releasing the legacy one
		echo "Assign default security group [$defaultSecurityGroupId] to ENI [$eni]"
		aws ec2 modify-network-interface-attribute \
			--groups "$defaultSecurityGroupId" \
			--network-interface-id "$eni"
	done

	echo "Delete security group [$SECURITY_GROUP_ID]"
	aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID"
}

main
@jedrekdomanski

jedrekdomanski commented Jan 8, 2022

Thanks, that helped me solve my very similar problem.

@yossi-silberhaft

This script is awesome! Thank you!

@dsiejak-ut

dsiejak-ut commented Apr 27, 2023

Here you might want a slightly different version of this script, where the security group is just detached.

#!/bin/bash -e

SECURITY_GROUP_ID="${1?You need to specify a security group id as first argument}"

# workaround for linux: aliases are not expanded in non-interactive bash scripts,
# so wrap the system sed in a function when GNU gsed is absent
if ! type -p gsed >/dev/null; then
	gsed() { sed "$@"; }
fi

function main {
	# declare and assign separately so a failing aws call is not masked from "set -e"
	local eniIdList
	eniIdList=$(aws ec2 describe-network-interfaces \
		--filters "Name=group-id,Values=$SECURITY_GROUP_ID" \
		--output text \
		--query "NetworkInterfaces[].[NetworkInterfaceId]")

	local IFS=$'\n'
	local eni
	for eni in $eniIdList; do
		# fetch current security groups for ENI, dropping the one being detached
		local securityGroupIds
		securityGroupIds=$(aws ec2 describe-network-interfaces \
			--network-interface-id "$eni" \
			--query "NetworkInterfaces[].Groups[].GroupId" \
			--output text | gsed "s/$SECURITY_GROUP_ID//g" | gsed -E 's/\s+/ /g')

		# split the space separated list into an array (avoids eval on API output)
		local groups
		IFS=' ' read -ra groups <<< "$securityGroupIds"

		# an ENI must keep at least one security group - skip rather than fail the run
		if [[ ${#groups[@]} -eq 0 ]]; then
			echo "ENI [$eni] has no other security group - skipping"
			continue
		fi

		echo "Assign to ENI [$eni] security groups:" "${groups[@]}"
		aws ec2 modify-network-interface-attribute \
			--network-interface-id "$eni" \
			--groups "${groups[@]}"
	done

	echo "Delete security group [$SECURITY_GROUP_ID]"
	aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID"
}

main
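A pre-flight check, added here and not part of the gist or of either commenter's script: given the output of `aws ec2 describe-network-interfaces` (a constructed sample is embedded below), it works out which ENIs can simply drop the legacy group, which would be left with no group at all (the case where the detach variant above fails and the original script's default-group fallback is needed), and which are not Lambda-managed and should not be silently moved onto the VPC default security group. The fields used to recognise Lambda ENIs (`InterfaceType`, `RequesterManaged`, the `Description` prefix) are assumptions about how the API reports them, not something the gist states.

```python
# Constructed sample in the shape of "aws ec2 describe-network-interfaces" output
# (not real account data): two Lambda-managed ENIs and one EC2 instance ENI, all
# still carrying the legacy security group sg-LEGACY.
SAMPLE_RESPONSE = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "lambda",
         "RequesterManaged": True,
         "Description": "AWS Lambda VPC ENI-my-function-00000000",
         "Groups": [{"GroupId": "sg-LEGACY"}, {"GroupId": "sg-NEW"}]},
        {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "lambda",
         "RequesterManaged": True,
         "Description": "AWS Lambda VPC ENI-my-function-11111111",
         "Groups": [{"GroupId": "sg-LEGACY"}]},
        {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "interface",
         "RequesterManaged": False,
         "Description": "Primary network interface",
         "Groups": [{"GroupId": "sg-LEGACY"}, {"GroupId": "sg-APP"}]},
    ]
}


def is_lambda_managed(eni):
    """True for ENIs Lambda created on the account's behalf (field names assumed)."""
    return eni.get("InterfaceType") == "lambda" or (
        eni.get("RequesterManaged") is True
        and eni.get("Description", "").startswith("AWS Lambda VPC ENI")
    )


def plan_release(response, legacy_sg, default_sg):
    """Decide, per ENI referencing legacy_sg, what releasing it would do.
    Returns {eni_id: action} where action is one of
      ("detach", [remaining groups])  legacy group can simply be dropped
      ("fallback", [default_sg])      legacy group was the only one; use the VPC default
      ("skip", reason)                not a Lambda ENI; leave it for a human to decide
    """
    plan = {}
    for eni in response["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        groups = [g["GroupId"] for g in eni.get("Groups", [])]
        if legacy_sg not in groups:
            continue
        if not is_lambda_managed(eni):
            plan[eni_id] = ("skip", "not Lambda-managed; do not move it to " + default_sg)
            continue
        remaining = [g for g in groups if g != legacy_sg]
        plan[eni_id] = ("detach", remaining) if remaining else ("fallback", [default_sg])
    return plan
```

Feed it the real response (for example `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg> --output json`) and act only on the "detach" and "fallback" entries; anything marked "skip" deserves a look before its security groups change.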
