
RDS-managed ENI stuck in-use 6+ days after instance deletion — AuthFailure on all cleanup attempts

0

After deleting RDS instance (us-east-2) on 2026-05-01, ENI eni-0308a7ff88afd5eeb (RequesterManaged=true, RequesterId=amazon-rds) remains stuck in-use holding EIP eipalloc-026646fea70e8edb4 (3.148.29.5). All cleanup attempts fail with AuthFailure:

  • detach-network-interface --force → AuthFailure
  • disassociate-address → AuthFailure
  • delete-network-interface → InvalidParameterValue (in use)

RDS instance is fully gone (DBInstanceNotFound). No DB instances reference this ENI. 6 days past deletion — well outside the normal 24-72h auto-cleanup window. Account: 027654771150, Region: us-east-2
asked a month ago · 54 views
2 Answers
1

This looks like a requester-managed ENI owned by the RDS service, not a customer-managed ENI.

Because the network interface shows:

RequesterManaged=true
RequesterId=amazon-rds
Status=in-use

it cannot be detached or deleted directly from EC2 by the customer account. AWS requester-managed network interfaces are created and managed by the AWS service that owns them. In this case, the owner appears to be Amazon RDS.

Normally, when the associated RDS resource is deleted, RDS should also clean up the managed ENI. If the RDS instance has already been deleted and the ENI is still in-use after several days, this looks like a stale/orphaned RDS-managed ENI rather than a permissions issue that can be solved with a different IAM policy.

I would first collect evidence that there are no remaining RDS resources still referencing the VPC, subnet, or security group.

Check remaining DB instances:

aws rds describe-db-instances --region us-east-2 \
  --query "DBInstances[].{DBInstanceIdentifier:DBInstanceIdentifier,Status:DBInstanceStatus,SubnetGroup:DBSubnetGroup.DBSubnetGroupName,Vpc:DBSubnetGroup.VpcId}"

Check remaining DB clusters:

aws rds describe-db-clusters --region us-east-2 \
  --query "DBClusters[].{DBClusterIdentifier:DBClusterIdentifier,Status:Status,SubnetGroup:DBSubnetGroup,VpcSecurityGroups:VpcSecurityGroups}"

Check remaining DB proxies:

aws rds describe-db-proxies --region us-east-2 \
  --query "DBProxies[].{Name:DBProxyName,Status:Status,VpcId:VpcId,VpcSubnetIds:VpcSubnetIds,VpcSecurityGroupIds:VpcSecurityGroupIds}"

Check DB subnet groups:

aws rds describe-db-subnet-groups --region us-east-2 \
  --query "DBSubnetGroups[].{Name:DBSubnetGroupName,VpcId:VpcId,Subnets:Subnets[].SubnetIdentifier}"

Then confirm the ENI ownership and attachment state:

aws ec2 describe-network-interfaces --region us-east-2 \
  --network-interface-ids eni-0308a7ff88afd5eeb \
  --query "NetworkInterfaces[].{ENI:NetworkInterfaceId,Status:Status,RequesterManaged:RequesterManaged,RequesterId:RequesterId,Description:Description,Attachment:Attachment,SubnetId:SubnetId,VpcId:VpcId,Groups:Groups}"

If the ENI still shows:

RequesterManaged=true
RequesterId=amazon-rds
Status=in-use

and no RDS DB instance, cluster, proxy, or subnet group remains associated with it, then this is not something that can be fixed from the customer side. AWS Support needs to complete the cleanup of the stale RDS-managed attachment internally.

When opening or updating the AWS Support case, I would include:

  • ENI ID
  • Region
  • VPC ID
  • Subnet ID
  • Security Group ID
  • Deleted RDS instance identifier
  • Approximate deletion timestamp
  • Output of describe-network-interfaces
  • Output showing that no DB instances, clusters, proxies, or related subnet groups remain
  • The exact authorization or dependency error returned when trying to detach/delete the ENI

I would avoid trying to force-detach or manually delete this ENI. Since it is requester-managed by RDS, the correct path is to prove that the parent RDS resource no longer exists and ask AWS Support to remove the stale service-managed ENI or complete the backend cleanup.

answered a month ago
AWS
EXPERT
reviewed 23 days ago
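The answer above amounts to a decision procedure: gather the describe-* output, check whether the ENI is requester-managed by RDS and still in-use, check whether any live RDS resource still sits in the same VPC/subnet/security group, and if nothing does, assemble the evidence for a Support case. The script below is an added example (not AWS code and not part of this thread) that runs that procedure over the JSON documents those CLI commands emit. The ENI, EIP and region IDs come from the question; the VPC, subnet and security-group IDs are placeholders and the sample documents are constructed.

```python
"""Triage an RDS requester-managed ENI that refuses detach/delete.

Inputs are the JSON documents printed by `aws ec2 describe-network-interfaces`
and `aws rds describe-db-instances|describe-db-clusters|describe-db-proxies`
(without the --query filters), saved to files or parsed into dicts.
Constructed sample data at the bottom; vpc/subnet/sg IDs are placeholders.
"""
import json

RDS_REQUESTER = "amazon-rds"


def load_cli_output(path):
    """Read a saved `aws ... --output json` document."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def live_rds_footprint(db_instances, db_clusters, db_proxies):
    """Return (vpc_ids, subnet_ids, sg_ids) still referenced by live RDS
    resources. Field names follow the CLI's describe-* output shapes."""
    vpcs, subnets, sgs = set(), set(), set()
    for inst in db_instances.get("DBInstances", []):
        grp = inst.get("DBSubnetGroup", {})
        vpcs.add(grp.get("VpcId"))
        subnets.update(s["SubnetIdentifier"] for s in grp.get("Subnets", []))
        sgs.update(g["VpcSecurityGroupId"] for g in inst.get("VpcSecurityGroups", []))
    for cl in db_clusters.get("DBClusters", []):
        sgs.update(g["VpcSecurityGroupId"] for g in cl.get("VpcSecurityGroups", []))
    for proxy in db_proxies.get("DBProxies", []):
        vpcs.add(proxy.get("VpcId"))
        subnets.update(proxy.get("VpcSubnetIds", []))
        sgs.update(proxy.get("VpcSecurityGroupIds", []))
    vpcs.discard(None)
    return vpcs, subnets, sgs


def triage_eni(eni_doc, footprint):
    """Classify the first interface of a describe-network-interfaces document."""
    eni = eni_doc["NetworkInterfaces"][0]
    vpcs, subnets, sgs = footprint
    eni_sgs = {g["GroupId"] for g in eni.get("Groups", [])}
    if not eni.get("RequesterManaged"):
        return "customer-managed"        # EC2 detach/delete is yours to run
    if eni.get("Status") != "in-use":
        return "available"               # nothing is holding it any more
    if eni.get("RequesterId") != RDS_REQUESTER:
        return "other-service-managed"   # owned by a different AWS service
    still_backed = (eni.get("VpcId") in vpcs
                    or eni.get("SubnetId") in subnets
                    or bool(eni_sgs & sgs))
    # Live RDS resources nearby: expect RDS to clean up; none: stale attachment.
    return "rds-managed-active" if still_backed else "rds-managed-orphan"


def support_case_evidence(eni_doc, region, deleted_db_id, deletion_time, errors):
    """Lay out the Support-case checklist from the answer as plain text lines.
    `errors` maps the CLI sub-command tried to the error code it returned."""
    eni = eni_doc["NetworkInterfaces"][0]
    lines = [
        f"ENI ID: {eni['NetworkInterfaceId']}",
        f"Region: {region}",
        f"VPC ID: {eni['VpcId']}",
        f"Subnet ID: {eni['SubnetId']}",
        "Security Group IDs: " + ", ".join(g["GroupId"] for g in eni.get("Groups", [])),
        f"Deleted RDS instance: {deleted_db_id}",
        f"Approximate deletion time: {deletion_time}",
        f"RequesterManaged={eni.get('RequesterManaged')} "
        f"RequesterId={eni.get('RequesterId')} Status={eni.get('Status')}",
    ]
    lines += [f"Error from {cmd}: {err}" for cmd, err in errors.items()]
    return lines


# Constructed sample: the stuck ENI from the question; vpc/subnet/sg are placeholders.
STUCK_ENI = {"NetworkInterfaces": [{
    "NetworkInterfaceId": "eni-0308a7ff88afd5eeb",
    "Status": "in-use",
    "RequesterManaged": True,
    "RequesterId": "amazon-rds",
    "VpcId": "vpc-PLACEHOLDER",
    "SubnetId": "subnet-PLACEHOLDER",
    "Groups": [{"GroupId": "sg-PLACEHOLDER", "GroupName": "rds-sg-placeholder"}],
    "Association": {"PublicIp": "3.148.29.5", "AllocationId": "eipalloc-026646fea70e8edb4"},
}]}
# Constructed: what the three describe-* calls return once RDS is fully gone.
NO_RDS = ({"DBInstances": []}, {"DBClusters": []}, {"DBProxies": []})
ERRORS_SEEN = {"detach-network-interface --force": "AuthFailure",
               "disassociate-address": "AuthFailure",
               "delete-network-interface": "InvalidParameterValue (in use)"}

if __name__ == "__main__":
    verdict = triage_eni(STUCK_ENI, live_rds_footprint(*NO_RDS))
    print("verdict:", verdict)
    if verdict == "rds-managed-orphan":
        print("\n".join(support_case_evidence(
            STUCK_ENI, "us-east-2", "<deleted-db-identifier>", "2026-05-01", ERRORS_SEEN)))
```

With real data, replace the constructed dicts with `load_cli_output("eni.json")` and the three RDS documents; an "rds-managed-orphan" verdict is the case for the Support ticket, while "rds-managed-active" means a live instance, cluster or proxy still explains the attachment and the normal cleanup window applies.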
0

The RDS instance should have a private IP. Based on that, you can find the ENI in the EC2 console (EC2 console > Network interfaces, in the left menu). Once you find the ENI, you can delete it.

EXPERT
answered a month ago
