EC2 network interfaces should have source/destination checking enabled

Source/destination checking is an anti-spoofing safeguard built into every ENI. When enabled, the ENI drops traffic where it is neither the source nor the destination, preventing the instance from relaying packets it shouldn't handle. Disabling this check is only appropriate for a narrow set of use cases: NAT instances, VPN appliances, or network firewalls that must forward traffic on behalf of other hosts.

If source/destination checking is disabled on a standard workload ENI, a compromised instance can be used as a traffic relay, enabling lateral movement or data exfiltration through unexpected network paths. Keeping the default enabled on all non-routing ENIs limits the blast radius of any single instance compromise.

Retrofit consideration

Instances currently acting as NAT gateways, VPN endpoints, or network appliances legitimately require source_dest_check disabled. Enabling the check on those ENIs will break forwarded traffic immediately.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_network_interface.

resource "aws_network_interface" "this" {
  subnet_id = "subnet-12345678"

  # Defaults to true; setting it explicitly documents intent and makes drift visible in plan output.
  source_dest_check = true
}

What this control checks

The aws_network_interface resource exposes source_dest_check, which defaults to true. The control passes when the argument is omitted (accepting the default) or explicitly set to true. It fails when set to false. The aws_instance resource has the same argument on its primary network interface, also defaulting to true. If you use inline network_interface blocks on aws_instance, the check applies to the underlying ENI. Ensure no standard workload ENI has source_dest_check = false.

Common pitfalls

  • NAT instances require explicit exceptions

    Migrating to aws_nat_gateway eliminates this problem entirely: managed NAT Gateways don't use ENIs you control, so there's nothing to exempt. If you're still running NAT instances, they must have source_dest_check = false to forward traffic, and each one needs a documented exception referencing the approved use case. Other forwarding appliances (VPN concentrators, inline firewalls) carry the same requirement.

  • source_dest_check on aws_instance vs aws_network_interface

    Both aws_instance and aws_network_interface expose source_dest_check. When you attach a separately managed aws_network_interface to an instance, the ENI-level setting takes precedence. Setting source_dest_check = true on the aws_instance resource does not override a false value on an attached aws_network_interface.

  • EFA interfaces created outside Terraform

    EFA ENIs spun up by EKS or parallel computing frameworks won't appear in your Terraform state, but the control evaluates them anyway. Run aws ec2 describe-network-interfaces --filters Name=interface-type,Values=efa to find unmanaged EFA interfaces before they surface as failures in your Config results.

  • Kubernetes CNI plugins may disable the check

    Some Kubernetes networking plugins call ModifyNetworkInterfaceAttribute to disable source/destination checking on worker node ENIs, creating drift from your Terraform configuration that won't be obvious until your next Config evaluation. Monitor CloudTrail for ModifyNetworkInterfaceAttribute events where sourceDestCheck is set to false.
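The CloudTrail monitoring described above, as an added example that is not part of the original page: a small triage script that reads CloudTrail records, keeps only ModifyNetworkInterfaceAttribute calls that write sourceDestCheck=false, and classifies each one against a list of documented exception ENIs. The log lines and the exception inventory are constructed for the example.

```python
"""Triage CloudTrail records for calls that disable source/dest checking on an ENI."""
import json

# Constructed sample records, not real captures. The shape mirrors the EC2 API:
# requestParameters.sourceDestCheck.value carries the boolean being written.
SAMPLE_LOG = """
{"eventTime":"2026-03-01T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyNetworkInterfaceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:role/eks-node"},"requestParameters":{"networkInterfaceId":"eni-0aaaa1111bbbb2222","sourceDestCheck":{"value":false}}}
{"eventTime":"2026-03-01T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyNetworkInterfaceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:role/terraform"},"requestParameters":{"networkInterfaceId":"eni-0nat0000nat00000","sourceDestCheck":{"value":false}}}
{"eventTime":"2026-03-01T10:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyNetworkInterfaceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops"},"requestParameters":{"networkInterfaceId":"eni-0cccc3333dddd4444","sourceDestCheck":{"value":true}}}
{"eventTime":"2026-03-01T10:07:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifyNetworkInterfaceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"},"errorCode":"Client.UnauthorizedOperation","requestParameters":{"networkInterfaceId":"eni-0eeee5555ffff6666","sourceDestCheck":{"value":false}}}
"""

# ENI IDs that have a documented exception record (assumed inventory for the example).
APPROVED_EXCEPTIONS = {"eni-0nat0000nat00000": "NAT instance, exception NAT-001"}


def disables_source_dest_check(event: dict) -> bool:
    """True when the call writes sourceDestCheck=false, regardless of its outcome."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return False
    if event.get("eventName") != "ModifyNetworkInterfaceAttribute":
        return False
    attr = (event.get("requestParameters") or {}).get("sourceDestCheck")
    return isinstance(attr, dict) and attr.get("value") is False


def triage(log_text: str, exceptions: dict) -> list:
    """Return one finding per disabling call, classified for the analyst."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if not disables_source_dest_check(ev):
            continue
        eni = ev["requestParameters"].get("networkInterfaceId", "unknown")
        if "errorCode" in ev:
            status = "denied-attempt"        # the API refused the change; still worth review
        elif eni in exceptions:
            status = "approved-exception"    # documented NAT / appliance ENI
        else:
            status = "ALERT"                 # drift on a standard workload ENI
        findings.append({"eni": eni, "time": ev.get("eventTime"), "status": status,
                         "actor": ev.get("userIdentity", {}).get("arn", "unknown")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, APPROVED_EXCEPTIONS):
        print(f"{f['status']:18} {f['eni']} by {f['actor']} at {f['time']}")
```

Feed it the output of a CloudTrail Lake query or an S3 trail export one JSON record per line; calls that set the value to true are ignored because they move the ENI back toward the compliant state.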

Audit evidence

Config rule evaluation results for the managed rule ec2-network-interface-source-dest-check showing all applicable ENIs as COMPLIANT. Console evidence includes the EC2 Network Interfaces listing with the 'Source/dest. check' column showing 'true' for each user-managed ENI. For programmatic coverage, aws ec2 describe-network-interfaces with the source-dest-check filter (or a --query on the SourceDestCheck field), run in each region in use, confirms the setting across the whole estate.

Any ENIs with the check intentionally disabled need documented exception records referencing an approved use case (NAT instance, firewall appliance) and a corresponding security review.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: ec2_network_inteface_source_destination_check_enabled

  • AWS Config Managed Rule: EC2_ENIS_SOURCE_DESTINATION_CHECK_ENABLED

  • Powerpipe Control: aws_compliance.control.ec2_network_inteface_source_destination_check_enabled

  • AWS Security Hub Control: EC2.180

Last reviewed: 2026-03-09