tthtlc

Untitled

May 7th, 2025
In AWS, when you're trying to **delete or detach a network interface (ENI)** and encounter the error:

> **"You do not have permission to access the specified resource."**

this usually means **one of two main things**:

---

### ✅ 1. **Permission Denied by IAM Policy**

You are likely **not authorized via IAM policy** to perform `ec2:DetachNetworkInterface` or `ec2:DeleteNetworkInterface`.

#### 🔍 Root Cause:

Check whether your IAM role/user has the following permissions (shown here as a complete policy document so it can be attached as-is):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
```

If your IAM policy does **not include these**, or there's a **Deny** statement in an SCP (Service Control Policy) or permissions boundary, you'll see that error.
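The reason an Allow in your own policy is not enough is the order in which IAM combines the layers: an explicit Deny anywhere wins, and otherwise the identity policy, the SCP and the permissions boundary must each Allow the action. The following is an added example (not AWS code and not part of the original paste) that models exactly that rule over constructed sample policies; the account ID and ENI ARN are placeholders, and conditions, resource-based policies, `NotAction` and session policies are deliberately left out.

```python
"""Simplified model of how IAM decides an EC2 API call.

Added example, not AWS code. It covers only what matters for the error above:
an explicit Deny in any layer wins, otherwise the identity policy, the SCP
(if one applies) and the permissions boundary (if one is set) must each Allow.
Conditions, resource-based policies, NotAction/NotResource and session
policies are deliberately left out.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM action/resource wildcards ('*', '?') behave like shell globs.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny short-circuits everything
        verdict = "Allow"
    return verdict


def blocking_layer(identity_policy, action, resource, scp=None, boundary=None):
    """Name the layer that prevents the call, or None if it is allowed.

    Turns the opaque 'You do not have permission' into a pointer: a Deny in
    any layer is reported first, then a missing Allow in any layer."""
    layers = [("identity policy", identity_policy),
              ("SCP", scp),
              ("permissions boundary", boundary)]
    verdicts = [(name, evaluate_policy(p, action, resource))
                for name, p in layers if p is not None]
    for name, v in verdicts:
        if v == "Deny":
            return f"explicit Deny in {name}"
    for name, v in verdicts:
        if v != "Allow":
            return f"no Allow in {name}"
    return None


def is_allowed(identity_policy, action, resource, scp=None, boundary=None):
    return blocking_layer(identity_policy, action, resource, scp, boundary) is None


# --- constructed sample policies for the scenario in the text -------------
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeNetworkInterfaces",
                   "ec2:DetachNetworkInterface",
                   "ec2:DeleteNetworkInterface"],
        "Resource": "*",
    }],
}

# SCP that allows everything except deleting EC2 resources: the identity
# Allow above no longer helps for ec2:DeleteNetworkInterface.
SCP_NO_EC2_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:Delete*", "Resource": "*"},
    ],
}

# Permissions boundary that only grants read-only EC2: no Deny, but no Allow
# for Detach/Delete either, which is just as fatal.
BOUNDARY_EC2_READONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}

# Placeholder ARN (constructed; not a real account or ENI).
ENI_ARN = "arn:aws:ec2:us-east-1:123456789012:network-interface/eni-0123456789abcdef0"


if __name__ == "__main__":
    for action in ("ec2:DetachNetworkInterface", "ec2:DeleteNetworkInterface"):
        print(action, "| identity only ->",
              blocking_layer(IDENTITY_POLICY, action, ENI_ARN))
        print(action, "| with SCP ->",
              blocking_layer(IDENTITY_POLICY, action, ENI_ARN, scp=SCP_NO_EC2_DELETE))
        print(action, "| with boundary ->",
              blocking_layer(IDENTITY_POLICY, action, ENI_ARN, boundary=BOUNDARY_EC2_READONLY))
```

Against a real principal the same question is answered by `aws iam simulate-principal-policy --policy-source-arn <your-role-or-user-arn> --action-names ec2:DetachNetworkInterface ec2:DeleteNetworkInterface`, which reports the effective decision per action; the model above is only there to show why a boundary with no matching Allow fails just like an explicit Deny.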
### ✅ 2. **ENI is Attached to a System-Owned Resource**

Even with full permissions, AWS will **block you from detaching/deleting an ENI** if it’s **attached to a managed or system-owned resource**, such as:

* The **primary ENI** of an EC2 instance.
* A **Lambda** function (if it's a VPC-attached Lambda).
* An **ECS task**.
* An **AWS Load Balancer**.
* An **Elastic File System (EFS)** mount target.

#### 🔍 Root Cause:

Each ENI has an **`Attachment` block** in its metadata. If `Attachment.Status` is `"attached"` and `InstanceOwnerId` is not your AWS account ID, the attachment is **owned by AWS**, and cannot be detached manually.

You can inspect it with:

```bash
aws ec2 describe-network-interfaces --network-interface-ids eni-xxxxxxxx
```

And look for an `InstanceOwnerId` that is a service name (here `amazon-elb`; other AWS services use their own) rather than your account ID:

```json
"Attachment": {
  "InstanceOwnerId": "amazon-elb",
  "Status": "attached",
  ...
}
```
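Reading that output by eye works for one ENI; when a VPC will not delete because of a handful of stragglers it helps to triage the whole list at once. The following is an added example (my own script, not AWS tooling and not part of the original paste) that applies the rule above to the JSON printed by `aws ec2 describe-network-interfaces`. `RequesterManaged`, `InstanceOwnerId`, `DeviceIndex` and `Status` are real fields of that output; the sample data and the account ID `123456789012` are constructed.

```python
"""Classify ENIs from `aws ec2 describe-network-interfaces` output.

Added example, not AWS tooling. For each ENI it decides whether a manual
detach/delete can work, or whether the ENI belongs to an AWS-managed parent
(load balancer, Lambda, ECS task, EFS mount target, ...) that has to be
removed instead. RequesterManaged, InstanceOwnerId and DeviceIndex are real
fields of the CLI output; the sample below is constructed, not captured.
"""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-network-interfaces --output json`.
SAMPLE_OUTPUT = """
{
  "NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa000000000001",
     "Description": "ELB app/my-alb/0123456789abcdef",
     "Status": "in-use", "RequesterManaged": true, "RequesterId": "amazon-elb",
     "Attachment": {"InstanceOwnerId": "amazon-elb", "Status": "attached",
                    "DeviceIndex": 1, "DeleteOnTermination": false}},
    {"NetworkInterfaceId": "eni-0aaa000000000002",
     "Description": "Primary network interface",
     "Status": "in-use", "RequesterManaged": false,
     "Attachment": {"InstanceOwnerId": "123456789012",
                    "InstanceId": "i-0123456789abcdef0", "Status": "attached",
                    "DeviceIndex": 0, "DeleteOnTermination": true}},
    {"NetworkInterfaceId": "eni-0aaa000000000003",
     "Description": "secondary interface for app-2",
     "Status": "in-use", "RequesterManaged": false,
     "Attachment": {"InstanceOwnerId": "123456789012",
                    "InstanceId": "i-0123456789abcdef0", "Status": "attached",
                    "DeviceIndex": 1, "DeleteOnTermination": false}},
    {"NetworkInterfaceId": "eni-0aaa000000000004",
     "Description": "leftover from an old deployment",
     "Status": "available", "RequesterManaged": false}
  ]
}
"""

ACCOUNT_ID = "123456789012"  # constructed; in practice: aws sts get-caller-identity


def classify_eni(eni, account_id):
    """Return (category, advice) for one ENI record."""
    attachment = eni.get("Attachment")
    if eni.get("Status") == "available" or attachment is None:
        return "detached", "nothing is attached; delete-network-interface can be called directly"

    owner = attachment.get("InstanceOwnerId", "")
    if eni.get("RequesterManaged") or owner != account_id:
        # Owned by an AWS service principal (amazon-elb, amazon-aws, ...):
        # the ENI goes away only when the parent resource does.
        return "system-owned", (f"owned by {owner!r}; remove the parent resource "
                                f"described as {eni.get('Description', '')!r}")

    if attachment.get("DeviceIndex") == 0:
        # Device index 0 is the instance's primary interface.
        return "primary", (f"primary ENI of {attachment.get('InstanceId')}; "
                           "cannot be detached while the instance exists")

    return "detachable", (f"secondary ENI on {attachment.get('InstanceId')}; "
                          "detach-network-interface, then delete-network-interface")


def classify_output(cli_json, account_id):
    """Map every ENI id in the CLI output to its category."""
    data = json.loads(cli_json)
    return {e["NetworkInterfaceId"]: classify_eni(e, account_id)[0]
            for e in data.get("NetworkInterfaces", [])}


if __name__ == "__main__":
    # Usage: aws ec2 describe-network-interfaces --output json | python3 eni_triage.py ACCOUNT_ID
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not raw.strip():
        raw = SAMPLE_OUTPUT          # fall back to the constructed sample
    account = sys.argv[1] if len(sys.argv) > 1 else ACCOUNT_ID
    for eni in json.loads(raw).get("NetworkInterfaces", []):
        category, advice = classify_eni(eni, account)
        print(f"{eni['NetworkInterfaceId']}  {category:12s}  {advice}")
```

The `RequesterManaged` flag is checked alongside `InstanceOwnerId` because it is set on every service-created ENI, so the script still lands on "system-owned" for a service whose owner string you have not seen before. The `Description` is printed with the advice because it is usually the quickest pointer to the parent resource (load balancer name, Lambda function, mount target) that actually has to be deleted.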
### 🛠️ How to Fix

#### 🔸 Case A: **IAM Permission Issue**

* Ask your admin to attach a policy with the `ec2:DetachNetworkInterface` and `ec2:DeleteNetworkInterface` actions.
* Check for **SCPs** or **Permissions Boundaries** that might override your IAM permissions.

#### 🔸 Case B: **System-Owned ENI**

* You **must delete the parent resource** (e.g., Lambda function, ECS task, EC2 instance) that owns the ENI.
* Once deleted, the ENI will be **automatically detached and removed** (in most cases).
* You **cannot detach primary ENIs** of running EC2 instances.

---

Would you like help interpreting the output of `describe-network-interfaces` for your specific ENI?