
[AWS::EC2::TransitGatewayAttachment] - [Enhancement] - Propagate tags to service-managed ENIs / Network interfaces #2483

@rgoltz

Name of the resource

AWS::EC2::TransitGatewayAttachment

Resource name

No response

Description

When a Transit Gateway VPC attachment is created, the service provisions one ENI per specified subnet with the description Network Interface for Transit Gateway Attachment tgw-attach-xxxxxxxx. These ENIs are created and managed by the AWSServiceRoleForVPCTransitGateway service-linked role. They do not inherit tags from the TGW attachment resource.

Problem

  • Transit Gateway creates one requester-managed ENI per subnet specified in the VPC attachment. Each ENI consumes one IP address from the subnet.
  • These ENIs carry no tags - the description references the attachment ID, but there are no tags linking back to the Transit Gateway, the attachment, or the VPC.
  • ENIs are replaced when subnets are added or removed from the attachment.
  • There is no mechanism, via CloudFormation or the EC2/TGW API, to propagate tags to these ENIs at creation time.

Impact

Organizations enforcing mandatory tagging policies face:

  • Cost allocation gaps: Untagged ENIs cannot be attributed to a project or team.
  • Compliance violations: AWS Config rules like required-tags flag these ENIs as non-compliant.
  • Operational overhead: Workarounds require event-driven Lambda functions to retroactively tag ENIs. ENIs are replaced when attachment subnets change.
  • Multi-account complexity: In hub-and-spoke architectures with many VPC attachments across accounts, the number of untagged TGW ENIs grows quickly.

Expected Behavior

Tags defined on AWS::EC2::TransitGatewayAttachment should be automatically propagated to all ENIs created for the VPC attachment. When ENIs are replaced (e.g., subnet changes), new ENIs should receive the current tags from the parent attachment.

Other Details

  • You must specify at least one subnet, but AWS recommends two for availability. Only one subnet per AZ is allowed.
  • The ENIs are managed via the AWSServiceRoleForVPCTransitGateway service-linked role and cannot be detached or deleted while the attachment exists.
  • The same issue applies to AWS::EC2::TransitGatewayVpcAttachment.

Reproduction

  1. Create a Transit Gateway VPC attachment with tags via CloudFormation:
    MyTGWAttachment:
      Type: AWS::EC2::TransitGatewayAttachment
      Properties:
        TransitGatewayId: !Ref MyTGW
        VpcId: !Ref MyVPC
        SubnetIds:
          - subnet-aaa
          - subnet-bbb
        Tags:
          - Key: Environment
            Value: production
          - Key: CostCenter
            Value: "12345"
  2. List the TGW attachment ENIs:
    aws ec2 describe-network-interfaces \
      --filters "Name=description,Values=Network Interface for Transit Gateway Attachment*" \
      --query "NetworkInterfaces[].{ID:NetworkInterfaceId,Desc:Description,Tags:TagSet}"
  3. Observe: TagSet is empty on the Transit Gateway ENIs.
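The event-driven workaround mentioned under Impact, written out as an added example that is not part of this issue and not AWS-provided code: a tag-propagation function that finds the ENIs whose description names a given attachment and copies the attachment's tags onto them. It accepts any object exposing the boto3 EC2 client calls describe_transit_gateway_attachments, describe_network_interfaces and create_tags, so in production you pass boto3.client("ec2"); the FakeEC2 class, the attachment ID and the ENI IDs below are constructed sample data so the block runs offline. Invoking it from an EventBridge rule or on a schedule is an assumption about deployment, not something the issue specifies. Tag keys with the reserved aws: prefix are skipped because CreateTags rejects them.

```python
"""Copy tags from a Transit Gateway attachment onto its service-managed ENIs.

Added example, not code from the issue or from AWS. Runs offline against the
constructed FakeEC2 below; pass boto3.client("ec2") for real use.
"""
import re
from typing import Dict, List, Optional

# Description AWS writes on each TGW attachment ENI (from the issue text);
# the attachment ID inside it is the only link back to the attachment.
ENI_DESC_PREFIX = "Network Interface for Transit Gateway Attachment "
_ATTACH_ID_RE = re.compile(r"tgw-attach-[0-9a-f]+")

Tag = Dict[str, str]


def attachment_id_from_description(description: str) -> Optional[str]:
    """Return the tgw-attach-... ID named in an ENI description, else None."""
    if not description.startswith(ENI_DESC_PREFIX):
        return None
    m = _ATTACH_ID_RE.search(description)
    return m.group(0) if m else None


def missing_tags(source_tags: List[Tag], eni_tags: List[Tag]) -> List[Tag]:
    """Tags on the attachment that are absent from, or differ on, the ENI.
    Keys starting with 'aws:' are reserved and CreateTags refuses them, so skip them."""
    current = {t["Key"]: t["Value"] for t in eni_tags}
    return [
        t for t in source_tags
        if not t["Key"].lower().startswith("aws:") and current.get(t["Key"]) != t["Value"]
    ]


def propagate_attachment_tags(ec2, attachment_id: str) -> Dict[str, List[Tag]]:
    """Apply the attachment's tags to every ENI whose description names it.
    Returns {eni_id: tags_written}; idempotent, so it is safe to rerun after
    subnet changes replace the ENIs."""
    resp = ec2.describe_transit_gateway_attachments(
        TransitGatewayAttachmentIds=[attachment_id]
    )
    attachments = resp.get("TransitGatewayAttachments", [])
    if not attachments:
        raise ValueError(f"attachment {attachment_id} not found")
    source_tags = attachments[0].get("Tags", [])

    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "description", "Values": [ENI_DESC_PREFIX + attachment_id]}]
    ).get("NetworkInterfaces", [])

    applied: Dict[str, List[Tag]] = {}
    for eni in enis:
        # The filter is a plain string match; re-check the ID so a look-alike
        # description for another attachment never receives these tags.
        if attachment_id_from_description(eni.get("Description", "")) != attachment_id:
            continue
        delta = missing_tags(source_tags, eni.get("TagSet", []))
        if delta:
            ec2.create_tags(Resources=[eni["NetworkInterfaceId"]], Tags=delta)
        applied[eni["NetworkInterfaceId"]] = delta
    return applied


# ---- constructed sample data (hypothetical IDs, not real AWS output) ----
SAMPLE_ATTACH = "tgw-attach-0123456789abcdef0"


class FakeEC2:
    """Minimal stand-in for the three boto3 EC2 client calls used above."""

    def __init__(self) -> None:
        self.attachment_tags: List[Tag] = [
            {"Key": "Environment", "Value": "production"},
            {"Key": "CostCenter", "Value": "12345"},
            {"Key": "aws:cloudformation:stack-name", "Value": "net-stack"},  # reserved, must be skipped
        ]
        self.enis = {
            "eni-0aaa": {"Description": ENI_DESC_PREFIX + SAMPLE_ATTACH, "TagSet": []},
            "eni-0bbb": {"Description": ENI_DESC_PREFIX + SAMPLE_ATTACH,
                         "TagSet": [{"Key": "Environment", "Value": "staging"}]},  # stale value
            "eni-0ccc": {"Description": ENI_DESC_PREFIX + "tgw-attach-ffffffffffffffff", "TagSet": []},
            "eni-0ddd": {"Description": "application ENI", "TagSet": []},
        }

    def describe_transit_gateway_attachments(self, TransitGatewayAttachmentIds):
        if SAMPLE_ATTACH not in TransitGatewayAttachmentIds:
            return {"TransitGatewayAttachments": []}
        return {"TransitGatewayAttachments": [
            {"TransitGatewayAttachmentId": SAMPLE_ATTACH, "Tags": self.attachment_tags}]}

    def describe_network_interfaces(self, Filters):
        wanted = Filters[0]["Values"]
        return {"NetworkInterfaces": [
            dict(NetworkInterfaceId=i, **d) for i, d in self.enis.items() if d["Description"] in wanted]}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            merged = {t["Key"]: t["Value"] for t in self.enis[r]["TagSet"]}
            merged.update({t["Key"]: t["Value"] for t in Tags})
            self.enis[r]["TagSet"] = [{"Key": k, "Value": v} for k, v in merged.items()]


if __name__ == "__main__":
    client = FakeEC2()
    print(propagate_attachment_tags(client, SAMPLE_ATTACH))
```

Because the ENIs are recreated whenever the attachment's subnets change, the function is written to be rerun safely: a second pass finds nothing missing and makes no CreateTags calls. Whatever triggers it (an EventBridge rule, a scheduled run, or a post-deploy step) is a deployment choice outside this example.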

Labels: enhancement (New feature or request)