Ensure that your AWS Elastic Block Store (EBS) volume snapshots are not public (i.e. shared with all AWS accounts) in order to avoid exposing personal and sensitive data. Cloud Conformity strongly recommends against sharing your EBS snapshots with all AWS accounts. If sharing is required, share your volume snapshots with specific, named AWS accounts instead of making them publicly accessible.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you share an EBS volume snapshot publicly, you give every AWS account permission to copy the snapshot and to create a volume from it; anyone with an AWS account can then mount your data and read it. EBS snapshots are normally block-level copies of the volumes behind your applications, including their data, configuration and any credentials stored on disk, so sharing them in this manner is not recommended. Note that only unencrypted snapshots can be made public; snapshots of encrypted volumes can be shared only with specific accounts, so a public snapshot is by definition unencrypted data.
Audit
To identify any publicly accessible EBS volume snapshots within your AWS account, perform the following:
Case A: To remove public access from your EBS volume snapshots entirely and make them private (i.e. accessible only from the current AWS account), perform the following:
Case B: To remove public access from your EBS volume snapshots while still sharing them with specific AWS accounts, perform the following:
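The audit and both remediation cases above can be scripted against the EC2 API. The following Python is an added example, not code from the Cloud Conformity page or tool. Its decision logic works on the response shape of `DescribeSnapshotAttribute` (attribute `createVolumePermission`), so it runs offline on the constructed samples below; the snapshot and account IDs in the samples are made up. The live helpers at the bottom assume boto3 is installed and that credentials with `ec2:DescribeSnapshots`, `ec2:DescribeSnapshotAttribute` and `ec2:ModifySnapshotAttribute` are available, and they are only imported when called.

```python
"""Find EBS snapshots that are shared publicly and build the fix.

"Public" for an EBS snapshot means the createVolumePermission attribute
contains the group "all": every AWS account may copy the snapshot or
create a volume from it. Removing that group (Case A) makes the snapshot
private; adding explicit account IDs afterwards (Case B) keeps sharing
without being public.
"""
from typing import Dict, Iterable, List

PUBLIC_GROUP = "all"

# Constructed sample responses (not captured from a real account).
SAMPLE_PUBLIC = {
    "SnapshotId": "snap-0123456789abcdef0",
    "CreateVolumePermissions": [{"Group": "all"}],
}
SAMPLE_SHARED = {
    "SnapshotId": "snap-0fedcba9876543210",
    "CreateVolumePermissions": [{"UserId": "111122223333"}, {"UserId": "444455556666"}],
}
SAMPLE_PRIVATE = {
    "SnapshotId": "snap-0aaaabbbbccccdddd",
    "CreateVolumePermissions": [],
}


def is_public(attr: Dict) -> bool:
    """True when the snapshot's createVolumePermission includes the 'all' group."""
    return any(p.get("Group") == PUBLIC_GROUP for p in attr.get("CreateVolumePermissions", []))


def shared_account_ids(attr: Dict) -> List[str]:
    """Account IDs the snapshot is explicitly shared with (non-public sharing)."""
    return [p["UserId"] for p in attr.get("CreateVolumePermissions", []) if "UserId" in p]


def audit(attrs: Iterable[Dict]) -> List[str]:
    """Snapshot IDs that are public, from a sequence of attribute responses."""
    return [a["SnapshotId"] for a in attrs if is_public(a)]


def remediation_calls(attr: Dict, allowed_accounts: Iterable[str] = ()) -> List[Dict]:
    """Return the ModifySnapshotAttribute kwargs that make a public snapshot private.

    Case A (no allowed_accounts): one call removing the 'all' group.
    Case B: a second call granting createVolumePermission to the listed
    accounts that do not already have it. A non-public snapshot needs no change.
    """
    if not is_public(attr):
        return []
    calls = [{
        "SnapshotId": attr["SnapshotId"],
        "Attribute": "createVolumePermission",
        "OperationType": "remove",
        "GroupNames": [PUBLIC_GROUP],
    }]
    to_add = [a for a in allowed_accounts if a not in shared_account_ids(attr)]
    if to_add:
        calls.append({
            "SnapshotId": attr["SnapshotId"],
            "Attribute": "createVolumePermission",
            "OperationType": "add",
            "UserIds": to_add,
        })
    return calls


def live_public_snapshots(region: str) -> List[str]:
    """Audit: snapshots owned by this account that are restorable by everyone."""
    import boto3  # imported here so the pure functions above run without boto3
    ec2 = boto3.client("ec2", region_name=region)
    ids: List[str] = []
    paginator = ec2.get_paginator("describe_snapshots")
    for page in paginator.paginate(OwnerIds=["self"], RestorableByUserIds=["all"]):
        ids.extend(s["SnapshotId"] for s in page["Snapshots"])
    return ids


def live_remediate(region: str, snapshot_id: str, allowed_accounts: Iterable[str] = ()) -> bool:
    """Apply Case A or Case B to one snapshot and re-read the attribute to verify."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    attr = ec2.describe_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission")
    for kwargs in remediation_calls(attr, allowed_accounts):
        ec2.modify_snapshot_attribute(**kwargs)
    after = ec2.describe_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission")
    return not is_public(after)


if __name__ == "__main__":
    print("public:", audit([SAMPLE_PUBLIC, SAMPLE_SHARED, SAMPLE_PRIVATE]))
    print("case A:", remediation_calls(SAMPLE_PUBLIC))
    print("case B:", remediation_calls(SAMPLE_PUBLIC, ["111122223333"]))
```

The `RestorableByUserIds=["all"]` filter on `DescribeSnapshots` returns only the snapshots the account has made public, which is faster than calling `DescribeSnapshotAttribute` on every snapshot; the per-snapshot attribute call is still used before and after `ModifySnapshotAttribute` so the change is verified rather than assumed.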
References
- AWS Documentation
- Trusted Advisor Best Practices (Checks)
- Amazon EBS Snapshots
- Sharing an Amazon EBS Snapshot
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-snapshots
- describe-snapshot-attribute
- modify-snapshot-attribute
You are auditing:
Amazon EBS Public Snapshots
Risk level: High