Description:

A snapshot is the state of a system at a particular point in time. RDS snapshots are backups of your instances, created and stored in Amazon S3 for data recovery. RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. Likewise, for a DB cluster, Amazon RDS creates a storage volume snapshot of the whole cluster, backing up the entire DB cluster and not just individual databases.


Rationale:

If RDS snapshots are public, they open the door to leakage or misuse of sensitive data and other security threats. Other AWS users can not only access and copy your data but can also create a volume out of it.


Impact:

Once the snapshot is made private, the data backed up in it is no longer accessible to all other AWS accounts. This safeguards any previously public snapshot that may contain sensitive information which is not supposed to be shared.


Default Value:

Snapshots are public by default. 


Audit:

  • Management console

  1. Sign in to AWS Management console

  2. Navigate to RDS dashboard and click on snapshots in the left pane

  3. Choose a snapshot available in the list

  4. Go to Actions and click on share snapshot

  5. If the setting value is set to Public, the selected Amazon RDS database snapshot is publicly accessible, therefore all AWS accounts and users have access to the data available on the snapshot.

 

  • On CLI

  1. You can view public snapshots owned by other accounts in a particular AWS Region on the Public tab of the Snapshots page in the Amazon RDS console. Your snapshots (those owned by your account) don't appear on this tab.

  2. To check whether any public snapshot in a particular AWS Region belongs to your AWS account, list the public snapshots and search the output for your account number (replace account_number with your 12-digit account ID):

    aws rds describe-db-snapshots --snapshot-type public --include-public | grep account_number

Remediation:

Pre-Requisite:

  • Have an RDS instance running any of the AWS supported database engines

  • A snapshot of the RDS instance or cluster.

  • IAM role which has access to RDS


Implementation steps:

  • Management Console

  1. Open the Amazon RDS console. https://console.aws.amazon.com/rds/

  2. Choose Snapshots from the left navigation pane.

  3. Choose the DB snapshot that you want to modify. It can be either a manual database snapshot or an automated system backup.

  4. Choose Actions, and then choose Share Snapshot.

  5. Set DB snapshot visibility to Private. This permits only the AWS accounts that you specify to restore a DB instance from your manual DB snapshot.

  6. In the AWS Account ID field, enter the ID of the AWS account that you want to permit to restore a DB instance from your manual DB snapshot, and then choose Add.

    After you have added identifiers for all of the AWS accounts that you want to permit to restore the manual snapshot, choose Save to save your changes.


  • With CLI

To share a DB snapshot, use the aws rds modify-db-snapshot-attribute command. 

Use the --values-to-add parameter to add a list of the IDs for the AWS accounts that are authorized to restore the manual snapshot.

Example of sharing a snapshot with a single account

The following example enables AWS account identifier 123456789012 to restore the DB snapshot named db7-snapshot.

For Linux, macOS, or Unix:

aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier db7-snapshot \
--attribute-name restore \
--values-to-add 123456789012


For Windows:

aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier db7-snapshot ^
--attribute-name restore ^
--values-to-add 123456789012


Example of sharing a snapshot with multiple accounts

The following example enables two AWS account identifiers, 111122223333 and 444455556666, to restore the DB snapshot named manual-snapshot1.

For Linux, macOS, or Unix:

aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier manual-snapshot1 \
--attribute-name restore \
--values-to-add '["111122223333","444455556666"]'


For Windows:

aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier manual-snapshot1 ^
--attribute-name restore ^
--values-to-add "[\"111122223333\",\"444455556666\"]"
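The commands above set the restore attribute one account at a time; the audit step relies on grep. The following added example (not part of the original page or of AWS's own tooling) works on the JSON that `aws rds describe-db-snapshot-attributes` returns, which is the authoritative place to check: a snapshot is public exactly when its restore attribute contains the value "all". It parses a constructed sample in that shape, flags the public snapshot, builds the modify-db-snapshot-attribute call that removes "all" while keeping explicit shares, and builds a sharing call that rejects malformed account IDs and the 20-account limit from the Note section. The identifiers and account IDs are the page's example values.

```python
import json
import shlex

# Constructed sample in the shape of `aws rds describe-db-snapshot-attributes` output.
# Identifier and account IDs are the page's example values; the "all" entry is what
# RDS records in the restore attribute once a snapshot has been made Public.
SAMPLE_ATTRIBUTES = json.dumps({
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "manual-snapshot1",
        "DBSnapshotAttributes": [{"AttributeName": "restore",
                                  "AttributeValues": ["all", "111122223333", "444455556666"]}]}})
MAX_SHARED_ACCOUNTS = 20  # sharing limit stated in the Note section

def restore_values(attributes_json):
    """Return the values of the 'restore' attribute (account IDs and/or 'all')."""
    result = json.loads(attributes_json)["DBSnapshotAttributesResult"]
    for attr in result["DBSnapshotAttributes"]:
        if attr["AttributeName"] == "restore":
            return list(attr["AttributeValues"])
    return []

def is_public(attributes_json):
    """Public means any AWS account may restore: the restore list contains 'all'."""
    return "all" in restore_values(attributes_json)

def shared_accounts(attributes_json):
    """Explicitly shared account IDs, with the public marker filtered out."""
    return [v for v in restore_values(attributes_json) if v != "all"]

def remediation_command(attributes_json):
    """Command that drops public access but keeps explicit shares; None if not public."""
    if not is_public(attributes_json):
        return None
    ident = json.loads(attributes_json)["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
    return ("aws rds modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {shlex.quote(ident)} "
            "--attribute-name restore --values-to-remove all")

def share_command(snapshot_id, new_accounts, attributes_json):
    """Command that adds accounts; rejects malformed IDs and the 20-account limit."""
    bad = [a for a in new_accounts if not (a.isdigit() and len(a) == 12)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    total = set(shared_accounts(attributes_json)) | set(new_accounts)
    if len(total) > MAX_SHARED_ACCOUNTS:
        raise ValueError(f"{len(total)} accounts exceeds the limit of {MAX_SHARED_ACCOUNTS}")
    return ("aws rds modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {shlex.quote(snapshot_id)} "
            "--attribute-name restore --values-to-add " + " ".join(new_accounts))
```

Feed it the real output of `aws rds describe-db-snapshot-attributes --db-snapshot-identifier <name>` for each snapshot returned by `describe-db-snapshots` to audit an account, and run the returned command only after reviewing it.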


Backout Plan:

  • Management Console:

  1. To stop sharing a snapshot with an AWS account, select the Delete check box next to the account ID in the Manage Snapshot Permissions pane, and then choose Save.

  2. To revoke changes, select the snapshot; go to Actions; choose to share snapshot and select PUBLIC and SAVE.


  • On CLI:

To remove an AWS account identifier from the list, use the --values-to-remove parameter.

Example of stopping snapshot sharing

The following example prevents AWS account ID 444455556666 from restoring the snapshot.

For Linux, macOS, or Unix:

aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier manual-snapshot1 \
--attribute-name restore \
--values-to-remove 444455556666


For Windows:

aws rds modify-db-snapshot-attribute ^
--db-snapshot-identifier manual-snapshot1 ^
--attribute-name restore ^
--values-to-remove 444455556666


Note:

  • You can share snapshots with up to 20 AWS accounts.

  • Snapshots that are encrypted with the default key can't be shared.


Reference:

https://docs.aws.amazon.com/rds/index.html

Sharing a DB snapshot - Amazon Relational Database Service