Description:

Elastic Block Store is a web service that provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance and used as a hard drive. If EBS Snapshots are made public, unauthorized users may be able to gain access to the data on the server. Ensure there are no EBS Snapshots set as Public.  We can achieve the same by modifying the permissions of a snapshot, you can share it with the AWS accounts that you specify.

Rationale:

Allowing public access to EBS Snapshots content may aid an adversary in identifying weaknesses in the affected account's use or configuration or data on the server.

Impact:

By modifying the permissions of a snapshot, you can share it with the AWS accounts that you specify. Users that you have authorized can use the snapshots you share as the basis for creating their own EBS volumes, while your original snapshot remains unaffected.

Default value:

By default, the EBS snapshot is private.

Audit:

  1. Sign in to the AWS Management console 

  2. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/

  3. Choose Snapshots under Elastic Block Store in the left navigation pane.

  4. Select the snapshot you want to examine, it shows up the details in the bottom panel

  5. Click on the Permissions tab and check the snapshot access permissions.

  6.  If the EC2 dashboard displays the following status: "This snapshot is currently Public.", then the selected EBS volume snapshot is publicly accessible


Remediation:

Pre-requisites:

  1. Sign in as an admin or IAM user with the required permissions

  2. If the selected snapshot is publicly accessible then only follow the implementation steps

 Implementation Steps:

  1. Sign in to AWS Management Console

  2. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/

  3. Choose Snapshots in the navigation pane.

  4. Select the snapshot that you want to change. 

  5. Click on the Actions button on the top and select Modify Permissions

  6. In the Modify Permissions dialog box, perform the following actions:

    1. Select Private to make the selected EBS snapshot private.

    2. Within the AWS Account Number box, enter the ID number of the AWS account with whom you want to share the selected volume snapshot and click Add Permission to confirm the action.

    3. Click Save to apply the changes.


CLI Remediation:

aws ec2 modify-snapshot-attribute
  --region us-east-1
  --snapshot-id snap-0ee33391e721cfe2f
  --attribute createVolumePermission
  --operation-type add
  --user-ids 123456789012


Backout plan:

To make the snapshot publicly accessible follow the implementation steps and select public in Modify Permissions dialog box opened and click on save.

 

Reference: