Profile Applicability:

  • Level 1

Description:

Amazon DocumentDB allows you to create manual snapshots of your clusters, which can be used for backup or disaster recovery. These snapshots can be either private or public. By default, manual snapshots are private, but it’s important to verify that snapshots are not inadvertently made public, as this could expose sensitive data. This SOP ensures that DocumentDB manual cluster snapshots are not public and that access is properly controlled.

Rationale:

  • Data Privacy: If a manual snapshot is public, the data it contains can be accessed by anyone, potentially violating privacy and compliance regulations.

  • Security: Public snapshots can expose critical data, including credentials, business information, and proprietary data.

  • Compliance: For compliance with standards like HIPAA, PCI-DSS, and SOC 2, data must be protected from unauthorized access. Making a snapshot public could lead to a security breach and non-compliance.

Impact:

Pros:

  • Enhanced Security: By ensuring that snapshots remain private, you minimize the risk of accidental data exposure.

  • Compliance Assurance: Preventing public access to snapshots helps you stay compliant with various data protection regulations.

Cons:

  • Potential Management Overhead: Monitoring and ensuring that snapshots remain private adds operational overhead, but it’s essential for security and compliance.

Default Value:

By default, DocumentDB manual snapshots are private. However, they can be explicitly set to public by modifying their permissions.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBSnapshots

    • rds:ModifyDBSnapshot

    • rds:DeleteDBSnapshot

  • AWS CLI installed and configured.

  • Ensure you have the correct permissions to manage DocumentDB snapshots and snapshot visibility settings.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB under Services.

  3. In the DocumentDB Dashboard, go to Snapshots.

  4. Review the Manual Snapshots section.

  5. Select the manual snapshot you want to check.

  6. In the Snapshot Details section, check if Public Snapshot is marked as Yes.

    • If the Public Snapshot setting is Yes, it means the snapshot is public.

    • If the Public Snapshot setting is No, the snapshot is private.

Using AWS CLI:

  1. To check whether a DocumentDB manual cluster snapshot is public, describe its restore attribute. DocumentDB snapshots are cluster snapshots managed with the docdb command set; the rds instance-snapshot commands do not return them and expose no Public field:

    aws docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier <snapshot-id> --query 'DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName==`restore`].AttributeValues'

  2. Review the output:

    • If the restore attribute values contain all, the snapshot is public.

    • If the restore attribute values do not contain all (an empty list, or only specific account IDs the snapshot is shared with), the snapshot is private.

  3. To make the snapshot private if it is public, remove the value all from the restore attribute (account-level shares, if any, are left in place):

    aws docdb modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-id> --attribute-name restore --values-to-remove all

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon DocumentDB.

  2. In the DocumentDB Dashboard, go to Snapshots and select the manual snapshot you want to review.

  3. In the Snapshot Details section, if Public Snapshot is enabled, disable it:

    • Click on the Modify option.

    • Change the Public Snapshot setting to No (private).

    • Save the changes to ensure the snapshot is private.

Using AWS CLI:

  1. To modify the snapshot to make it private, remove the value all from its restore attribute:

    aws docdb modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <snapshot-id> --attribute-name restore --values-to-remove all

  2. Verify that the snapshot is now private (the restore attribute values must no longer contain all):

    aws docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier <snapshot-id> --query 'DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName==`restore`].AttributeValues'
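The check and the remediation above are the same two-step decision applied to every manual snapshot in the account: read the restore attribute, treat the value all as public, and remove only that value. The script below is an added example (not part of this SOP and not AWS code) that implements that logic over the JSON shape DescribeDBClusterSnapshotAttributes returns. The sample responses, snapshot identifiers and account ID in it are constructed; live_audit assumes boto3 is installed and AWS credentials are configured, and is the only part that touches AWS.

```python
"""Audit Amazon DocumentDB manual cluster snapshots for public exposure.

Added example for this SOP, not code from the original page or from AWS.
A DocumentDB cluster snapshot is public when its "restore" attribute
(DescribeDBClusterSnapshotAttributes) contains the value "all"; any other
values are individual account IDs the snapshot is shared with.
"""

# Constructed sample responses in the shape DescribeDBClusterSnapshotAttributes
# returns. The snapshot identifiers and the account ID below are made up.
SAMPLE_PUBLIC = {
    "DBClusterSnapshotAttributesResult": {
        "DBClusterSnapshotIdentifier": "docdb-manual-2024-01-public",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all", "123456789012"]}
        ],
    }
}
SAMPLE_PRIVATE = {
    "DBClusterSnapshotAttributesResult": {
        "DBClusterSnapshotIdentifier": "docdb-manual-2024-01-private",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": []}
        ],
    }
}


def restore_values(attrs_response):
    """Return the values under the 'restore' attribute, or [] if absent."""
    result = attrs_response.get("DBClusterSnapshotAttributesResult", {})
    for attr in result.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(attrs_response):
    """True when the restore attribute grants restore rights to everyone."""
    return "all" in restore_values(attrs_response)


def shared_accounts(attrs_response):
    """Account IDs the snapshot is explicitly shared with (excluding 'all')."""
    return [v for v in restore_values(attrs_response) if v != "all"]


def remediation_command(snapshot_id):
    """CLI argv that removes public access and leaves account-level shares alone."""
    return [
        "aws", "docdb", "modify-db-cluster-snapshot-attribute",
        "--db-cluster-snapshot-identifier", snapshot_id,
        "--attribute-name", "restore",
        "--values-to-remove", "all",
    ]


def audit(attribute_responses):
    """Take {snapshot_id: DescribeDBClusterSnapshotAttributes response}.

    Return one finding per public snapshot, including the command that fixes it.
    """
    findings = []
    for snapshot_id, response in attribute_responses.items():
        if is_public(response):
            findings.append({
                "snapshot": snapshot_id,
                "shared_with": shared_accounts(response),
                "fix": " ".join(remediation_command(snapshot_id)),
            })
    return findings


def live_audit(region_name=None, remediate=False):
    """Run the audit against the current AWS account with boto3.

    Assumes boto3 is installed and credentials are configured; imported lazily
    so the decision logic above runs offline.
    """
    import boto3  # assumption: available in the operator's environment

    client = boto3.client("docdb", region_name=region_name)
    responses = {}
    kwargs = {"SnapshotType": "manual"}
    while True:  # follow the Marker until every page has been read
        page = client.describe_db_cluster_snapshots(**kwargs)
        for snap in page.get("DBClusterSnapshots", []):
            sid = snap["DBClusterSnapshotIdentifier"]
            responses[sid] = client.describe_db_cluster_snapshot_attributes(
                DBClusterSnapshotIdentifier=sid
            )
        if not page.get("Marker"):
            break
        kwargs["Marker"] = page["Marker"]
    findings = audit(responses)
    if remediate:  # same change as the CLI step: remove only the value "all"
        for finding in findings:
            client.modify_db_cluster_snapshot_attribute(
                DBClusterSnapshotIdentifier=finding["snapshot"],
                AttributeName="restore",
                ValuesToRemove=["all"],
            )
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for f in audit({"snap-public": SAMPLE_PUBLIC, "snap-private": SAMPLE_PRIVATE}):
        print(f)
```

Run it as-is to see the decision logic on the constructed samples; call live_audit() from an environment with credentials to list public manual snapshots, and live_audit(remediate=True) to apply the same change the Implementation Steps describe. Removing only the value all keeps any deliberate account-to-account shares intact, which is why the script reports them separately.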

Backout Plan:

Using AWS Console:

  1. If changing the snapshot visibility causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon DocumentDB, select the snapshot, and change the visibility back to Public (if required for troubleshooting).

  3. Save the changes and monitor the snapshot to ensure that visibility settings are as intended.

Using AWS CLI:

  1. If needed, revert the snapshot visibility by adding values back to its restore attribute. Prefer sharing with the specific account that needs restore access; the value all is what makes the snapshot public again:

    aws docdb modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <SNAPSHOT_ID> --attribute-name restore --values-to-add <YOUR_ACCOUNT_ID>

  2. Verify that the visibility has been updated:

    aws docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier <SNAPSHOT_ID>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
  --------|------------|---------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.  |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |