Profile Applicability:

  • Level 1

Description:

Amazon RDS Snapshots and Cluster Snapshots are backup copies of your RDS instances and clusters. By default, RDS snapshots are private, meaning only the AWS account that created them can access them. However, if snapshots are made public, any AWS account can access them, which can lead to security and data leakage risks. This SOP ensures that RDS snapshots and cluster snapshots are not public to maintain data confidentiality and security.

Rationale:

  • Security: Publicly accessible snapshots can lead to unauthorized access and potential data breaches. Ensuring snapshots remain private ensures data security.

  • Compliance: For organizations following compliance frameworks like PCI-DSS, SOC 2, or HIPAA, keeping backups private is essential to meet regulatory requirements for data protection.

  • Best Practices: Following AWS security best practices requires ensuring that backup data is not exposed to the public.

Impact:

Pros:

  • Prevents Data Exposure: By ensuring snapshots remain private, you mitigate the risk of sensitive data being exposed to unauthorized parties.

  • Compliance: Ensures compliance with data protection regulations and security best practices.

  • Risk Mitigation: Reduces the risk of accidental or intentional data leaks.

Cons:

  • Access Restrictions: While ensuring privacy, it might require more complex management of access for team members who need to work with the snapshots.

  • Additional Monitoring: You will need to implement monitoring processes to ensure that snapshots are not unintentionally made public.

Default Value:

By default, RDS snapshots and Cluster snapshots are private. They must be explicitly made public by the user or the AWS account performing the snapshot operation.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBSnapshots

    • rds:ModifyDBSnapshot

    • rds:DescribeDBClusterSnapshots

    • rds:ModifyDBClusterSnapshot

  • AWS CLI installed and configured.

  • Ensure you have access to all RDS snapshots and cluster snapshots for the AWS account you are auditing.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Snapshots.

  4. Review all RDS Snapshots and Cluster Snapshots listed in the Snapshots section.

  5. For each snapshot, check the Public status:

    • If Public is set to Yes, the snapshot is public, and it needs to be made private.

    • If Public is set to No, the snapshot is private, as it should be.

  6. If any snapshot is public, click on the snapshot, then select Modify and ensure Public Snapshot is set to No.

  7. Save the changes and verify that the snapshot is now private.

Using AWS CLI:

  1. To check if RDS snapshots are public, run the following command:

    aws rds describe-db-snapshots --query 'DBSnapshots[*].{DBSnapshotIdentifier:DBSnapshotIdentifier,Public:Public}'

  2. Review the output:

  • If Public is true, the snapshot is public.

  • If Public is false, the snapshot is private.

  1. To modify a snapshot to make it private, run:

    aws rds modify-db-snapshot --db-snapshot-identifier <snapshot-id> --no-public

  2. To check Cluster Snapshots, use the following command:

    aws rds describe-db-cluster-snapshots --query 'DBClusterSnapshots[*].{DBClusterSnapshotIdentifier:DBClusterSnapshotIdentifier,Public:Public}'

  3. Review the output and repeat the modification if the snapshot is public:

    aws rds modify-db-cluster-snapshot --db-cluster-snapshot-identifier <snapshot-id> --no-public

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, go to Snapshots and check the list of RDS Snapshots and Cluster Snapshots.

  3. If any snapshot is marked as public, click on it, select Modify, and change the Public Snapshot option to No.

  4. Click Continue, and then Apply Changes to make the snapshot private.

  5. Repeat the process for all snapshots to ensure no snapshots are public.

Using AWS CLI:

  1. To check for public RDS snapshots, run:

    aws rds describe-db-snapshots --query 'DBSnapshots[*].{DBSnapshotIdentifier:DBSnapshotIdentifier,Public:Public}'

  2. For Cluster Snapshots, run:

    aws rds describe-db-cluster-snapshots --query 'DBClusterSnapshots[*].{DBClusterSnapshotIdentifier:DBClusterSnapshotIdentifier,Public:Public}'

  3. To make a snapshot private, use:

    aws rds modify-db-snapshot --db-snapshot-identifier <snapshot-id> --no-public

  4. For cluster snapshots, use:

    aws rds modify-db-cluster-snapshot --db-cluster-snapshot-identifier <snapshot-id> --no-public

Backout Plan:

Using AWS Console:

  1. If changing the public snapshot setting causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the snapshot, and click Modify.

  3. Re-enable public access if required (not recommended for security reasons).

  4. Save the changes and verify that the snapshot is public again.

Using AWS CLI:

  1. To revert the snapshot back to public access (though not recommended for security), run the following command:

    aws rds modify-db-snapshot --db-snapshot-identifier <SNAPSHOT_ID> --public true

  2. Verify that the snapshot is now public:

    aws rds describe-db-snapshots --db-snapshot-identifier <SNAPSHOT_ID>

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.

v8

14.6

Protect Information Through Access Control Lists – Apply strict access control to file systems.