Profile Applicability:

Level 2

Description

Amazon Elastic Block Store (EBS) snapshots are used to back up EBS volumes, providing a reliable mechanism for data recovery and replication. However, making EBS snapshots public poses a significant security risk as unauthorized individuals can access sensitive data. To enhance security, ensure that public access to EBS snapshots is disabled.

Rationale

  • Enhanced Security: Protects sensitive data stored in snapshots from unauthorized access.

  • Compliance: Ensures adherence to security best practices and regulatory requirements.

  • Risk Mitigation: Reduces exposure to potential data breaches and attacks.

Impact

Pros:

  • Safeguards sensitive information in EBS snapshots.

  • Reduces the risk of unauthorized access or data leaks.

  • Aligns with compliance and data protection standards.

Cons:

  • Requires periodic verification to ensure snapshots remain private.

  • May need adjustments if snapshots are intentionally shared within trusted accounts.

Default Value

By default, EBS snapshots are private. However, they can be explicitly shared publicly, so regular audits are recommended.

Pre-Requisite

IAM Permissions:

  • ec2:DescribeSnapshots

  • ec2:DescribeSnapshotAttribute (to read a snapshot's createVolumePermission setting)

  • ec2:ModifySnapshotAttribute

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Select the Snapshots option from the left-hand menu.

  4. For each snapshot, check the Permissions tab.

  5. Verify that the "Public" option is not selected.

Using AWS CLI:

Identify Public Snapshots:

aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all --query "Snapshots[].SnapshotId"

The describe-snapshots output has no Public field; filtering on --restorable-by-user-ids all returns exactly those snapshots shared with the "all" group, i.e. the public ones. An empty list means no snapshot owned by the account is public.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Select the Snapshots option from the left-hand menu.

  4. For any snapshots marked as "Public":

    • Open the Permissions tab.

    • Remove public permissions to make the snapshot private.

  5. Save the changes.

Using AWS CLI:

Disable Public Access:

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission --operation-type remove --group-names all

Verify the Changes:

aws ec2 describe-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission

The snapshot is private when the CreateVolumePermissions list in the output is empty; an entry with "Group": "all" means it is still public, and entries with "UserId" values mean it is shared with specific accounts.
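The Test Plan and Implementation Steps above can be combined into one audit script. The following is an added example, not part of the original page or of any AWS-provided tooling: it lists the account's own snapshots, classifies each one from its createVolumePermission attribute (private, shared with specific accounts, or public), and optionally removes the "all" group from the public ones. It assumes the AWS CLI is on PATH and configured, and that the caller holds the permissions listed under Pre-Requisite. The snapshot IDs and attribute responses in SAMPLE_RESPONSES are constructed so that the classification logic can be exercised offline with --demo.

```python
"""Audit EBS snapshots owned by this account for public sharing (added example).

Assumptions (not from the original page): the AWS CLI is installed and
configured, and the caller holds ec2:DescribeSnapshots,
ec2:DescribeSnapshotAttribute and, for --fix, ec2:ModifySnapshotAttribute.
"""
import json
import subprocess
import sys
from typing import Any, Callable, Iterable

PUBLIC_GROUP = "all"  # the createVolumePermission group that means "any AWS account"


def aws(*args: str) -> Any:
    """Run an AWS CLI command with JSON output and return the parsed result."""
    completed = subprocess.run(
        ["aws", *args, "--output", "json"], check=True, capture_output=True, text=True
    )
    return json.loads(completed.stdout) if completed.stdout.strip() else {}


def public_permissions(create_volume_permissions: Iterable[dict]) -> list[dict]:
    """Return the entries of a CreateVolumePermissions list that grant public access.

    The list comes from `aws ec2 describe-snapshot-attribute --attribute
    createVolumePermission`: empty for a private snapshot, {"UserId": ...}
    entries for account-level sharing, {"Group": "all"} for a public snapshot.
    """
    return [p for p in create_volume_permissions if p.get("Group") == PUBLIC_GROUP]


def classify(attribute_response: dict) -> str:
    """Classify one describe-snapshot-attribute response: public, shared or private."""
    perms = attribute_response.get("CreateVolumePermissions", [])
    if public_permissions(perms):
        return "public"
    if perms:
        return "shared"
    return "private"


def audit(snapshot_ids: Iterable[str], fetch_attribute: Callable[[str], dict]) -> dict[str, str]:
    """Map each snapshot ID to its classification.

    fetch_attribute is injected so the same logic runs against live AWS data
    or against constructed responses.
    """
    return {sid: classify(fetch_attribute(sid)) for sid in snapshot_ids}


def list_owned_snapshot_ids() -> list[str]:
    """Snapshot IDs owned by the calling account (step 1 of the Test Plan)."""
    return aws("ec2", "describe-snapshots", "--owner-ids", "self",
               "--query", "Snapshots[].SnapshotId")


def fetch_attribute_from_aws(snapshot_id: str) -> dict:
    """The createVolumePermission attribute of one snapshot."""
    return aws("ec2", "describe-snapshot-attribute", "--snapshot-id", snapshot_id,
               "--attribute", "createVolumePermission")


def make_private(snapshot_id: str) -> None:
    """Remove the 'all' group, i.e. the Disable Public Access step above."""
    subprocess.run(["aws", "ec2", "modify-snapshot-attribute", "--snapshot-id", snapshot_id,
                    "--attribute", "createVolumePermission", "--operation-type", "remove",
                    "--group-names", PUBLIC_GROUP], check=True)


# Constructed sample responses shaped like describe-snapshot-attribute output.
# The snapshot IDs are placeholders, not real resources.
SAMPLE_RESPONSES: dict[str, dict] = {
    "snap-0private0000000001": {"SnapshotId": "snap-0private0000000001",
                                "CreateVolumePermissions": []},
    "snap-0shared00000000002": {"SnapshotId": "snap-0shared00000000002",
                                "CreateVolumePermissions": [{"UserId": "111122223333"}]},
    "snap-0public00000000003": {"SnapshotId": "snap-0public00000000003",
                                "CreateVolumePermissions": [{"Group": "all"}]},
}


def main(argv: list[str]) -> int:
    """Print one line per snapshot; exit 1 if any snapshot is public."""
    demo = "--demo" in argv
    fix = "--fix" in argv and not demo
    if demo:
        results = audit(SAMPLE_RESPONSES, SAMPLE_RESPONSES.__getitem__)
    else:
        results = audit(list_owned_snapshot_ids(), fetch_attribute_from_aws)
    for sid, state in sorted(results.items()):
        print(f"{sid}\t{state}")
        if state == "public" and fix:
            make_private(sid)
    return 1 if "public" in results.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with --demo to see the three classifications on the constructed data, with no arguments to audit the account read-only (a non-zero exit code is convenient for a scheduled check), and with --fix to also perform the remediation. Snapshots classified as shared are reported but never modified, which matches the Cons note about snapshots intentionally shared with trusted accounts.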

Backout Plan

If restricting public access causes issues:

Using AWS Console:

  1. Re-enable public access for specific snapshots that require sharing.

  2. Document and monitor the shared snapshots.

Using AWS CLI:

Add Public Access Back:

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission --operation-type add --group-names all

References

CIS Controls

Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.        |     |     |
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. |     |     |
v7      | 9.1        | Limit Exposure to External Networks – Use techniques like disabling public snapshot access.              |     |     |