Profile Applicability:

  • Level 1

Description:
To protect your organization's data, it is important to ensure that public access to EBS snapshots is disabled. Although snapshots are created private, any snapshot can be shared with all AWS accounts (made public), which can expose sensitive data to unintended parties. Disabling public access prevents accidental leaks and unauthorized access to snapshot data.

Rationale:
EBS snapshots can contain sensitive data, including system configurations, application data, or secrets. Allowing public access to snapshots means that anyone with an AWS account can view or copy your snapshot. Disabling public access ensures that sensitive information is only accessible to authorized accounts within your organization, protecting against potential data breaches or misuse of your data.

Impact:
Pros:

  • Increased security by ensuring that EBS snapshots are not publicly accessible.

  • Prevents accidental exposure of sensitive data to unauthorized AWS accounts.

  • Helps maintain compliance with security standards that require data protection at rest.

Cons:

  • Requires active monitoring of snapshot permissions to ensure public access is never inadvertently enabled.

  • Additional administrative overhead for managing access permissions for specific users or accounts.

Default Value:
By default, EBS snapshots are private. However, AWS allows snapshots to be shared with all AWS accounts, making it possible for snapshots to be accidentally made public.

Pre-requisites:

  • AWS IAM permissions to manage EBS snapshots and their permissions:
     ec2:DescribeSnapshots, ec2:ModifySnapshotAttribute, ec2:CopySnapshot

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, under Elastic Block Store, click Snapshots.

  3. Select a snapshot from the list.

  4. Click on Actions and then Modify Permissions.

  5. In the Modify Snapshot Permissions dialog, confirm that the snapshot is set to Private.

  6. Repeat the above steps for any additional snapshots across different regions and AWS accounts.

Using AWS CLI:

  1. For each snapshot, run the following command to check the permissions:

    aws ec2 describe-snapshot-attribute \
    --snapshot-id <snapshot-ID> \
    --attribute createVolumePermission

  2. In the CreateVolumePermissions list of the output, validate that no entry has Group set to all; that entry is what makes the snapshot public. The command only reports snapshots in the region the CLI is pointed at, so repeat it for each region in use.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. Under Elastic Block Store, click on Snapshots.

  3. Select the snapshot you wish to modify.

  4. Click on Actions, then Modify Permissions.

  5. Ensure that the Private radio button is selected to disable public access.

  6. If you need to share the snapshot with specific AWS accounts, you can add them under the Private section by specifying the AWS Account Numbers.

  7. Click Save to apply the changes.

  8. Repeat the process for any other snapshots that require modification.

Using AWS CLI:

  1. To set the snapshot to private, run the following command:

    aws ec2 modify-snapshot-attribute \
    --snapshot-id <snapshot-ID> \
    --attribute createVolumePermission \
    --operation remove --group-name all

  2. Verify that the snapshot permissions have been updated:

    aws ec2 describe-snapshot-attribute \
    --snapshot-id <snapshot-ID> \
    --attribute createVolumePermission
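The following is an added example, not part of the benchmark text: a Python script using boto3 that applies the Test Plan check (Group set to all in createVolumePermission) to every snapshot the account owns in every region and, when run with --remediate, applies the same removal as the Implementation Plan CLI command. The snapshot ID and account number in the embedded sample response are constructed values.

```python
"""Audit (and optionally fix) EBS snapshots that are shared with group 'all'."""
import json

# Constructed sample of a describe-snapshot-attribute response: the snapshot is
# public (Group "all") and also shared privately with one specific account.
SAMPLE_PUBLIC = json.loads("""
{"SnapshotId": "snap-0123456789abcdef0",
 "CreateVolumePermissions": [{"Group": "all"}, {"UserId": "111122223333"}],
 "ProductCodes": []}
""")


def snapshot_is_public(attr):
    """True if any createVolumePermission entry grants the 'all' group."""
    perms = attr.get("CreateVolumePermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def shared_with(attr):
    """Account IDs the snapshot is explicitly (privately) shared with."""
    perms = attr.get("CreateVolumePermissions", [])
    return sorted(p["UserId"] for p in perms if "UserId" in p)


def audit_region(ec2, remediate=False):
    """Return IDs of public snapshots owned by this account in one region.

    `ec2` is a boto3 EC2 client for that region. With remediate=True the
    'all' group is removed, which is exactly what the CLI command above does.
    """
    public = []
    pages = ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
    for page in pages:
        for snap in page["Snapshots"]:
            sid = snap["SnapshotId"]
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=sid, Attribute="createVolumePermission")
            if not snapshot_is_public(attr):
                continue
            public.append(sid)
            if remediate:  # make the snapshot private again
                ec2.modify_snapshot_attribute(
                    SnapshotId=sid, Attribute="createVolumePermission",
                    OperationType="remove", GroupNames=["all"])
    return public


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live audit; the check functions are pure
    fix = "--remediate" in sys.argv
    regions = boto3.client("ec2").describe_regions()["Regions"]
    for region in (r["RegionName"] for r in regions):
        for sid in audit_region(boto3.client("ec2", region_name=region), fix):
            print(f"{region} {sid} PUBLIC{' -> made private' if fix else ''}")
```

Running it requires the ec2:DescribeSnapshots and ec2:ModifySnapshotAttribute permissions listed under Pre-requisites; without --remediate it only reports.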

Backout Plan:

Using AWS Console:

  1. If changes made to the snapshot permissions cause issues, log in to the EC2 Console.

  2. Under Snapshots, select the modified snapshot.

  3. Click Actions, then Modify Permissions, and ensure that the Public option is selected if necessary.

  4. Click Save to revert the changes.

Using AWS CLI:

  1. If reverting to public access is required, run the following command:

    aws ec2 modify-snapshot-attribute \
    --snapshot-id <snapshot-ID> \
    --attribute createVolumePermission \
    --operation add --group-name all

  2. Verify that the snapshot permissions have been reverted to public:

    aws ec2 describe-snapshot-attribute \
    --snapshot-id <snapshot-ID> \
    --attribute createVolumePermission

References:

  1. AWS EC2: EBS Snapshots

  2. AWS CLI: describe-snapshot-attribute

  3. AWS CLI: modify-snapshot-attribute

CIS Controls:

  Version   Control ID   Control Description
  v8        3.3          Configure data access control lists (ACLs) to prevent unauthorized access to sensitive data, including ensuring that EBS snapshots are not publicly accessible.
  v7        14.6         Protect information stored on systems, including EBS snapshots, by enforcing access control lists that restrict public access.