Profile Applicability:

  • Level 1

Description:

This control ensures that Amazon Elastic Block Store (EBS) snapshots are not publicly shared. Public EBS snapshots can be accessed by any AWS account, potentially exposing sensitive data such as system configurations, application data, or personally identifiable information (PII). Restricting snapshot access ensures that only authorized accounts or individuals can view or restore data from EBS backups. 

Rationale:

Publicly shared EBS snapshots are a significant data exposure risk. Attackers can copy and inspect snapshot contents if they are accessible publicly, leading to data breaches and compliance violations. Limiting snapshot permissions to specific AWS accounts or keeping them private ensures secure storage and data confidentiality. This aligns with security frameworks like CIS, SOC 2, ISO 27001, and NIST 800-53, which require strict control over data access and backup protection. 

Impact:

  • Positive Impact: Prevents unauthorized data exposure and strengthens data protection and compliance posture.

  • Negative Impact: May restrict legitimate external data sharing, requiring explicit sharing configurations for trusted AWS accounts. 

Default Value:

By default, newly created EBS snapshots are private and accessible only within the owning AWS account. 

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSnapshots, ec2:ModifySnapshotAttribute, ec2:DescribeSnapshotAttribute. 

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 → Snapshots.

  3. Select each snapshot and view the Permissions tab.

  4. Review the “Shared with” column:

    • If Public is selected or listed, the snapshot is non-compliant.

    • If only specific AWS account IDs are listed, it is compliant.

  5. Ensure all EBS snapshots are private or shared only with approved accounts.

Implementation Plan:

Using AWS Console:

  1. Navigate to EC2 → Snapshots.

  2. Select any snapshot that is publicly shared.

  3. Click Actions → Modify Permissions.

  4. Uncheck Public access.

  5. (Optional) If sharing is required, specify trusted AWS account IDs under “Shared with specific accounts.”

  6. Click Save changes.

  7. Verify that the snapshot’s access level is now set to Private.
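The test plan and implementation plan above, carried out against the EC2 API instead of the console, as an added example that is not part of the benchmark text: it classifies each snapshot from its ec2:DescribeSnapshotAttribute response, flags snapshots that are public or shared with accounts outside an approved list, and builds the ec2:ModifySnapshotAttribute call that removes only the public group. The snapshot and account IDs in SAMPLE are constructed, and the approved-account list is an assumption the page leaves to the operator.

```python
from typing import Dict, Iterable, List, Tuple

PUBLIC_GROUP = "all"  # the only group name EC2 accepts for snapshot sharing


def classify_sharing(attr: Dict) -> str:
    """'public' if shared with group 'all', 'shared' if only account IDs are listed, else 'private'."""
    perms = attr.get("CreateVolumePermissions", [])
    if any(p.get("Group") == PUBLIC_GROUP for p in perms):
        return "public"
    return "shared" if any("UserId" in p for p in perms) else "private"


def unapproved_accounts(attr: Dict, approved: Iterable[str]) -> List[str]:
    """Account IDs the snapshot is shared with that are not on the approved list."""
    allowed = set(approved)
    return sorted(p["UserId"] for p in attr.get("CreateVolumePermissions", [])
                  if "UserId" in p and p["UserId"] not in allowed)


def make_private_params(snapshot_id: str) -> Dict:
    """kwargs for ec2.modify_snapshot_attribute that drop only the public group (account shares stay)."""
    return {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission",
            "OperationType": "remove", "GroupNames": [PUBLIC_GROUP]}


def audit(snapshots: Iterable[Tuple[str, Dict]], approved: Iterable[str] = ()) -> List[Dict]:
    """One finding per snapshot that is public or shared with an account not on the approved list."""
    findings = []
    for snapshot_id, attr in snapshots:
        status, extra = classify_sharing(attr), unapproved_accounts(attr, approved)
        if status == "public" or extra:
            findings.append({"SnapshotId": snapshot_id, "status": status, "unapproved_accounts": extra,
                             "fix": make_private_params(snapshot_id) if status == "public" else None})
    return findings


def iter_snapshot_attributes(ec2) -> Iterable[Tuple[str, Dict]]:
    """Yield (id, createVolumePermission attribute) for each owned snapshot; ec2 is a boto3 EC2 client."""
    kwargs = {"OwnerIds": ["self"]}
    while True:  # DescribeSnapshots pages with NextToken
        page = ec2.describe_snapshots(**kwargs)
        for snap in page["Snapshots"]:
            yield snap["SnapshotId"], ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]


# Constructed sample responses (not real snapshots): one public, one shared, one private.
SAMPLE = [("snap-0000000000000001", {"CreateVolumePermissions": [{"Group": "all"}]}),
          ("snap-0000000000000002", {"CreateVolumePermissions": [{"UserId": "111111111111"},
                                                                 {"UserId": "222222222222"}]}),
          ("snap-0000000000000003", {"CreateVolumePermissions": []})]
```

Against a live account, pass `iter_snapshot_attributes(boto3.client("ec2"))` to `audit` together with the approved account IDs; each finding whose `fix` is set can be passed as `ec2.modify_snapshot_attribute(**fix)` once reviewed, which needs the ec2:ModifySnapshotAttribute permission listed under Pre-Requisite.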

Backout Plan:

Using AWS Console:

  1. If temporary public sharing was required for data migration or testing, ensure the snapshot is returned to Private immediately after use.

  2. Maintain an audit trail of all snapshots and their sharing history for compliance reporting.


References: