Ensure that your AWS Elastic Block Store (EBS) volume snapshots are not public (i.e. publicly shared with other AWS accounts) in order to avoid exposing personal and sensitive data. Cloud Conformity strongly recommends against sharing your EBS snapshots with all AWS accounts. If required, you can share your volume snapshots with particular AWS accounts without making them publicly accessible.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
When you share an EBS volume snapshot publicly, you give every other AWS account permission to both copy the snapshot and create a volume from it. Most of the time your EBS snapshots contain full images of your applications (including their data), so sharing snapshots in this manner is not recommended.
To identify any publicly accessible EBS volume snapshots within your AWS account, perform the following:
Case A: To completely remove public access from your EBS volume snapshots and make them private (i.e. accessible only from the current AWS account), perform the following:
Case B: To remove public access from your EBS volume snapshots while still sharing them with specific AWS accounts, perform the following:
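As an added example (not part of this Conformity rule page or its product code), the following script classifies snapshots from the JSON that `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` returns and generates the `modify-snapshot-attribute` commands for Case A (make private) and Case B (share with listed accounts only). The snapshot IDs and account ID are constructed placeholders; in practice you would feed it the real attribute output for each snapshot owned by your account.

```python
# Constructed sample: one createVolumePermission attribute document per snapshot,
# in the shape returned by `aws ec2 describe-snapshot-attribute`.
SAMPLE_ATTRIBUTES = [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001",                       # placeholder ID
     "CreateVolumePermissions": [{"Group": "all"}]},              # public
    {"SnapshotId": "snap-0a1b2c3d4e5f60002",                       # placeholder ID
     "CreateVolumePermissions": [{"UserId": "111122223333"}]},    # shared with one account
    {"SnapshotId": "snap-0a1b2c3d4e5f60003",                       # placeholder ID
     "CreateVolumePermissions": []},                              # private
]


def is_public(attr):
    """True when the attribute grants the 'all' group, i.e. any AWS account
    may copy the snapshot or create a volume from it."""
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def shared_accounts(attr):
    """Account IDs explicitly granted createVolumePermission (Case B sharing)."""
    return sorted(p["UserId"] for p in attr.get("CreateVolumePermissions", []) if "UserId" in p)


def remediation_commands(attr, allowed_accounts=()):
    """AWS CLI commands that drop the public grant (Case A) and, when
    allowed_accounts is given, add any of those accounts not yet shared with (Case B)."""
    sid = attr["SnapshotId"]
    cmds = []
    if is_public(attr):
        cmds.append(f"aws ec2 modify-snapshot-attribute --snapshot-id {sid} "
                    "--attribute createVolumePermission --operation-type remove --group-names all")
    missing = [a for a in allowed_accounts if a not in shared_accounts(attr)]
    if missing:
        cmds.append(f"aws ec2 modify-snapshot-attribute --snapshot-id {sid} "
                    "--attribute createVolumePermission --operation-type add "
                    "--user-ids " + " ".join(missing))
    return cmds


def audit(attrs):
    """Map each snapshot ID to 'PUBLIC', 'SHARED' or 'PRIVATE'."""
    result = {}
    for attr in attrs:
        status = "PUBLIC" if is_public(attr) else ("SHARED" if shared_accounts(attr) else "PRIVATE")
        result[attr["SnapshotId"]] = status
    return result


if __name__ == "__main__":
    for attr in SAMPLE_ATTRIBUTES:
        print(attr["SnapshotId"], audit([attr])[attr["SnapshotId"]], remediation_commands(attr))
```

Only snapshots reported as PUBLIC violate this rule; SHARED snapshots are the Case B outcome and should be reviewed against the list of accounts you intend to share with.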
Amazon EBS Public Snapshots
Risk level: High