Ensure that your AWS Elastic Block Store (EBS) volume snapshots are not public (i.e. shared with all AWS accounts) in order to avoid exposing personal and sensitive data. Cloud Conformity strongly recommends against sharing your EBS snapshots with all AWS accounts. If required, you can share your volume snapshots with particular AWS accounts without making them publicly accessible.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you share an EBS volume snapshot publicly, you give any other AWS account permission to both copy the snapshot and create a volume from it. EBS snapshots usually contain full images of your applications, including their data, so sharing them in this manner is not recommended.
Audit
To identify any publicly accessible EBS volume snapshots within your AWS account, perform the following:
Case A: To remove public access to your EBS volume snapshots entirely and make them private (i.e. accessible only from the current AWS account), perform the following:
Case B: To remove public access to your EBS volume snapshots but keep sharing them with specific AWS accounts, perform the following:
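The following is an added example (not Conformity's own tooling) that ties the audit step and both remediation cases together. It reads the JSON that `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` prints for each snapshot, classifies every snapshot as public, shared or private, and then builds the `aws ec2 modify-snapshot-attribute` commands for Case A (revoke the `all` group) or Case B (revoke `all`, then grant named account IDs). The snapshot IDs and account IDs in the sample responses are constructed placeholders; the CLI flags used in the generated commands (`--operation-type`, `--group-names`, `--user-ids`) are the real ones documented for `modify-snapshot-attribute`.

```python
"""Audit EBS snapshot sharing and build the matching remediation commands.

Input is the JSON returned by
  aws ec2 describe-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission
A snapshot is public when CreateVolumePermissions contains {"Group": "all"},
shared when it lists specific {"UserId": "..."} entries, and private when it is empty.
"""
import json
import re
from typing import Dict, Iterable, List

# Constructed sample responses; snapshot IDs and the account ID are made-up placeholders.
SAMPLE_RESPONSES = [
    '{"SnapshotId": "snap-0aaaaaaaaaaaaaaaa", "CreateVolumePermissions": [{"Group": "all"}]}',
    '{"SnapshotId": "snap-0bbbbbbbbbbbbbbbb", "CreateVolumePermissions": [{"UserId": "111122223333"}]}',
    '{"SnapshotId": "snap-0cccccccccccccccc", "CreateVolumePermissions": []}',
]

ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits


def classify(response: dict) -> str:
    """Return 'public', 'shared' or 'private' for one describe-snapshot-attribute response."""
    perms = response.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "public"   # any AWS account can copy it or create a volume from it
    if any("UserId" in p for p in perms):
        return "shared"   # explicitly shared with named accounts only
    return "private"


def audit(responses: Iterable[str]) -> Dict[str, str]:
    """Map each snapshot ID to its sharing state for a batch of JSON responses."""
    result = {}
    for text in responses:
        data = json.loads(text)
        result[data["SnapshotId"]] = classify(data)
    return result


def make_private_command(snapshot_id: str) -> str:
    """Case A: drop the 'all' group so only the owning account can use the snapshot."""
    return (
        f"aws ec2 modify-snapshot-attribute --snapshot-id {snapshot_id} "
        "--attribute createVolumePermission --operation-type remove --group-names all"
    )


def share_with_accounts_commands(snapshot_id: str, account_ids: List[str]) -> List[str]:
    """Case B: remove public access first, then grant only the listed account IDs."""
    bad = [a for a in account_ids if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    return [
        make_private_command(snapshot_id),
        f"aws ec2 modify-snapshot-attribute --snapshot-id {snapshot_id} "
        f"--attribute createVolumePermission --operation-type add --user-ids {' '.join(account_ids)}",
    ]


def remediation_plan(responses: Iterable[str], allowed_accounts: List[str] = None) -> Dict[str, List[str]]:
    """Commands to run for every public snapshot: Case B when accounts are given, else Case A."""
    plan = {}
    for snap_id, state in audit(responses).items():
        if state != "public":
            continue  # shared-with-named-accounts and private snapshots already pass the rule
        if allowed_accounts:
            plan[snap_id] = share_with_accounts_commands(snap_id, allowed_accounts)
        else:
            plan[snap_id] = [make_private_command(snap_id)]
    return plan


if __name__ == "__main__":
    for snap_id, state in audit(SAMPLE_RESPONSES).items():
        print(f"{snap_id}: {state}")
    for cmds in remediation_plan(SAMPLE_RESPONSES).values():
        print("\n".join(cmds))
```

In practice you would feed `audit()` one `describe-snapshot-attribute` response per snapshot ID returned by `aws ec2 describe-snapshots --owner-ids self`, review the printed commands, and only then run them; the Case B order (remove `all` before adding user IDs) matters, because adding accounts without removing the group leaves the snapshot public.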
References
- AWS Documentation
  - Trusted Advisor Best Practices (Checks)
  - Amazon EBS Snapshots
  - Sharing an Amazon EBS Snapshot
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-snapshots
    - describe-snapshot-attribute
    - modify-snapshot-attribute