Ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible (i.e. shared with all AWS accounts and users) in order to avoid exposing your private data.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you share an RDS manual DB snapshot publicly (its "restore" attribute is set to the value "all"), any AWS account can copy the snapshot and restore a DB instance from it, so the entire contents of the database are exposed. Only manual, unencrypted snapshots can be made public: AWS does not allow encrypted snapshots to be shared publicly, and automated snapshots must first be copied to a manual snapshot before they can be shared at all. Cloud Conformity strongly recommends against sharing your database snapshots with all AWS accounts. If a snapshot must be shared, share it only with the specific (trusted) AWS account IDs that need it, without making it public. Bear in mind that making a snapshot private again does not revoke copies that other accounts have already taken; if a snapshot holding sensitive data was exposed, treat that data as compromised and rotate any credentials it contained.
Audit
To identify any publicly accessible RDS database snapshots within your AWS account, perform the following:
Remediation / Resolution
Case A: To remove public access from your RDS database snapshots completely and make them private (i.e. usable only from the current AWS account), perform the following:
Remediation / Resolution
Case B: To remove public access from your RDS database snapshots and share them only with specific AWS accounts, perform the following:
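The following script is an added example, not Conformity's own code, covering both the Audit section and remediation Cases A and B. It shells out to the AWS CLI commands listed under References (describe-db-snapshots, describe-db-snapshot-attributes, modify-db-snapshot-attribute) rather than using boto3, so its only dependency is a configured aws binary. It handles DB instance snapshots only; for Aurora cluster snapshots the assumed substitutions are describe-db-cluster-snapshot-attributes, modify-db-cluster-snapshot-attribute and --db-cluster-snapshot-identifier. The sample responses at the bottom are constructed to match the CLI's JSON shape and are not captured from a real account; the account IDs and snapshot names are placeholders.

```python
"""Audit manual RDS DB snapshots for public sharing and build the
modify-db-snapshot-attribute call that fixes them (added example, not Conformity's code).
Uses the AWS CLI via subprocess so the only dependency is a configured `aws` binary."""
import json
import re
import subprocess
from typing import Callable, Iterable, List, Optional

RESTORE = "restore"   # the only snapshot attribute RDS supports
PUBLIC = "all"        # literal value RDS stores in the restore attribute when a snapshot is public
ACCOUNT_ID = re.compile(r"^\d{12}$")


def aws_cli(args: List[str], region: Optional[str] = None) -> dict:
    """Run one AWS CLI command and parse its JSON output."""
    cmd = ["aws", *args, "--output", "json"]
    if region:
        cmd += ["--region", region]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def restore_values(attributes_response: dict) -> List[str]:
    """Account IDs (or 'all') in the restore attribute of a
    describe-db-snapshot-attributes response; an empty list means private."""
    for attr in attributes_response["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
        if attr.get("AttributeName") == RESTORE:
            return list(attr.get("AttributeValues", []))
    return []


def classify(attributes_response: dict) -> str:
    """'public' (shared with all accounts), 'shared' (specific accounts) or 'private'."""
    values = restore_values(attributes_response)
    if PUBLIC in values:
        return "public"
    return "shared" if values else "private"


def find_public_snapshots(snapshots: List[dict], attributes_for: Callable[[str], dict]) -> List[str]:
    """Identifiers of manual snapshots whose restore attribute contains 'all'.
    attributes_for is injected so the logic can run on canned responses offline."""
    public = []
    for snap in snapshots:
        if snap.get("SnapshotType") != "manual":
            continue  # automated snapshots cannot be shared; only manual ones can be public
        ident = snap["DBSnapshotIdentifier"]
        if classify(attributes_for(ident)) == "public":
            public.append(ident)
    return public


def remediation_command(snapshot_id: str, allowed_accounts: Iterable[str] = (),
                        region: Optional[str] = None) -> List[str]:
    """argv for modify-db-snapshot-attribute.
    Case A (no accounts): remove 'all' so only this account can use the snapshot.
    Case B (accounts given): remove 'all' and add the 12-digit account IDs in one call."""
    accounts = list(allowed_accounts)
    bad = [a for a in accounts if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    cmd = ["aws", "rds", "modify-db-snapshot-attribute",
           "--db-snapshot-identifier", snapshot_id,
           "--attribute-name", RESTORE,
           "--values-to-remove", PUBLIC]
    if accounts:
        cmd += ["--values-to-add", *accounts]
    if region:
        cmd += ["--region", region]
    return cmd


def audit_and_fix(region: Optional[str] = None, allowed_accounts: Iterable[str] = (),
                  apply: bool = False) -> List[List[str]]:
    """Live run against the current account: list public manual snapshots in the region
    and return the fix command for each; the commands are executed only when apply=True."""
    snaps = aws_cli(["rds", "describe-db-snapshots", "--snapshot-type", "manual"], region)["DBSnapshots"]
    public = find_public_snapshots(
        snaps, lambda i: aws_cli(["rds", "describe-db-snapshot-attributes", "--db-snapshot-identifier", i], region))
    fixes = [remediation_command(i, allowed_accounts, region) for i in public]
    if apply:
        for cmd in fixes:
            subprocess.run(cmd, check=True)
    return fixes


# Constructed sample responses shaped like the CLI's JSON (not captured from a real account).
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "prod-db-final", "SnapshotType": "manual"},
    {"DBSnapshotIdentifier": "rds:prod-db-2024-01-01-03-00", "SnapshotType": "automated"},
    {"DBSnapshotIdentifier": "staging-db-copy", "SnapshotType": "manual"},
]
SAMPLE_ATTRIBUTES = {
    "prod-db-final": {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "prod-db-final",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    "rds:prod-db-2024-01-01-03-00": {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "rds:prod-db-2024-01-01-03-00",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}},
    "staging-db-copy": {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "staging-db-copy",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]}},
}

if __name__ == "__main__":
    # Offline demo on the constructed samples; call audit_and_fix() for a live account.
    for ident in find_public_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES.__getitem__):
        print("PUBLIC:", ident)
        print("  Case A:", " ".join(remediation_command(ident)))
        print("  Case B:", " ".join(remediation_command(ident, ["123456789012"])))
```

The Case B command removes "all" and adds the specific account IDs in a single modify-db-snapshot-attribute call, so there is no window in which the snapshot is private but not yet shared with the intended accounts. Run audit_and_fix() once per region, since snapshots and their attributes are regional, and re-run describe-db-snapshot-attributes afterwards to confirm the restore attribute no longer contains "all".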
References
- AWS Documentation
  - Trusted Advisor Best Practices (Checks)
  - How do I share manual Amazon RDS DB snapshots or DB cluster snapshots with another AWS account?
  - Sharing a DB Snapshot or DB Cluster Snapshot
- AWS Command Line Interface (CLI) Documentation
  - rds
  - describe-db-snapshots
  - describe-db-snapshot-attributes
  - modify-db-snapshot-attribute