
Amazon RDS Public Snapshots

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-023

Ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible (i.e. shared with all AWS accounts and users) in order to avoid exposing your private data.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you publicly share an AWS RDS database snapshot, you give every AWS account permission to both copy the snapshot and create database instances from it, which exposes the full contents of the database to anyone with an AWS account. Cloud Conformity strongly recommends against sharing your database snapshots with all AWS accounts. If sharing is required, you can share an RDS snapshot with a particular (friendly) AWS account without making it public.


Audit

To identify any publicly accessible RDS database snapshots within your AWS account, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Snapshots.

04 Select Manual Snapshots from the Filter dropdown menu to display only manual database snapshots.

05 Select the snapshot that you want to examine.

06 Click Snapshot Actions button from the dashboard top menu and select Share Snapshot option.

07 On the Manage Snapshot Permissions page, check the DB Snapshot Visibility setting. If the setting value is set to Public, the selected Amazon RDS database snapshot is publicly accessible, therefore all AWS accounts and users have access to the data available on the snapshot.

08 Repeat steps no. 5 – 7 to verify the access permissions and visibility for other RDS snapshots available in the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-db-snapshots command (OSX/Linux/UNIX) using custom query filters to list the names (identifiers) of all manual RDS database snapshots available within the selected AWS region:

aws rds describe-db-snapshots \
    --region us-east-1 \
    --snapshot-type manual \
    --output table \
    --query 'DBSnapshots[*].DBSnapshotIdentifier'

02 The command output should return a table with the requested snapshot identifiers:

---------------------------------
|      DescribeDBSnapshots      |
+-------------------------------+
|  cc-prod-mvp-snapshot         |
|  cc-dev-mvp-final-snapshot    |
|  cc-mysql-aurora-snapshot     |
+-------------------------------+

03 Run describe-db-snapshot-attributes command (OSX/Linux/UNIX) using the name of a database snapshot returned at the previous step as the identifier, with a query filter that returns the snapshot's attribute list. The attribute named "restore" holds the IDs of the AWS accounts that are authorized to copy or restore the selected snapshot. If the value "all" appears in that list, the manual DB snapshot is public and any AWS account can copy or restore it:

aws rds describe-db-snapshot-attributes \
    --region us-east-1 \
    --db-snapshot-identifier cc-prod-mvp-snapshot \
    --query 'DBSnapshotAttributesResult.DBSnapshotAttributes'

04 The command output should return information about the permissions to restore RDS instances from the selected snapshot:

[
    {
        "AttributeName": "restore",
        "AttributeValues": [
            "all"
        ]
    }
]

If "all" appears in the "AttributeValues" list, the selected Amazon RDS database snapshot is publicly accessible and any AWS account can copy or restore it. An empty list means the snapshot is private; a list containing only 12-digit account IDs means it is shared with those specific accounts.

05 Repeat steps no. 3 and 4 to verify the access permissions for other manual RDS snapshots available in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for other AWS regions.
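The steps above have to be repeated per snapshot and per region, and describe-db-snapshots does not list Aurora DB cluster snapshots, which have their own describe-db-cluster-snapshots and describe-db-cluster-snapshot-attributes calls. The following script automates the same check across every enabled region and both snapshot kinds. It is an added example, not code from the Conformity page; it assumes boto3 is installed and that the caller's credentials allow ec2:DescribeRegions and the rds:Describe* actions it calls. The classification helpers are pure and can be run offline; SAMPLE_PUBLIC is a constructed input that mirrors the output shown in step 04.

```python
"""Audit manual RDS instance and cluster snapshots in every region for public sharing."""
from typing import Dict, List

PUBLIC_MARKER = "all"  # the literal value RDS stores in "restore" when a snapshot is public

# Constructed sample, shaped like the describe-db-snapshot-attributes output above.
SAMPLE_PUBLIC = [{"AttributeName": "restore", "AttributeValues": ["all"]}]


def restore_accounts(attributes: List[Dict]) -> List[str]:
    """Return the 'restore' values (12-digit account IDs and/or 'all') for a snapshot.

    `attributes` is the DBSnapshotAttributes or DBClusterSnapshotAttributes list from
    the corresponding describe-*-snapshot-attributes response. Empty means private.
    """
    for attr in attributes:
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def classify(attributes: List[Dict]) -> str:
    """'public' if 'all' is present, 'shared' if only specific accounts, else 'private'."""
    accounts = restore_accounts(attributes)
    if PUBLIC_MARKER in accounts:
        return "public"  # any AWS account can copy or restore the snapshot
    return "shared" if accounts else "private"


def scan_region(session, region: str) -> List[Dict]:
    """Return one finding per manual instance and cluster snapshot in a region."""
    rds = session.client("rds", region_name=region)
    findings = []
    # DB instance snapshots: what the page's describe-db-snapshots command returns.
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            sid = snap["DBSnapshotIdentifier"]
            attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)[
                "DBSnapshotAttributesResult"]["DBSnapshotAttributes"]
            findings.append({"region": region, "kind": "instance", "id": sid,
                             "visibility": classify(attrs), "accounts": restore_accounts(attrs)})
    # Aurora cluster snapshots: not listed by describe-db-snapshots, so check them too.
    for page in rds.get_paginator("describe_db_cluster_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBClusterSnapshots"]:
            sid = snap["DBClusterSnapshotIdentifier"]
            attrs = rds.describe_db_cluster_snapshot_attributes(DBClusterSnapshotIdentifier=sid)[
                "DBClusterSnapshotAttributesResult"]["DBClusterSnapshotAttributes"]
            findings.append({"region": region, "kind": "cluster", "id": sid,
                             "visibility": classify(attrs), "accounts": restore_accounts(attrs)})
    return findings


def scan_account() -> List[Dict]:
    """Walk every region enabled for the account (requires AWS credentials)."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    session = boto3.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    return [finding for region in regions for finding in scan_region(session, region)]


if __name__ == "__main__":
    public = [f for f in scan_account() if f["visibility"] == "public"]
    for f in public:
        print(f"{f['region']} {f['kind']} snapshot {f['id']} is PUBLIC (restore={f['accounts']})")
    raise SystemExit(1 if public else 0)
```

The script exits non-zero when any public snapshot is found, so it can run as a scheduled check. Note that it deliberately keeps "shared" separate from "public": a snapshot shared with named accounts is the Case B outcome the Remediation section allows, and only the "all" marker is the finding this rule flags.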

Remediation / Resolution

Case A: To remove public access from your RDS database snapshots entirely and make them private (i.e. accessible only from the current AWS account), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Snapshots.

04 Select Manual Snapshots from the Filter dropdown menu to display only manual database snapshots.

05 Select the RDS snapshot that you want to make private (see Audit section part I to identify the right resource).

06 Click Snapshot Actions button from the dashboard top menu and select Share Snapshot option.

07 On the Manage Snapshot Permissions page, select Private next to DB Snapshot Visibility to make the selected snapshot accessible only from the current AWS account. Click Save to apply the changes.

08 Repeat steps no. 5 – 7 to restrict public access to other RDS database snapshots created within the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run modify-db-snapshot-attribute command (OSX/Linux/UNIX) using the snapshot name as identifier (see Audit section part II to identify the right RDS resource) to remove the permission for any AWS account to restore database instances from the selected snapshot and make it private:

aws rds modify-db-snapshot-attribute \
    --region us-east-1 \
    --db-snapshot-identifier cc-prod-mvp-snapshot \
    --attribute-name restore \
    --values-to-remove all

02 The command output should return details about the permissions to restore database instances from the selected snapshot:

{
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "cc-prod-mvp-snapshot",
        "DBSnapshotAttributes": [
            {
                "AttributeName": "restore",
                "AttributeValues": []
            }
        ]
    }
}

03 Repeat steps no. 1 and 2 to remove public access from other AWS RDS snapshots available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

Case B: To restrict the public access to your RDS database snapshots and share them only with specific AWS accounts, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under RDS Dashboard, click Snapshots.

04 Select Manual Snapshots from the Filter dropdown menu to display only manual database snapshots.

05 Select the RDS snapshot whose access you want to restrict to specific AWS accounts (see Audit section part I to identify the right resource).

06 Click Snapshot Actions button from the dashboard top menu and select Share Snapshot.

07 On the Manage Snapshot Permissions page, perform the following actions:

  1. Select Private to make the selected RDS snapshot private.
  2. Within the AWS Account Number box, enter the ID number (e.g. 123456789012) of the AWS account with whom you want to share the selected database snapshot and click Add Permission to confirm the action.
  3. Click Save to apply the new permission changes.

08 Repeat steps no. 5 – 7 to restrict access for other RDS database snapshots available in the current region only to specific AWS accounts.

09 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Execute modify-db-snapshot-attribute command (OSX/Linux/UNIX) with --attribute-name restore and --values-to-remove all to make the selected AWS RDS snapshot private. Removing "all" first matters: adding an account to a snapshot that is still shared with "all" leaves it public.

aws rds modify-db-snapshot-attribute \
    --region us-east-1 \
    --db-snapshot-identifier cc-prod-mvp-snapshot \
    --attribute-name restore \
    --values-to-remove all

02 The command output should return metadata about the selected snapshot permissions:

{
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "cc-prod-mvp-snapshot",
        "DBSnapshotAttributes": [
            {
                "AttributeName": "restore",
                "AttributeValues": []
            }
        ]
    }
}

03 Now run modify-db-snapshot-attribute command (OSX/Linux/UNIX) to update the permissions for restoring database instances from the selected snapshot so that only a specific (friendly) AWS account can use it. The following command uses the --values-to-add parameter to authorize the AWS account identified by the ID 123456789012 to copy or restore the selected RDS snapshot (replace the example account ID with the ID of the account you want to share with):

aws rds modify-db-snapshot-attribute \
    --region us-east-1 \
    --db-snapshot-identifier cc-prod-mvp-snapshot \
    --attribute-name restore \
    --values-to-add 123456789012

04 The command output should return the snapshot permissions metadata, with the restore list now containing only the account you added:

{
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "cc-prod-mvp-snapshot",
        "DBSnapshotAttributes": [
            {
                "AttributeName": "restore",
                "AttributeValues": [
                    "123456789012"
                ]
            }
        ]
    }
}

05 Repeat steps no. 1 – 4 to restrict access for other RDS database snapshots only to specific AWS accounts.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 for other regions.
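Both remediation cases reduce to the same operation: make the snapshot's "restore" list equal to an approved set of account IDs (empty for Case A, one or more accounts for Case B), removing "all" whenever it is present. The script below is an added example, not code from the Conformity page. It computes the ValuesToRemove / ValuesToAdd diff, applies it in a single modify-db-snapshot-attribute call, and verifies the result from the API response. FakeRDS is a constructed stand-in for a boto3 RDS client so the script runs offline; replace it with boto3.client("rds", region_name=...) to run against a real account (credentials must allow rds:DescribeDBSnapshotAttributes and rds:ModifyDBSnapshotAttribute). The snapshot name and account IDs are placeholders.

```python
"""Restrict a manual RDS snapshot's restore permission to an approved account set."""
import re
from typing import Dict, List, Set, Tuple

ACCOUNT_ID = re.compile(r"^\d{12}$")


def restore_accounts(attributes: List[Dict]) -> List[str]:
    """Return the 'restore' values (account IDs and/or 'all'); empty means private."""
    for attr in attributes:
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def plan_changes(current: List[str], approved: Set[str]) -> Tuple[List[str], List[str]]:
    """Compute (ValuesToRemove, ValuesToAdd) that make the restore list exactly `approved`.

    'all' is never a legitimate allow-list member, so it is always removed; the
    allow-list itself is validated as 12-digit account IDs before anything is changed.
    """
    bad = [a for a in approved if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    to_remove = sorted(v for v in current if v == "all" or v not in approved)
    to_add = sorted(a for a in approved if a not in current)
    return to_remove, to_add


def remediate(rds, snapshot_id: str, approved: Set[str], dry_run: bool = True) -> List[str]:
    """Apply the plan to one snapshot and return the restore list afterwards."""
    attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snapshot_id)[
        "DBSnapshotAttributesResult"]["DBSnapshotAttributes"]
    current = restore_accounts(attrs)
    to_remove, to_add = plan_changes(current, approved)
    if not to_remove and not to_add:
        return current  # already compliant, nothing to change
    if dry_run:
        print(f"{snapshot_id}: would remove {to_remove} and add {to_add}")
        return current
    params = {"DBSnapshotIdentifier": snapshot_id, "AttributeName": "restore"}
    if to_remove:
        params["ValuesToRemove"] = to_remove
    if to_add:
        params["ValuesToAdd"] = to_add
    result = rds.modify_db_snapshot_attribute(**params)  # removal and addition in one call
    final = restore_accounts(result["DBSnapshotAttributesResult"]["DBSnapshotAttributes"])
    # Trust the returned state, not the request: fail loudly if 'all' somehow survived.
    if set(final) != approved:
        raise RuntimeError(f"{snapshot_id}: restore list is {final}, expected {sorted(approved)}")
    return final


class FakeRDS:
    """Constructed in-memory stand-in for the two boto3 RDS calls used above."""

    def __init__(self, values: List[str]):
        self.values = list(values)

    def _result(self, sid: str) -> Dict:
        return {"DBSnapshotAttributesResult": {
            "DBSnapshotIdentifier": sid,
            "DBSnapshotAttributes": [{"AttributeName": "restore",
                                      "AttributeValues": list(self.values)}]}}

    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier: str) -> Dict:
        return self._result(DBSnapshotIdentifier)

    def modify_db_snapshot_attribute(self, DBSnapshotIdentifier: str, AttributeName: str,
                                     ValuesToAdd=(), ValuesToRemove=()) -> Dict:
        self.values = [v for v in self.values if v not in ValuesToRemove]
        self.values += [v for v in ValuesToAdd if v not in self.values]
        return self._result(DBSnapshotIdentifier)


if __name__ == "__main__":
    snapshot = FakeRDS(["all"])  # starts out public, like cc-prod-mvp-snapshot in the audit
    print("Case A:", remediate(snapshot, "cc-prod-mvp-snapshot", set(), dry_run=False))
    snapshot = FakeRDS(["all"])
    print("Case B:", remediate(snapshot, "cc-prod-mvp-snapshot", {"123456789012"}, dry_run=False))
```

Run it first with dry_run=True to print the planned changes per snapshot; the verification step at the end exists because the page's own Case B procedure, if the "remove all" step is skipped, silently leaves the snapshot public while appearing to have shared it with one account.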

Publication date Feb 9, 2019