Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

EBS Volumes Recent Snapshots

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EBS-004

Ensure that your EBS volumes (available or in-use) have recent snapshots (taken weekly) available for point-in-time recovery for a better, more reliable data backup strategy. The threshold for the time frame between the volume snapshots is 7 days, meaning there should be a snapshot taken at least every 7 days.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Creating point-in-time EBS snapshots periodically will allow you to handle efficiently your data recovery process in the event of a failure, to save your data before shutting down an EC2 instance, to back up data for geographical expansion and to maintain your disaster recovery stack up to date.

Audit

To determine if you have any recent (< 7 days) snapshots available for your EBS volumes, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Snapshots.

04 Select the EBS volume snapshot that you need to examine.

05 Select the Description tab from the bottom panel.

06 Under Volume ID check for the Started parameter value to determine the date and time when the selected snapshot was taken:

heck for the Started parameter value

If the volume snapshot has been created more than 7 days ago, you must take a new snapshot (see Remediation / Resolution section). Note: In certain instances, for example if a user creates an EBS-backed EC2 instance, takes a snapshot of the EBS volume, terminates the instance and creates a new EBS volume from that snapshot, the information visible in the AWS console may be confusing. For example: The “snapshot ID” field for a given volume may show an existing snapshot, but the “volume ID” field for that snapshot will not match the given volume, as the volume it did match has been terminated.

07 Repeat step no. 4, 5 and 6 for each EBS snapshot available in the current region. Change the AWS region from the navigation bar:

Change the AWS region from the navigation bar

to repeat the process for the other regions.

Using AWS CLI

01 Run describe-snapshots command (OSX/Linux/UNIX) to determine if your EBS volume snapshots are older than 7 days. The next example expose the metadata for each completed snapshot available in the US East region, for the AWS account with the ID 353366855517: 

aws ec2 describe-snapshots
	--owner-ids 353366855517
	--region us-east-1
	--filters Name=status,Values=completed

02 The command output should reveal the creation date and time for each snapshot available in the selected region. Check the StartTime parameter value to determine if there are any snapshots older than 7 days: 

{
    "Snapshots": [
        {
            "Description": "EBS Snapshot March 2016",
            "Encrypted": false,
            "VolumeId": "vol-78ad1aa9",
            "State": "completed",
            "VolumeSize": 15,
            "Progress": "100%",
            "StartTime": "2016-03-18T10:26:08.000Z",
            "SnapshotId": "snap-6ae87605",
            "OwnerId": "353366855517"
        },
	       ...
        {
            "Description": "EBS attached volume",
            "Encrypted": false,
            "VolumeId": "vol-44853295",
            "State": "completed",
            "VolumeSize": 15,
            "Progress": "100%",
            "StartTime": "2016-03-22T11:43:31.000Z",
            "SnapshotId": "snap-8ad1379f",
            "OwnerId": "353366855517"
        }
    ]
}

Remediation / Resolution

To maintain your EBS backup stack up-to-date, you need to create new EBS snapshots. To complete the process perform the following:

Note: if you have encrypted EBS volumes, any associated snapshots should remain also protected as the snapshots taken from encrypted volumes are automatically encrypted.

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Volumes.

04 Select the EBS volume that you need to back up.

05 Click Actions dropdown button from the dashboard top menu and select Create Snapshot:

Click Actions dropdown button from the dashboard top menu and select Create Snapshot

06 In the Create Snapshot dialog box, provide a name and a description for the volume snapshot and click Create.

07 Repeat step no. 4, 5 and 6 for each EBS volume (available or in-use) within the current region. Change the AWS region from the navigation bar:

Change the AWS region from the navigation bar

to repeat the same process for the other regions.

Using AWS CLI

01 Run create-snapshot command (OSX/Linux/UNIX) to create a new snapshot from your selected volume (regardless the volume encryption status). The following example use an EBS volume with the ID vol-78ad1aa9: 

aws ec2 create-snapshot
	--volume-id vol-78ad1aa9

02 The command output should return the new EBS snapshot metadata. The current state for the snapshot should be pending: 

{
    "Description": "",
    "Encrypted": false,
    "VolumeId": "vol-78ad1aa9",
    "State": "pending",
    "VolumeSize": 15,
    "Progress": "",
    "StartTime": "2016-04-18T13:33:50.000Z",
    "SnapshotId": "snap-009d1314",
    "OwnerId": "123456789012"
}

03 Run describe-snapshots command (OSX/Linux/UNIX) to determine the state of the newly created snapshot:

aws ec2 describe-snapshots
	--snapshot-id snap-009d1314

04 The command output should return the current snapshot state. If the State parameter value is completed, the EBS volume snapshot has been successfully created: 

{
    "Snapshots": [
        {
            "Description": "",
            "Encrypted": false,
            "VolumeId": "vol-78ad1aa9",
            "State": "completed",
            "VolumeSize": 15,
            "Progress": "100%",
            "StartTime": "2016-04-18T13:33:50.000Z",
            "SnapshotId": "snap-009d1314",
            "OwnerId": "123456789012"
        }
    ]
}

References

Publication date Apr 18, 2016

Related EBS rules