
Amazon EBS Public Snapshots

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: EBS-009

Ensure that your AWS Elastic Block Store (EBS) volume snapshots are not public (i.e. publicly shared with other AWS accounts) in order to avoid exposing personal and sensitive data. Cloud Conformity strongly recommends against sharing your EBS snapshots with all AWS accounts. If required, you can share your volume snapshots with particular AWS accounts without making them publicly accessible.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you share an EBS volume snapshot publicly, you give another AWS account permission to both copy the snapshot and create a volume from it. Most of the time your AWS EBS snapshots will contain mirrors of your applications (including their data), therefore sharing your snapshots in this manner is not recommended.

Audit

To identify any publicly accessible EBS volume snapshots within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.

04 Select the volume snapshot that you want to examine.

05 Select the Permissions tab from the dashboard bottom panel and check the snapshot access permissions. If the selected EBS volume snapshot is publicly accessible, the EC2 dashboard will display the status "This snapshot is currently Public".

06 Repeat steps no. 4 and 5 to verify the access permissions for other EBS volume snapshots available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run the describe-snapshots command (OSX/Linux/UNIX) with custom filtering to list the IDs of all completed EBS volume snapshots owned by your AWS account in the selected region (replace 123456789012, the AWS account ID used below, with your own account ID):

aws ec2 describe-snapshots \
	--region us-east-1 \
	--owner-ids 123456789012 \
	--filters Name=status,Values=completed \
	--output table \
	--query 'Snapshots[*].SnapshotId'

02 The command output should return the EBS snapshot IDs requested:

----------------------------
|     DescribeSnapshots    |
+--------------------------+
|  snap-0ee33391e721cfe2f  |
|  snap-0b82cb946915a7e4f  |
|  snap-0a19e59873298d777  |
|  snap-0a90c29fc1b5664c9  |
+--------------------------+

03 Run the describe-snapshot-attribute command (OSX/Linux/UNIX) with the ID of an EBS snapshot returned at the previous step as identifier, and query filters to check the value of the createVolumePermission attribute set for the selected EBS volume snapshot. The createVolumePermission attribute holds the list of permissions for creating EBS volumes from the selected snapshot:

aws ec2 describe-snapshot-attribute \
	--region us-east-1 \
	--snapshot-id snap-0ee33391e721cfe2f \
	--attribute createVolumePermission \
	--query 'CreateVolumePermissions[]'

04 The command output should return information about the permissions for creating EBS volumes from the selected snapshot:

{
    "Group": "all"
}

If the command output contains "Group": "all", the selected Amazon EBS volume snapshot is accessible to all AWS accounts and users: "Group": "all" means that anyone can create EBS volumes from the selected snapshot.

05 Repeat steps no. 3 and 4 to verify the permissions for creating volumes from other EBS snapshots available in the current region.

06 Repeat steps no. 1 – 5 to perform the entire audit process for other AWS regions.

Case A: To completely remove public access to your EBS volume snapshots and make them private (i.e. accessible only from the current AWS account), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Elastic Block Store, click Snapshots.

04 Select the EBS snapshot that you want to make private (see Audit section part I to identify the right resource).

05 Select Permissions tab from the dashboard bottom panel and click the Edit button to update the access permissions for the selected volume snapshot.

06 Inside Modify Permissions dialog box, within This snapshot is currently section, select Private then click Save. The selected snapshot permissions status should change to "This snapshot is currently Private.".

07 Repeat steps no. 4 – 6 to restrict public access to other EBS volume snapshots created within the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run modify-snapshot-attribute command (OSX/Linux/UNIX) using the snapshot ID as identifier (see Audit section part II to identify the right EBS resource) to update the permissions for creating volumes from the selected snapshot and make it private (the command does not produce an output):

aws ec2 modify-snapshot-attribute \
	--region us-east-1 \
	--snapshot-id snap-0ee33391e721cfe2f \
	--attribute createVolumePermission \
	--operation-type remove \
	--group-names all

02 Repeat step no. 1 to completely remove public access to other AWS EBS snapshots available within the current region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 for other regions.

Case B: To restrict the public access to your EBS volume snapshots but share them with specific AWS accounts, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under ELASTIC BLOCK STORE section, choose Snapshots.

04 Select the EBS snapshot that you want to make private (see Audit section part I to identify the right resource).

05 Select Permissions tab from the dashboard bottom panel and click the Edit button to update the selected volume snapshot access permissions.

06 Inside Modify Image Permissions dialog box, perform the following actions:

  1. Select Private to make the selected EBS snapshot private.
  2. Within the AWS Account Number box, enter the ID number (e.g. 123456789012) of the AWS account with which you want to share the selected volume snapshot and click Add Permission to confirm the action.
  3. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to restrict access for other EBS volume snapshots available in the current region only to specific AWS accounts.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 First, execute the modify-snapshot-attribute command (OSX/Linux/UNIX) with the --operation-type remove and --group-names all parameters to make the selected AWS EBS snapshot private (the command does not produce an output):

aws ec2 modify-snapshot-attribute \
	--region us-east-1 \
	--snapshot-id snap-0ee33391e721cfe2f \
	--attribute createVolumePermission \
	--operation-type remove \
	--group-names all

02 Then run the modify-snapshot-attribute command (OSX/Linux/UNIX) again with the --operation-type add parameter to update the permissions for creating volumes from the selected snapshot and make it accessible only from a specific (trusted) AWS account. Replace 123456789012 with the ID of the AWS account you want to share the snapshot with (the command does not return an output):

aws ec2 modify-snapshot-attribute \
	--region us-east-1 \
	--snapshot-id snap-0ee33391e721cfe2f \
	--attribute createVolumePermission \
	--operation-type add \
	--user-ids 123456789012

03 Repeat step no. 1 and 2 to restrict access for other EBS volume snapshots only to specific AWS accounts.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.
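The CLI audit (steps 3 and 4 of the Audit section) and the two remediation cases above can be combined into a single script. The following is an added example, not Conformity's own code or tooling: the pure functions classify a snapshot's createVolumePermission list exactly as the audit does (an entry with Group set to "all" means public; entries with a UserId are account-level shares) and build the corresponding modify-snapshot-attribute operations for Case A (remove the "all" group) and Case B (remove "all", then add the trusted accounts). The sample permission lists are constructed and the snapshot IDs are the illustrative ones from the page; the live helpers at the bottom use boto3, which is assumed to be installed with credentials configured, and are only invoked when the script is run directly.

```python
"""Audit and remediate public Amazon EBS snapshots (added example, not Conformity code)."""
from __future__ import annotations

from typing import Iterable

# Constructed sample: CreateVolumePermissions lists for three snapshots.
# The first mirrors the public ("Group": "all") case shown in the Audit section.
SAMPLE_PERMISSIONS = {
    "snap-0ee33391e721cfe2f": [{"Group": "all"}],
    "snap-0b82cb946915a7e4f": [{"UserId": "111122223333"}],
    "snap-0a19e59873298d777": [],
}

ATTRIBUTE = "createVolumePermission"


def classify(permissions: list[dict]) -> dict:
    """Summarise a createVolumePermission list as {"public": bool, "shared_with": [ids]}.

    A snapshot is public exactly when an entry carries Group == "all".
    Entries with a UserId are shares with specific accounts (Case B) and are not public.
    """
    public = any(p.get("Group") == "all" for p in permissions)
    shared_with = sorted(p["UserId"] for p in permissions if "UserId" in p)
    return {"public": public, "shared_with": shared_with}


def find_public(perms_by_snapshot: dict[str, list[dict]]) -> list[str]:
    """Return the IDs of all snapshots whose permissions make them public."""
    return sorted(sid for sid, perms in perms_by_snapshot.items() if classify(perms)["public"])


def remediation_ops(snapshot_id: str, permissions: list[dict],
                    allow_accounts: Iterable[str] = ()) -> list[dict]:
    """Build the ModifySnapshotAttribute calls needed to fix one snapshot.

    Case A (no allow_accounts): remove the "all" group if it is present.
    Case B: remove "all" first, then add any allowed account not already shared with.
    Each dict holds the kwargs for boto3's EC2.Client.modify_snapshot_attribute,
    matching the `aws ec2 modify-snapshot-attribute` commands on the page.
    """
    summary = classify(permissions)
    ops: list[dict] = []
    if summary["public"]:
        ops.append({"SnapshotId": snapshot_id, "Attribute": ATTRIBUTE,
                    "OperationType": "remove", "GroupNames": ["all"]})
    missing = [acct for acct in allow_accounts if acct not in summary["shared_with"]]
    if missing:
        ops.append({"SnapshotId": snapshot_id, "Attribute": ATTRIBUTE,
                    "OperationType": "add", "UserIds": missing})
    return ops


# Live helpers: require boto3 and AWS credentials, so they are not run offline.
def audit_region(region: str, owner_id: str) -> dict[str, list[dict]]:
    """Collect createVolumePermission lists for every completed snapshot you own in a region."""
    import boto3  # assumed available in the live environment

    ec2 = boto3.client("ec2", region_name=region)
    result: dict[str, list[dict]] = {}
    paginator = ec2.get_paginator("describe_snapshots")
    pages = paginator.paginate(OwnerIds=[owner_id],
                               Filters=[{"Name": "status", "Values": ["completed"]}])
    for page in pages:
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(SnapshotId=snap["SnapshotId"],
                                                   Attribute=ATTRIBUTE)
            result[snap["SnapshotId"]] = attr["CreateVolumePermissions"]
    return result


def apply_ops(region: str, ops: list[dict]) -> None:
    """Apply the operations built by remediation_ops() in the given region."""
    import boto3  # assumed available in the live environment

    ec2 = boto3.client("ec2", region_name=region)
    for op in ops:
        ec2.modify_snapshot_attribute(**op)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in audit_region()
    # output and call apply_ops() to run the real audit and remediation.
    print("public snapshots:", find_public(SAMPLE_PERMISSIONS))
    for sid, perms in SAMPLE_PERMISSIONS.items():
        print(sid, remediation_ops(sid, perms, allow_accounts=["111122223333"]))
```

Running audit_region() once per region returned by `aws ec2 describe-regions` covers the "repeat for other regions" steps; feeding its output to find_public() gives the same answer as checking each snapshot's Permissions tab by hand, and remediation_ops() with an empty allow list reproduces Case A while a non-empty list reproduces Case B.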

Publication date Feb 9, 2019