This rule ensures that Amazon EBS snapshots are not public, protecting data security. Critical severity with 307 total compliance count.
| Rule | Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone |
| Framework | AWS Foundational Security Best Practices |
| Severity | Critical |
Rule Description
Amazon Elastic Block Store (EBS) snapshots should not be publicly accessible. A snapshot is public when the "all" group holds the createVolumePermission on it, which lets any AWS account copy the snapshot or create a volume from it and read everything the source disk contained: file systems, application data, configuration, credentials and keys. Keeping snapshots private satisfies this AWS Foundational Security Best Practices control and removes a direct path to unauthorized access and data breaches.
Troubleshooting Steps
If any of your EBS snapshots are publicly accessible, restrict access immediately. Treat the time the snapshot was public as a possible disclosure: anyone could have copied it in the meantime, and revoking the permission does not recall copies, so review what the snapshot contained (secrets, keys, customer data) and rotate or notify as appropriate.
Identify Publicly Accessible EBS Snapshots: Use the AWS Management Console or AWS Command Line Interface (CLI) to identify any EBS snapshots that are public.
AWS Management Console: Go to the EC2 Dashboard, navigate to the "Snapshots" section, select each snapshot and review its "Permissions" tab; a public snapshot is shown as shared publicly.
AWS CLI: The `--restorable-by-user-ids all` filter returns only snapshots that anyone can create volumes from. Restrict it to snapshots you own, otherwise public snapshots from other accounts are listed as well:
aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all --query 'Snapshots[].SnapshotId' --output text
To inspect a single snapshot, read its createVolumePermission attribute; an entry of {"Group": "all"} means it is public:
aws ec2 describe-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission
Restrict Public Access: Once you have identified the publicly accessible snapshots, you must revoke the public permissions.
AWS Management Console: Select the snapshot, open "Actions" > "Modify permissions", set the snapshot to "Private" and save.
AWS CLI: Run the following command to remove the public ("all") group from the snapshot's createVolumePermission. Only the public group is removed; any sharing with specific account IDs is left in place, so review those entries separately:
aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission --group all --operation-type remove
Re-run the describe-snapshot-attribute command afterwards to confirm that {"Group": "all"} is no longer listed.
Necessary Codes
There is no application code to change for this rule. Remediation consists of the AWS Management Console actions and AWS CLI commands described in the troubleshooting steps.
Step-by-Step Guide for Remediation
Follow these steps to remediate the issue of publicly accessible Amazon EBS snapshots:
1. Log in to the AWS Management Console or open the AWS CLI with credentials for the affected account and Region.
2. Identify the snapshots that have public permissions: in the console, open EC2 > Snapshots and review the "Permissions" tab of each snapshot; with the CLI, run aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all.
3. Note down the snapshot IDs, or keep the console open for reference.
4. For each publicly accessible snapshot, remove the public permission: in the console, choose "Actions" > "Modify permissions" and set the snapshot to "Private"; with the CLI, run aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission --group all --operation-type remove.
5. Verify that the snapshot's permissions have been updated and it is no longer public: aws ec2 describe-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission must no longer list {"Group": "all"}.
6. Repeat steps 4 and 5 for any other publicly accessible snapshots identified. Snapshot permissions are per Region, so repeat the check in every Region the account uses.
7. Once all snapshots have been updated, ensure that future snapshots cannot be made public: enable block public access for EBS snapshots in each Region (aws ec2 enable-snapshot-block-public-access --state block-all-sharing) and limit the ec2:ModifySnapshotAttribute permission in IAM to the roles that genuinely need to share snapshots.
By following these steps, you will restrict public access to your Amazon EBS snapshots and comply with the AWS Foundational Security Best Practices.
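The identify, revoke and verify loop from the troubleshooting steps and the step-by-step guide, as one added Python/boto3 script (example code, not part of the original page or of AWS's own tooling). It assumes the boto3 EC2 client API; `FakeEC2` and its snapshot IDs are a constructed stand-in so the logic can be exercised offline before it is pointed at a real account with `--apply`.

```python
"""Find, revoke and verify public Amazon EBS snapshots in one Region.

Added example: wraps the describe-snapshots / modify-snapshot-attribute /
describe-snapshot-attribute calls from the remediation steps in boto3 so the
whole loop can be dry-run first. FakeEC2 is a constructed in-memory stand-in
for boto3.client("ec2") used only to demonstrate the logic offline.
"""
import argparse


def is_public(create_volume_permissions):
    """A snapshot is public when the 'all' group may create volumes from it."""
    return any(p.get("Group") == "all" for p in create_volume_permissions)


def public_snapshot_ids(ec2):
    """IDs of snapshots owned by this account that anyone can restore.

    OwnerIds=['self'] with RestorableByUserIds=['all'] is the API form of
    `aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all`.
    """
    ids, token = [], None
    while True:
        kwargs = {"OwnerIds": ["self"], "RestorableByUserIds": ["all"]}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_snapshots(**kwargs)
        ids.extend(s["SnapshotId"] for s in page["Snapshots"])
        token = page.get("NextToken")
        if not token:
            return ids


def snapshot_is_public(ec2, snapshot_id):
    """The verify step: read the createVolumePermission attribute directly."""
    attr = ec2.describe_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission")
    return is_public(attr["CreateVolumePermissions"])


def revoke_public(ec2, snapshot_id):
    """Remove only the 'all' group; shares with specific account IDs remain."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="remove",
        GroupNames=["all"],
    )


def remediate(ec2, dry_run=True):
    """Return {snapshot_id: 'would-revoke' | 'revoked' | 'still-public'}."""
    results = {}
    for sid in public_snapshot_ids(ec2):
        if dry_run:
            results[sid] = "would-revoke"
            continue
        revoke_public(ec2, sid)
        # Re-read the attribute rather than trusting the modify call succeeded.
        results[sid] = "still-public" if snapshot_is_public(ec2, sid) else "revoked"
    return results


class FakeEC2:
    """Constructed stand-in: two sample snapshots, one shared publicly."""

    def __init__(self):
        self.perms = {
            "snap-public-example": [{"Group": "all"}, {"UserId": "111122223333"}],
            "snap-private-example": [{"UserId": "111122223333"}],
        }

    def describe_snapshots(self, **kwargs):
        return {"Snapshots": [{"SnapshotId": sid}
                              for sid, p in self.perms.items() if is_public(p)]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        self.perms[SnapshotId] = [p for p in self.perms[SnapshotId]
                                  if p.get("Group") not in GroupNames]


def main():
    parser = argparse.ArgumentParser(description="Revoke public EBS snapshot sharing")
    parser.add_argument("--region", required=True)
    parser.add_argument("--apply", action="store_true",
                        help="revoke for real; default is a dry run")
    args = parser.parse_args()
    import boto3  # only needed for a live run against AWS
    ec2 = boto2 = boto3.client("ec2", region_name=args.region)
    for sid, outcome in remediate(ec2, dry_run=not args.apply).items():
        print(f"{sid}: {outcome}")


if __name__ == "__main__":
    main()
```

Run it once without `--apply` to see which snapshots would be changed, then with `--apply` in each Region the account uses; the "still-public" outcome flags a snapshot whose attribute still lists the "all" group after the modify call and needs manual inspection.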