This rule ensures that EBS snapshots are not publicly restorable to maintain data security.
| Field | Value |
|---|---|
| Rule | EBS snapshots should not be publicly restorable |
| Framework | FedRAMP Low Revision 4 |
| Severity | Medium |
Rule Description:
EBS (Elastic Block Store) snapshots should not be publicly restorable for FedRAMP Low Revision 4 compliance. A snapshot is publicly restorable when its createVolumePermission attribute grants the group `all`: any AWS account can then create a volume from the snapshot, attach it to an instance and read every block of the original disk, including credentials, keys and application data that were on it. Only unencrypted snapshots can be shared publicly; encrypted snapshots can be shared with specific account IDs but not with `all`. Public sharing is almost never intended, so this rule flags any snapshot that carries the `all` grant and requires it to be removed.
Troubleshooting Steps:
There may be instances where EBS snapshots are publicly restorable due to misconfiguration or oversight. To troubleshoot and remediate this issue, follow the steps below:
Identify publicly restorable EBS snapshots: Use the AWS CLI (Command Line Interface) or AWS Management Console to list the snapshots your account owns and check their createVolumePermission attribute. In the console, the Permissions tab of a snapshot shows it as Public or Private; on the CLI, `aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all` returns only the snapshots that are restorable by everyone.
Analyze snapshot permissions: For each snapshot found, read the full createVolumePermission list with `aws ec2 describe-snapshot-attribute`. Besides the `all` group entry, note any specific account IDs the snapshot is shared with and confirm each one is still an authorized consumer.
Update the snapshot permissions: Remove the `all` group from createVolumePermission. Sharing with specific, trusted account IDs can stay if it is still needed; the fix targets only the public grant.
Verify the changes: Re-read the attribute and confirm that no `all` group entry remains and that only authorized account IDs are listed. Re-run the `--restorable-by-user-ids all` listing; the remediated snapshots must no longer appear.
Necessary Codes (AWS CLI):
If you prefer using the AWS CLI, you can execute the following commands to perform the steps mentioned above. The `PublicRestorable` field used in some older write-ups does not exist in the `describe-snapshots` output; public status is found by filtering on `--restorable-by-user-ids all` or by reading the createVolumePermission attribute.

```bash
# 1. List snapshots owned by this account that anyone can restore (group "all")
aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all \
  --query 'Snapshots[*].[SnapshotId,Encrypted,VolumeId,StartTime]' --output table

# 2. Inspect the full permission list for one snapshot (look for {"Group": "all"})
aws ec2 describe-snapshot-attribute --snapshot-id <snapshot-id> \
  --attribute createVolumePermission

# 3. Remove only the public grant; account-specific grants are left in place
aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> \
  --attribute createVolumePermission --operation-type remove --group-names all

# 4. Verify: the snapshot must no longer appear in the public listing
aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all \
  --snapshot-ids <snapshot-id> --query 'Snapshots[*].SnapshotId'
```

Note: Replace `<snapshot-id>` with the actual ID of the snapshot you want to modify. Snapshots are regional, so repeat the listing in every region you use (`--region` or a loop over `aws ec2 describe-regions`).

Remediation Steps:
To remediate the issue and enforce the rule of not allowing publicly restorable EBS snapshots, follow the step-by-step guide below:
Identify the affected EBS snapshots: Use the AWS Management Console or AWS CLI to list, in every region, the snapshots whose createVolumePermission grants the `all` group. Make a list of these snapshots for further analysis.
Check snapshot permissions: Review the permission list for each identified snapshot. Decide which specific account IDs, if any, should keep access; everything else, and the `all` group in particular, must go.
Update snapshot permissions: Remove the `all` group from createVolumePermission with `modify-snapshot-attribute --operation-type remove --group-names all`, and remove any account IDs that are no longer authorized. Consider whether a snapshot that was public should also be treated as exposed: if its contents included secrets, rotate them, since the snapshot may already have been copied.
Verify the changes: Re-read the createVolumePermission attribute and re-run the public listing. The affected snapshots must show no `all` grant and only the intended account IDs.
Repeat the process regularly: To maintain compliance with the rule, periodically check for new snapshots that may have inadvertently been made public and follow the same steps. To prevent recurrence rather than only detect it, enable the regional "block public access for snapshots" setting (`aws ec2 enable-snapshot-block-public-access --state block-all-sharing`), which rejects new public grants and hides existing ones; `block-new-sharing` is the weaker option that only stops new grants.
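The identify, inspect, remove and verify loop above, implemented against the boto3 EC2 API as an added example (this is not the rule page's own tooling). The boto3 operation names and parameters are the real ones; `FakeEC2` and `SAMPLE_PERMISSIONS` are constructed stand-ins so the logic can be exercised offline, and the `--live` flag is an assumption of this script, not an AWS convention.

```python
"""Audit and remediate publicly restorable EBS snapshots.

Added example for this rule page, not the page's own code. It uses the real
boto3 EC2 operations describe_snapshots, describe_snapshot_attribute and
modify_snapshot_attribute. FakeEC2 and SAMPLE_PERMISSIONS are constructed
stand-ins so the code runs offline; pass --live to use a real boto3 client.
"""
import sys
from typing import Any

try:
    import boto3  # only needed for --live; a missing boto3 is fine offline
except ImportError:
    boto3 = None

# "Public" means createVolumePermission grants the group "all": any AWS
# account can create a volume from the snapshot and read every block of it.
PUBLIC_GROUP = "all"


def is_publicly_restorable(attr: dict[str, Any]) -> bool:
    """attr is a describe_snapshot_attribute(Attribute='createVolumePermission') response."""
    return any(p.get("Group") == PUBLIC_GROUP
               for p in attr.get("CreateVolumePermissions", []))


def list_public_snapshots(ec2) -> list[str]:
    """IDs of snapshots this account owns that AWS reports restorable by everyone."""
    ids: list[str] = []
    kwargs: dict[str, Any] = {"OwnerIds": ["self"], "RestorableByUserIds": [PUBLIC_GROUP]}
    while True:  # paginate; a large account returns more than one page
        page = ec2.describe_snapshots(**kwargs)
        ids.extend(s["SnapshotId"] for s in page["Snapshots"])
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


def remove_public_restore(ec2, snapshot_id: str) -> bool:
    """Remove only the group 'all' grant, leaving account-specific sharing intact,
    then re-read the attribute. Returns True when the snapshot is verified private."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="remove",
        GroupNames=[PUBLIC_GROUP],
    )
    attr = ec2.describe_snapshot_attribute(SnapshotId=snapshot_id,
                                           Attribute="createVolumePermission")
    return not is_publicly_restorable(attr)


def audit_and_remediate(ec2) -> dict[str, bool]:
    """Map each public snapshot ID to whether its remediation was verified."""
    return {sid: remove_public_restore(ec2, sid) for sid in list_public_snapshots(ec2)}


class FakeEC2:
    """Constructed offline stand-in for a boto3 EC2 client (example only)."""

    def __init__(self, perms: dict[str, list[dict[str, str]]]):
        self.perms = {k: list(v) for k, v in perms.items()}

    def describe_snapshots(self, OwnerIds, RestorableByUserIds=None, NextToken=None):
        snaps = [{"SnapshotId": sid} for sid, p in self.perms.items()
                 if RestorableByUserIds != [PUBLIC_GROUP]
                 or any(x.get("Group") == PUBLIC_GROUP for x in p)]
        return {"Snapshots": snaps}  # single page, so no NextToken

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType,
                                  GroupNames=(), UserIds=()):
        if OperationType == "remove":
            self.perms[SnapshotId] = [p for p in self.perms[SnapshotId]
                                      if p.get("Group") not in GroupNames
                                      and p.get("UserId") not in UserIds]


# Constructed sample: two public snapshots, one shared with a single account, one private.
SAMPLE_PERMISSIONS = {
    "snap-0aaa": [{"Group": "all"}],
    "snap-0bbb": [{"UserId": "111122223333"}],
    "snap-0ccc": [{"Group": "all"}, {"UserId": "111122223333"}],
    "snap-0ddd": [],
}

if __name__ == "__main__":
    live = "--live" in sys.argv and boto3 is not None
    client = boto3.client("ec2") if live else FakeEC2(SAMPLE_PERMISSIONS)
    for sid, ok in audit_and_remediate(client).items():
        print(f"{sid}: {'now private' if ok else 'STILL PUBLIC, investigate'}")
```

Run it against one region at a time with a real client; the verification step matters because `modify_snapshot_attribute` returns nothing useful on its own, and a snapshot that remains public after the call (for example because a different principal re-shared it) should be treated as an incident rather than a failed script run.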
By following these steps, you will ensure that EBS snapshots comply with the rule of not being publicly restorable for FedRAMP Low Revision 4 compliance.