Rule: EBS Snapshots Should Not Be Publicly Restorable

This rule ensures that EBS snapshots are not publicly restorable to maintain data security.

Rule: EBS snapshots should not be publicly restorable
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

The rule states that EBS (Elastic Block Store) snapshots should not be publicly restorable, in accordance with the NIST (National Institute of Standards and Technology) 800-53 Revision 5 security guidelines. This protects the confidentiality and integrity of data stored in EBS snapshots and prevents unauthorized individuals from accessing or restoring them.

Troubleshooting Steps

If you encounter any issues related to EBS snapshots being publicly restorable, you can follow these troubleshooting steps:

  1. Verify Snapshot Permissions: Check the permissions associated with the EBS snapshots. Ensure that the snapshot is not configured with a publicly accessible permission.

  2. Review IAM Policies: Validate the IAM (Identity and Access Management) policies associated with the AWS (Amazon Web Services) account. Ensure that there are no policies allowing public access to EBS snapshots.

  3. Review EBS Snapshot Sharing: Check if the EBS snapshots are being shared with other AWS accounts. Ensure that the sharing is limited to trusted accounts and not publicly accessible.

  4. Monitor CloudTrail Logs: Analyze the AWS CloudTrail logs to identify any suspicious activities related to EBS snapshot restoration or changes to snapshot permissions. Investigate and mitigate any unauthorized access or modifications.

Necessary Codes

There are no specific codes associated with this rule. However, you may need to write AWS CLI (Command Line Interface) commands to verify and modify the permissions of EBS snapshots if necessary.

Step-by-Step Guide for Remediation

Follow these step-by-step instructions to ensure EBS snapshots are not publicly restorable:

  1. Verify Snapshot Permissions

To check the permissions associated with a specific EBS snapshot, use the following AWS CLI command:

aws ec2 describe-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission

Replace <snapshot-id> with the actual ID of the EBS snapshot you want to check.

  2. Ensure EBS Snapshots Are Not Publicly Accessible

If the above command returns any output containing "Group": "all", it means the snapshot is publicly restorable. To restrict public access, use the following AWS CLI command:

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission --operation-type remove --group-names all

Replace <snapshot-id> with the actual ID of the EBS snapshot you want to modify.

  3. Review and Update IAM Policies

Review the IAM policies associated with your AWS account or relevant IAM roles. Ensure that there are no policies allowing public access to EBS snapshots. Remove or modify any policies that grant such permissions to restrict public restoration.

  4. Audit and Restrict Snapshot Sharing

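Check if the EBS snapshots are being shared with other AWS accounts. The describe-snapshots output does not include sharing information, so the AWS CLI command below lists the IDs of the snapshots you own and queries the createVolumePermission attribute of each one, showing the accounts and groups each snapshot is shared with:

aws ec2 describe-snapshots --owner-ids self --query 'Snapshots[*].SnapshotId' --output text | xargs -n1 aws ec2 describe-snapshot-attribute --attribute createVolumePermission --query '{ID: SnapshotId, SharedWith: CreateVolumePermissions}' --output json --snapshot-id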

Ensure that sharing is limited to trusted AWS accounts, and if any unauthorized sharing is noticed, remove the sharing or modify the permissions accordingly.

  5. Monitor CloudTrail Logging

Enable detailed AWS CloudTrail logging to capture any events related to EBS snapshot restoration or changes in snapshot permissions. Continuously monitor the CloudTrail logs and configure appropriate alerts to identify any unauthorized access or modifications. Investigate and remediate any suspicious activities accordingly.
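
The monitoring step above can be turned into a concrete check. The following Python is an added example, not code from the original page: it scans CloudTrail records for successful ModifySnapshotAttribute calls that make a snapshot public or share it with an account outside an allowlist. The function names, the trusted account ID and the sample events are constructed for illustration, and the record layout (requestParameters.createVolumePermission.add.items) is the layout this example assumes.

```python
# Assumption: account IDs trusted for snapshot sharing (placeholder value).
TRUSTED_ACCOUNTS = {"111122223333"}

def snapshot_sharing_findings(events, trusted=TRUSTED_ACCOUNTS):
    """Return one finding per successful public or untrusted-account share.
    Assumes the requestParameters.createVolumePermission.add.items layout."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "ec2.amazonaws.com", "ModifySnapshotAttribute"):
            continue
        if ev.get("errorCode"):  # the call was denied or failed: nothing changed
            continue
        params = ev.get("requestParameters") or {}
        perm = params.get("createVolumePermission") or {}
        # Only "add" widens access; "remove" entries are the remediation itself.
        for item in (perm.get("add") or {}).get("items") or []:
            if item.get("group") == "all":
                reason = "public"
            elif item.get("userId") and item["userId"] not in trusted:
                reason = "untrusted-account:" + item["userId"]
            else:
                continue
            findings.append({
                "snapshot": params.get("snapshotId"),
                "reason": reason,
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "time": ev.get("eventTime"),
            })
    return findings

def make_event(snapshot_id, change, error=None):
    """Build a constructed CloudTrail record, trimmed to the fields used above."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
            "eventTime": "2024-01-01T00:00:00Z", "errorCode": error,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
            "requestParameters": {"snapshotId": snapshot_id,
                                  "createVolumePermission": change}}

SAMPLE = [  # constructed events, not real log data
    make_event("snap-0001", {"add": {"items": [{"group": "all"}]}}),
    make_event("snap-0002", {"add": {"items": [{"userId": "111122223333"}]}}),
    make_event("snap-0003", {"add": {"items": [{"userId": "999988887777"}]}}),
    make_event("snap-0004", {"remove": {"items": [{"group": "all"}]}}),
    make_event("snap-0005", {"add": {"items": [{"group": "all"}]}}, "Client.UnauthorizedOperation"),
]

if __name__ == "__main__":
    for finding in snapshot_sharing_findings(SAMPLE):
        print(finding)
```

Of the five sample events, only the public share and the share with the unlisted account are reported; the trusted share, the permission removal and the denied call are ignored.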

By following these steps, you can ensure that EBS snapshots are not publicly restorable and comply with the NIST 800-53 Revision 5 security guidelines.
