AWS Elastic Block Store (EBS) Volume Snapshots are Not Public

Description:

Amazon Elastic Block Store (EBS) provides the ability to create snapshots of your volumes. These snapshots can be shared with other AWS accounts, or they can be made public, meaning that any AWS account can access them. While sharing can be useful in specific scenarios, making a snapshot public can expose sensitive data and configurations. Therefore, it's critical to ensure that EBS volume snapshots, especially those containing sensitive information, are not set to public.


Remediation:

1. Ensure EBS Volume Snapshots are Private:

AWS Management Console:
  • Navigate to the EC2 service in the AWS Console.
  • In the EC2 dashboard's left navigation pane, click on Snapshots.
  • Select the snapshot you want to check.
  • In the details pane, under the Permissions tab, ensure that the Public option is not selected.
  • If it's public, click on Edit and remove public access.
AWS CLI:

To check the permissions of a snapshot:

aws ec2 describe-snapshot-attribute --snapshot-id YOUR_SNAPSHOT_ID --attribute createVolumePermission

If the snapshot is public, remove the public access:

aws ec2 modify-snapshot-attribute --snapshot-id YOUR_SNAPSHOT_ID --attribute createVolumePermission --operation-type remove --group-names all
Terraform:

If you're using Terraform, ensure that the aws_ebs_snapshot resource doesn't have the all value for the snapshot_id attribute under the aws_ebs_snapshot_public data source.

data "aws_ebs_snapshot_public" "example" {
  most_recent = true

  filter {
    name   = "snapshot-id"
    values = [aws_ebs_snapshot.example.id]
  }

  # Ensure this doesn't exist:
  # owners = ["all"]
}

Recommendation:

Regularly review the permissions of your EBS snapshots to ensure they are not unintentionally made public. If you need to share a snapshot, consider sharing it with specific AWS account IDs rather than making it public. Implement AWS Config rules or custom CloudWatch Alarms to monitor and alert on any snapshots that are made public. Protecting your EBS snapshots from public access prevents unauthorized data access and potential data breaches, safeguarding your organization's data and reputation.