AWS RDS Snapshots Are Not Public

Description:

Amazon Relational Database Service (RDS) allows users to create snapshots of their database instances. While these snapshots can be shared among different AWS accounts for legitimate reasons, they can also be made public, meaning any AWS user can access them. Public RDS snapshots can potentially expose sensitive data and configurations. To protect your data and maintain a strong security posture, it's essential to ensure that RDS snapshots are not set to public accessibility.


Remediation:

1. Ensure RDS Snapshots are Private:

AWS Management Console:
  • Navigate to the RDS service in the AWS Console.
  • In the RDS dashboard's left navigation pane, click on Snapshots.
  • Select the snapshot you want to check.
  • In the details pane, under the Snapshot tab, check the Public accessibility column. If it says Yes, the snapshot is public.
  • To modify its access, click on the snapshot, then select Actions > Modify.
  • In the Modify Snapshot window, set Public Accessibility to No and click Modify.

AWS CLI:

To check the permissions of a snapshot:

aws rds describe-db-snapshot-attributes --db-snapshot-identifier YOUR_SNAPSHOT_ID

If the snapshot is public, modify its attributes to remove public access:

aws rds modify-db-snapshot-attribute --db-snapshot-identifier YOUR_SNAPSHOT_ID --attribute-name restore --values-to-remove all

(The value "all" in the restore attribute is what makes a snapshot public; removing it leaves any account-specific shares in place.)

Terraform:

If you're using Terraform, ensure that the aws_db_snapshot resource doesn't share the snapshot publicly. Public access is expressed by the value "all" in the shared_accounts argument, so that value must not appear:

resource "aws_db_snapshot" "example" {
  db_instance_identifier = aws_db_instance.example.identifier
  db_snapshot_identifier = "example-snapshot"

  # Do not include "all" here: that value makes the snapshot public.
  # Omit shared_accounts entirely, or list only the specific account IDs that need access.
  # shared_accounts = ["111122223333"]
}
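The CLI check and fix above, worked as a small audit script. This is an added example, not code from the original page; it uses only the standard library (no boto3) and runs against constructed sample responses in the shape that `aws rds describe-db-snapshot-attributes` returns. It classifies each snapshot as public, shared, or private and builds the `modify-db-snapshot-attribute` command only for the public ones, so it can be pointed at real CLI output via `audit_cli_output` without changing anything by itself.

```python
import json

# Constructed sample responses (not captured from a real account) in the shape
# returned by `aws rds describe-db-snapshot-attributes`.
SAMPLE_RESPONSES = [
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "prod-orders-2024-05-01",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "prod-orders-2024-05-02",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["111122223333"]}]}},
    {"DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "dev-scratch",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": []}]}},
]


def restore_values(response):
    """Return the values of the snapshot's 'restore' attribute.

    Each value is an AWS account ID the snapshot is shared with, or the literal
    string "all", which means every AWS account can restore it (public).
    """
    result = response["DBSnapshotAttributesResult"]
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def classify(response):
    """Classify a snapshot as "public", "shared" (specific accounts) or "private"."""
    values = restore_values(response)
    if "all" in values:
        return "public"
    if values:
        return "shared"
    return "private"


def is_public(response):
    return classify(response) == "public"


def remediation_command(response):
    """Build the argv for the CLI call that removes public access.

    Returns None when the snapshot is not public. Only "all" is removed, so
    any account-specific shares are left untouched.
    """
    if not is_public(response):
        return None
    snapshot_id = response["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
    return ["aws", "rds", "modify-db-snapshot-attribute",
            "--db-snapshot-identifier", snapshot_id,
            "--attribute-name", "restore",
            "--values-to-remove", "all"]


def audit(responses):
    """Map snapshot ID -> {"status", "shared_with"} for a list of responses."""
    report = {}
    for response in responses:
        snapshot_id = response["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
        report[snapshot_id] = {
            "status": classify(response),
            "shared_with": restore_values(response),
        }
    return report


def audit_cli_output(*json_texts):
    """Parse raw CLI JSON output (one describe call per snapshot) and audit it."""
    return audit([json.loads(text) for text in json_texts])


if __name__ == "__main__":
    for snapshot_id, info in audit(SAMPLE_RESPONSES).items():
        print(f"{snapshot_id}: {info['status']} (shared with {info['shared_with']})")
    for response in SAMPLE_RESPONSES:
        cmd = remediation_command(response)
        if cmd:
            print("remediate:", " ".join(cmd))
```

A snapshot shared with both "all" and specific accounts is still reported as public; the generated command strips only "all", which matches the CLI fix above and preserves legitimate cross-account shares.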

Recommendation:

Always monitor and review the permissions of your RDS snapshots to prevent them from becoming publicly accessible. If there's a need to share an RDS snapshot, share it with the specific AWS account IDs that require it rather than setting it to public access. Employ AWS Config rules or custom CloudWatch alarms to monitor and alert on any snapshot that is made public. Keeping your RDS snapshots private is crucial to preventing unauthorized data exposure and potential data breaches, thereby protecting your organization's data integrity and reputation.