Ensure EBS snapshots are not publicly accessible

Error: EBS snapshots are publicly accessible

Bridgecrew Policy ID: BC_AWS_PUBLIC_7
Severity: HIGH

EBS snapshots are publicly accessible

Description

EBS is a block storage service provided by AWS, used to store persistent data. Amazon EBS is suitable for EC2 instances by providing block-level storage volumes. There are three main varieties of volumes: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic. They differ in performance, characteristics, and cost. AWS enables creating multiple snapshots of these volumes. A Snapshot is basically an incremental backup created for the data stored in EBS volumes.

We recommend your EBS snapshots are not publicly accessible. Public AWS EBS snapshot means that data which is backed up in that particular snapshot is accessible to all other AWS accounts. This means the other person can not only access and copy your data but can also create a volume out of it.

Fix - Runtime

AWS Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Go to the Amazon EC2 dashboard.
  3. In the navigation panel, go to Elastic Block Store and select Snapshots.
  4. Select an EBS snapshot that you want to make private.
  5. Go to the Permissions tab from the dashboard bottom panel and click the Edit button to update the access permissions for the selected volume snapshot.
  6. Navigate to the Modify Permissions dialog box, within This snapshot is currently section, select Private then click Save. The selected snapshot permissions status should change to "This snapshot is currently Private.".

CLI Command

To encrypt an existing snapshot you will need to run the modify-snapshot-attribute command using a snapshot ID as identifier.

Then, you will need to update the permissions for creating volumes from the selected snapshot and make it private (a command that does not produce an output).

aws ec2 modify-snapshot-attribute
    --region us-east-1
    --snapshot-id snap-0ee33391e721cfe2f
    --attribute createVolumePermission
    --operation-type remove
    --group-names all

Did this page help you?