📝 AWS EBS Snapshot is publicly accessible 🟢

• Contextual name: 📝 EBS Snapshot is publicly accessible 🟢
• ID: /ce/ca/aws/ec2/ebs-snapshot-public
• Located in: 📁 AWS EC2

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• AWS Security Hub
  • [[EC2.1] Amazon EBS snapshots should not be publicly restorable]([EC2.1] Amazon EBS snapshots should not be publicly restorable (https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-1)]

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 AWS EBS Snapshot
  • 🔌 AWS EBS Snapshot - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that AWS EBS snapshots are not publicly accessible. By default, EBS snapshots are private and should remain so unless there is a specific, justified use case for sharing. Public access to snapshots is generally considered a security risk and is rarely appropriate.

Rational

When an EBS snapshot is marked as public, it becomes accessible to all AWS accounts, allowing any user to create volumes based on its data. If the snapshot contains confidential or sensitive information, this misconfiguration can result in unintended data exposure and potentially severe security breaches. In most cases, publicly sharing a snapshot is accidental or the result of a misunderstanding of the implications.

Audit

This policy flags an AWS EBS Snapshot as INCOMPLIANT if the Public Accessible field is set to Yes.

Remediation

Open File

Remediation

From Command Line

To revoke public access to an EBS snapshot, run the following command:

aws ec2 modify-snapshot-attribute \
    --snapshot-id {{snapshot-id}} \
    --attribute createVolumePermission \
    --operation-type remove \
    --group-names all

If you need to share the snapshot with specific AWS accounts (instead of making it public), you can grant access to individual account IDs using:

aws ec2 modify-snapshot-attribute \
    --snapshot-id {{snapshot-id}} \
    --attribute createVolumePermission \
    --operation-type add \
    --user-ids {{123456789012}} {{111122223333}}

Replace {{user-ids}} with the appropriate AWS account IDs.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.1] Amazon EBS snapshots should not be publicly restorable			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			79
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	67
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	36	79
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	46
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	56
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			8
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	48
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			8
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			28
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			8
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			22
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			67
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			33
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			67
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		64
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			46
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		56
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			8
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		42
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			8
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			28
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			118
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			137
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			48
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			91
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			117
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			97
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			111
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			69
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	37
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			14
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	68	89
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	46
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	49
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		8
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	50
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			8
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			28
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			14
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			22
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			23
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			8
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			22
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	35
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	19
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			19
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			6
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			19
💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components.			7
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			35
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			35
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			19
💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			7
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	35
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			35
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		7	19
💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			7