Skip to main content

๐Ÿ›ก๏ธ AWS EBS Snapshot is publicly accessible๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ EBS Snapshot is publicly accessible๐ŸŸข
  • ID: /ce/ca/aws/ec2/ebs-snapshot-public
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Descriptionโ€‹

Open File

Descriptionโ€‹

Ensure that AWS EBS snapshots are not publicly accessible. By default, EBS snapshots are private and should remain so unless there is a specific, justified use case for sharing. Public access to snapshots is generally considered a security risk and is rarely appropriate.

Rationaleโ€‹

When an EBS snapshot is marked as public, it becomes accessible to all AWS accounts, allowing any user to create volumes based on its data. If the snapshot contains confidential or sensitive information, this misconfiguration can result in unintended data exposure and potentially severe security breaches. In most cases, publicly sharing a snapshot is accidental or the result of a misunderstanding of the implications.

Auditโ€‹

This policy flags an AWS EBS Snapshot as INCOMPLIANT if the Public Accessible field is set to Yes.

Remediationโ€‹

Open File

Remediationโ€‹

From Command Lineโ€‹

To revoke public access to an EBS snapshot, run the following command:

aws ec2 modify-snapshot-attribute \
    --snapshot-id {{snapshot-id}} \
    --attribute createVolumePermission \
    --operation-type remove \
    --group-names all

If you need to share the snapshot with specific AWS accounts (instead of making it public), you can grant access to individual account IDs using:

aws ec2 modify-snapshot-attribute \
    --snapshot-id {{snapshot-id}} \
    --attribute createVolumePermission \
    --operation-type add \
    --user-ids {{user-id-1}} {{user-id-2}}

Replace {{user-id-1}} and {{user-id-2}} with the appropriate AWS account IDs.

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ AWS Foundational Security Best Practices v1.0.0 โ†’ ๐Ÿ’ผ [EC2.1] Amazon EBS snapshots should not be publicly restorable1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Public and Anonymous Access116no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-3 Access Enforcement (L)(M)(H)3784no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)237105no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1163no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-6 Least Privilege (M)(H)81179no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-21 Information Sharing (M)(H)19no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)10884no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(3) Access Points (M)(H)19no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)49no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(20) Dynamic Isolation and Segregation (H)20no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(21) Isolation of System Components (H)37no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ AC-3 Access Enforcement (L)(M)(H)84no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)49no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-3 Access Enforcement (L)(M)(H)84no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)189no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)63no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-6 Least Privilege (M)(H)679no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-21 Information Sharing (M)(H)19no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)768no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(3) Access Points (M)(H)19no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)49no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events180no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events181no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained89no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties133no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected187no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected160no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected184no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.IR-01: Networks and environments are protected from unauthorized logical access and usage123no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-3 Access Enforcement15559no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-3(7) Access Enforcement _ Role-based Access Control31no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement3269123no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3763no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-6 Least Privilege102372no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-21 Information Sharing219no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7 Boundary Protection29493no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(3) Boundary Protection _ Access Points19no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(4) Boundary Protection _ External Telecommunications Services49no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic34no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic37no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(16) Boundary Protection _ Prevent Discovery of System Components37no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation20no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(21) Boundary Protection _ Isolation of System Components37no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1065no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.628no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.28no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.15no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.5 Permit only โ€œestablishedโ€ connections into the network.28no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 7.2.1 Coverage of all system components.11no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.65no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.65no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.28no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.11no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.765no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.65no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.728no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.11no data