Skip to main content

๐Ÿ›ก๏ธ AWS RDS Snapshot is publicly accessible๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Snapshot is publicly accessible๐ŸŸข
  • ID: /ce/ca/aws/rds/snapshot-publicly-accessible
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-b33429051

Descriptionโ€‹

Open File

Descriptionโ€‹

Ensure that your AWS Relational Database Service (RDS) database snapshots are not publicly accessible (i.e., shared with all AWS accounts and users) to protect your private data.

Rationaleโ€‹

RDS snapshots contain both the data and configurations of your database instances. If these snapshots are publicly accessible, unauthorized users can access sensitive information, leading to data breaches and other security issues. Keeping RDS snapshots private helps maintain the confidentiality and integrity of your data.

Publicly sharing an AWS RDS database snapshot grants another AWS account permission to copy the snapshot and create database instances from it. It is strongly recommended not to share your database snapshots with all AWS accounts. If necessary, you can share your RDS snapshots with specific AWS accounts without making them public.

Auditโ€‹

This policy marks an AWS RDS snapshot as INCOMPLIANT if the snapshot type is public or if the snapshot's restore attribute is set to all.

An AWS RDS snapshot is marked as INAPPLICABLE when:

... see more

Remediationโ€‹

Open File

Remediationโ€‹

Case A: Make a snapshot private (accessible only by a current AWS Account)โ€‹

From Consoleโ€‹
  • Log in to the AWS management console and navigate to the RDS dashboard at https://console.aws.amazon.com/rds/.
  • In the left navigation panel, click on Snapshots.
  • Select Manual Snapshots from the Filter dropdown menu to display only manual database snapshots.
  • Select the RDS snapshot that you want to make private.
  • Click Snapshot Actions button from the dashboard top menu and select Share Snapshot option.
  • On the Manage Snapshot Permissions page, select Private next to DB Snapshot Visibility to make the selected snapshot accessible only from the current AWS account. Click Save to apply the changes.
  • Repeat steps no. 5 โ€“ 7 to restrict public access to other RDS database snapshots created within the current region.
  • Change the AWS region from the navigation bar and repeat the audit process for other regions.
From Command Lineโ€‹
  • Run modify-db-snapshot-attribute command (OSX/Linux/UNIX) using the snapshot name as --db-snapshot-identifier to remove the permissions for restoring database instances from the selected snapshot and make it private:

... see more

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ AWS Foundational Security Best Practices v1.0.0 โ†’ ๐Ÿ’ผ [RDS.1] RDS snapshot should be private11no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Public and Anonymous Access114no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-3 Access Enforcement (L)(M)(H)3782no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)237101no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1160no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-6 Least Privilege (M)(H)81174no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-21 Information Sharing (M)(H)18no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SA-9(5) Processing, Storage, and Service Location (M)(H)1no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)10879no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(3) Access Points (M)(H)18no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)46no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(20) Dynamic Isolation and Segregation (H)18no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(21) Isolation of System Components (H)35no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ AC-3 Access Enforcement (L)(M)(H)82no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)47no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-3 Access Enforcement (L)(M)(H)82no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)185no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)60no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-6 Least Privilege (M)(H)674no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-21 Information Sharing (M)(H)18no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SA-9(5) Processing, Storage, and Service Location (M)(H)1no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)765no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(3) Access Points (M)(H)18no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)46no data
๐Ÿ’ผ GDPR โ†’ ๐Ÿ’ผ Art. 25 Data protection by design and by default1010no data
๐Ÿ’ผ GDPR โ†’ ๐Ÿ’ผ Art. 46 Transfers subject to appropriate safeguards22no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.9.4.1 Information access restriction1920no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-5: Protections against data leaks are implemented4791no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events170no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events170no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained86no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties131no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected180no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected156no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected176no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.IR-01: Networks and environments are protected from unauthorized logical access and usage119no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-3 Access Enforcement15557no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-3(7) Access Enforcement _ Role-based Access Control29no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement3269116no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3760no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-6 Least Privilege102367no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-21 Information Sharing218no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SA-9(5) External System Services _ Processing, Storage, and Service Location11no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7 Boundary Protection29486no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(3) Boundary Protection _ Access Points18no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(4) Boundary Protection _ External Telecommunications Services46no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic29no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic35no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(16) Boundary Protection _ Prevent Discovery of System Components36no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation18no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(21) Boundary Protection _ Isolation of System Components35no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1 Establish and implement firewall and router configuration standards7139no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1063no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7841no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.627no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.27no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.14no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.5 Permit only โ€œestablishedโ€ connections into the network.27no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.14no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 7.2.1 Coverage of all system components.11no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.63no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.63no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.19no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.14no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.11no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.763no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.63no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.719no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.727no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.14no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.11no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.1-6 Manages Points of Access57no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC6.6-1 Restricts Access1619no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 1.2 Prevent access to the administrative interface from the internet3638no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 2.1.5 Ensure users are authenticated before allowing them access to organizational data or services44no data