
Amazon EBS snapshots should not be public

Severity: Critical

Resource Types: AWS::EBS::Snapshot

Description: This control checks whether Amazon Elastic Block Store (EBS) snapshots are not public. The control fails if an EBS snapshot is restorable by anyone, that is, if it is shared with all AWS accounts. EBS snapshots back up the data on your EBS volumes to Amazon S3 at a specific point in time, and you can use them to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically, the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional.

Remediation: To make a public EBS snapshot private

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Elastic Block Store, choose Snapshots, and then choose your public snapshot.
3. From Actions, choose Modify permissions.
4. Choose Private.
5. (Optional) Add the AWS account numbers of the authorized accounts to share your snapshot with, and choose Add Permission.
6. Choose Save.
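The check the control performs and the console remediation above can both be scripted against the EC2 API. The following is an added example, not code from this control page or from AWS: it evaluates the createVolumePermission attribute of each snapshot owned by the calling account (an entry granting the group "all" is what makes a snapshot restorable by anyone), and removes that grant while leaving any account-specific shares in place. The live functions assume boto3 and credentials with ec2:DescribeSnapshots, ec2:DescribeSnapshotAttribute and ec2:ModifySnapshotAttribute; the FakeEC2 class and the SAMPLE snapshot IDs are constructed stand-ins so the logic can be exercised offline.

```python
"""Audit and remediate publicly restorable EBS snapshots (added example)."""


def classify_permissions(permissions):
    """Classify a CreateVolumePermissions list from describe_snapshot_attribute.

    Returns (status, shared_accounts): status is "public" if any entry grants
    the group "all" (anyone can restore the snapshot), "shared" if only
    specific account IDs are listed, and "private" if the list is empty.
    """
    shared_accounts = sorted(p["UserId"] for p in permissions if "UserId" in p)
    if any(p.get("Group") == "all" for p in permissions):
        return "public", shared_accounts
    if shared_accounts:
        return "shared", shared_accounts
    return "private", []


def audit_snapshots(ec2):
    """Yield (snapshot_id, status, shared_accounts) for every snapshot the account owns."""
    paginator = ec2.get_paginator("describe_snapshots")
    for page in paginator.paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            resp = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"
            )
            status, accounts = classify_permissions(resp["CreateVolumePermissions"])
            yield snap["SnapshotId"], status, accounts


def make_private(ec2, snapshot_id, share_with=()):
    """Remove the public grant (group "all"); optionally share with specific accounts."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=["all"],
    )
    if share_with:  # the optional step of the console remediation
        ec2.modify_snapshot_attribute(
            SnapshotId=snapshot_id, Attribute="createVolumePermission",
            OperationType="add", UserIds=list(share_with),
        )


def remediate_public(ec2, dry_run=True):
    """Return the IDs of public snapshots; make them private unless dry_run."""
    fixed = []
    for snapshot_id, status, _accounts in list(audit_snapshots(ec2)):
        if status == "public":
            if not dry_run:
                make_private(ec2, snapshot_id)
            fixed.append(snapshot_id)
    return fixed


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the example runs offline.

    Holds one CreateVolumePermissions list per snapshot ID and mimics the three
    API calls used above with the same keyword arguments.
    """

    def __init__(self, permissions_by_id):
        self.perms = {sid: list(p) for sid, p in permissions_by_id.items()}

    def get_paginator(self, operation_name):
        assert operation_name == "describe_snapshots"
        snapshots = [{"SnapshotId": sid} for sid in self.perms]

        class _Paginator:
            def paginate(self, OwnerIds):
                yield {"Snapshots": snapshots}

        return _Paginator()

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType,
                                  GroupNames=(), UserIds=()):
        perms = self.perms[SnapshotId]
        if OperationType == "remove":
            perms[:] = [p for p in perms
                        if p.get("Group") not in GroupNames
                        and p.get("UserId") not in UserIds]
        else:
            perms.extend({"Group": g} for g in GroupNames)
            perms.extend({"UserId": u} for u in UserIds)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


# Constructed sample data: one public, one account-shared, one private snapshot.
SAMPLE = {
    "snap-0aaa111public0001": [{"Group": "all"}, {"UserId": "111122223333"}],
    "snap-0bbb222shared0002": [{"UserId": "111122223333"}],
    "snap-0ccc333private003": [],
}

if __name__ == "__main__":
    import boto3  # only needed for a live run against your account
    client = boto3.client("ec2")
    for snapshot_id, status, accounts in audit_snapshots(client):
        print(snapshot_id, status, accounts)
    print("public snapshots (dry run):", remediate_public(client, dry_run=True))
```

Run the script as-is to list every owned snapshot with its sharing status; pass dry_run=False to remediate_public only after reviewing the dry-run list, since removing the public grant is immediate. Removing the group "all" entry does not touch account-specific UserId entries, so shares that were deliberately set up survive the fix.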