Control: 2.2.2 Ensure public access to EBS Snapshots is disabled
Description
To protect your data, disable the public mode of EBS snapshots.
This keeps your data from being accessible to all AWS accounts, preventing accidental access and leaks.
Remediation
Perform the following to set a snapshot to private:
From Console:
- Log in to the EC2 console at https://console.aws.amazon.com/ec2/.
- In the left pane, click Snapshots.
- Select the snapshot, then click Actions, Modify Permissions.
- Click the radio button for Private.
- Click Save.
- Repeat for any additional Snapshots, Regions and AWS accounts.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_2_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_2_2 --share
SQL
This control uses a named query:
select
  'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id as resource,
  case
    when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then 'alarm'
    else 'ok'
  end as status,
  case
    when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then title || ' is publicly restorable.'
    else title || ' is not publicly restorable.'
  end as reason,
  region,
  account_id
from
  aws_ebs_snapshot;
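The same check re-implemented in Python, as an added example that is not part of the Powerpipe mod or Steampipe: it evaluates createVolumePermission records in the shape EC2 DescribeSnapshotAttribute returns, builds the same resource ARN and alarm/ok row as the named query, and runs offline over constructed sample snapshots (the snapshot IDs and account numbers are placeholders).

```python
# Added example (not Powerpipe's or Steampipe's code): re-implements the
# control's predicate over createVolumePermission entries so it can be run
# and unit-tested offline against constructed data.
from typing import Any


def is_publicly_restorable(create_volume_permissions: list[dict[str, Any]]) -> bool:
    """True when any entry grants createVolumePermission to the group 'all'.

    Mirrors the SQL predicate
        create_volume_permissions @> '[{"Group": "all", "UserId": null}]'
    A snapshot shared only with specific account IDs (UserId set, no Group)
    is cross-account shared but not public, so it is reported as ok here too.
    """
    return any(p.get("Group") == "all" for p in create_volume_permissions)


def evaluate_snapshot(snapshot: dict[str, Any]) -> dict[str, str]:
    """Produce the resource/status/reason/region/account_id row the query emits."""
    arn = (
        f"arn:{snapshot['partition']}:ec2:{snapshot['region']}:"
        f"{snapshot['account_id']}:snapshot/{snapshot['snapshot_id']}"
    )
    public = is_publicly_restorable(snapshot.get("create_volume_permissions", []))
    return {
        "resource": arn,
        "status": "alarm" if public else "ok",
        "reason": f"{snapshot['title']} is{'' if public else ' not'} publicly restorable.",
        "region": snapshot["region"],
        "account_id": snapshot["account_id"],
    }


# Constructed sample records (placeholder IDs and account numbers).
SAMPLE_SNAPSHOTS = [
    {"partition": "aws", "region": "us-east-1", "account_id": "111111111111",
     "snapshot_id": "snap-0public0000000001", "title": "snap-0public0000000001",
     "create_volume_permissions": [{"Group": "all", "UserId": None}]},
    {"partition": "aws", "region": "us-east-1", "account_id": "111111111111",
     "snapshot_id": "snap-0shared0000000002", "title": "snap-0shared0000000002",
     "create_volume_permissions": [{"Group": None, "UserId": "222222222222"}]},
    {"partition": "aws", "region": "eu-west-1", "account_id": "111111111111",
     "snapshot_id": "snap-0private000000003", "title": "snap-0private000000003",
     "create_volume_permissions": []},
]


def run_control(snapshots=SAMPLE_SNAPSHOTS) -> list[dict[str, str]]:
    """Evaluate every snapshot record; one result row per snapshot."""
    return [evaluate_snapshot(s) for s in snapshots]


if __name__ == "__main__":
    for row in run_control():
        print(f"{row['status']:5} {row['resource']}: {row['reason']}")
```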