AWS RDS cluster snapshots should not be visible to public


You should take some security measures related to your AWS RDS cluster snapshots to ensure that your data stored in RDS clusters is not under any security risk.

Why AWS RDS cluster snapshots should not be in public?

As discussed earlier, a database (DB) cluster consists of one more relational databases.

RDS cluster snapshot takes the backup of the entire database cluster instead of backing up just the single database. It is recommended that your RDS cluster snapshots should not be public. In other words, this is to prevent potential leak or misuse of sensitive data. Above all, keeping your snapshots private is your first step towards “shared responsibility” for your cloud.

If your RDS snapshot is public, then the data which is backed up in that snapshot is accessible to all other AWS accounts. Other AWS users can not only access and copy your data but can also create a new volume out of it.

Centilytics help you maintain the privacy of your RDS clusters

Centilytics lists down all your RDS cluster public snapshots in your cloud infrastructure. This allows you to identify the snapshots that need to be made private. As a result, you can keep your RDS clusters secure and protect sensitive data.

Insight descriptions:

There can be 2 possible scenarios:

Severity Description
OK If RDS cluster snapshot is private and cannot be accessed by any other AWS account without permission, then there will be a green indication corresponding to that snapshot.
CRITICAL If a snapshot is marked public and can be accessed by other AWS accounts, then there will be a red indication corresponding to that snapshot.


Description of further columns are as follows:

1.Account Id: This column shows the respective account ID of the user’s account.AWS RDS 3

  1. Account Name: This column shows the corresponding account name to the user’s account.AWS RDS 9
  2. Region: This column shows the region in which the corresponding snapshot exists.AWS RDS 6
  3. DB cluster snapshot: This column shows the name of the cluster snapshot.AWS RDS 355
  4. DB instance identifier: This column shows the name of the database instance.AWS RDS 7
  5. Identifier: This column shows the unique ARN or the Amazon Resource Number of your instance. ARN is defined as a unique file naming convention which is used to identify and differentiate between multiple resources across AWS.AWS RDS 4

Filters applicable:

Filter Name Description
Account Id Applying the account Id filter will display data for the selected account Id.
Region Applying the region filter will display data according to the selected region.
Severity Applying severity filter will display data according to the selected severity type. Therefore, selecting critical will display all resources with critical severity. Similarly, if you select Warning and Ok severity types, you will get resources accordingly.
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g., A user has tagged some public snapshots by a resource tag named environment. Then selecting an environment from the resource tags filter will display all those resources with the tag name environment.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production).

Hence, the user can view data of all the resources which have “environment:production” tag assigned. The user can use the tag value filter only when a tag name has been provided.


Compliances covered:

Compliance Name Reference No. Link
Trusted Advisor


In conclusion, not your databases and data need to be secure, keeping your backups safe and private is equally important.

Read more about sharing a DB cluster snapshot here.


Please enter your comment!
Please enter your name here