AWS RDS public snapshots – A major threat to your cloud security

AWS RDS Public Snapshots - Cloud Security

Cloud security is one of the most crucial aspects of cloud computing. Organizations want their cloud infrastructure to attain maximum security which will allow them to deploy their data, resources and focus on their business rather than getting worried about security threats. RDS is the relational database service provided by AWS and it is the need of the hour to make sure that your database is safe from any kind of potential security attack.

What is AWS RDS snapshot?

Amazon RDS (Relational Database Service) provides various utilities to their users. One of them is the provision of creating multiple snapshots of your relational database. Snapshots are basically the backup of your instances created and stored in AWS S3 for the recovery purpose of the data. RDS creates a storage volume snapshot of your DB instance and backs up the entire DB instance instead of taking backup of just individual databases.

Why are public RDS snapshots a major threat to your cloud security?

It is recommended that your RDS snapshots should not be public in order to prevent potential leak or misuse of sensitive data or any other kind of security threat.

If your RDS snapshot is public, then the data which is backed up in that snapshot is accessible to all other AWS accounts. Other AWS users can not only access and copy your data but can also create a volume out of it. There might be a situation where you can have numerous snapshots created in your cloud infrastructure and you might be unaware of any public snapshot which may contain any sensitive information which is not supposed to be shared.

Centilytics comes into the picture

Centilytics lists down all your RDS public snapshots in your cloud infrastructure and allows the user to analyze and act against them from the AWS console.

Insight descriptions:

There can be 2 possible scenarios:

Severity Description
 OK If RDS snapshot is private and cannot be accessed by any other AWS account without permission, then there will be a green indication corresponding to that RDS snapshot.
AWS EBS PUBLIC SNAPSHOTCRITICAL If a snapshot is marked public and can be accessed by other AWS accounts, then there will be a red indication corresponding to that RDS snapshot.

 

Description of further columns are as follows:

1.Account Id: Shows the respective account ID of user’s account.AWS RDS public snapshots-SS1

  1. Account Name: Shows corresponding account name to the user’s account.AWS RDS public snapshots-SS2
  2. Region: Shows the region in which the corresponding snapshot exists.AWS RDS public snapshots-SS4
  3. DB Snapshot Identifier: Shows the corresponding name of the snapshot.AWS RDS public snapshots-SS6
  4. DB Instance Identifier: Shows the corresponding database instance name.AWS RDS public snapshots-SS3
  5. Identifier: This column shows the unique ARN or Amazon Resource Name corresponding to the resource. ARN is defined as a unique file naming convention which is used to identify and differentiate between multiple resources across AWS.AWS RDS public snapshots-SS5

Filters applicable:

Filter Name Description
Account Id Applying the account Id filter will display data for the selected account Id.
Region Applying the region filter will display data according to the selected region.
Severity Applying severity filter will display data according to the selected severity type i.e. selecting critical will display all resources with critical severity. Same will be the case for warning and OK severity types
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g., A user has tagged some public snapshots by a resource tag named environment. Then selecting an environment from the resource tags filter will display all those resources tagged by the tag name environment.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production). Hence, the user can view data of all the resources which have “environment:production” tag assigned. The user can use the tag value filter only when a tag name has been provided.

 

Compliances covered:

Compliance Name Reference No. Link
Trusted Advisor https://console.aws.amazon.com/trustedadvisor/home?#/category/security

 

Read More:

[1] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

[2] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html

LEAVE A REPLY

Please enter your comment!
Please enter your name here