Why should AWS EBS snapshots not be public?

AWS EBS public snapshots

Most organizations treat security as a primary concern for their cloud environment. Users want assurance that their cloud infrastructure is secure enough to host the bulk of their resources without worrying about the safety of their data. Centilytics helps your cloud infrastructure reach that level of security and recommends practices for your EBS snapshots that protect the data stored in your EBS volumes.

What is an EBS snapshot?

EBS is a block storage service provided by AWS that is used to store persistent data. Amazon EBS serves EC2 instances by providing block-level storage volumes. There are mainly three varieties of volumes: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic, which differ in performance characteristics and cost. AWS lets you create multiple snapshots of these volumes. A snapshot is an incremental backup of the data stored in an EBS volume.

How do EBS snapshots work?

EBS snapshots are stored in Amazon S3. Only the unique blocks of EBS volume data that have changed since the last stored snapshot are saved in the next snapshot.

Why are public EBS snapshots a major threat to your cloud security?

It is recommended that EBS snapshots not be made public. A public EBS snapshot means that the data backed up in that snapshot is accessible to every other AWS account. Another party can not only read and copy your data but can also create a volume from it, which can lead to misuse of your sensitive data. In an environment with numerous snapshots, you may not even be aware that one of them is public and contains sensitive information that was never meant to be shared.

Centilytics comes into play

This is where our cloud management platform comes to your rescue. Centilytics lists all the public snapshots in your cloud infrastructure, allowing you to analyze them and act on them from your AWS console.
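The check the insight performs can also be reproduced directly against the EC2 API. The following is an added example, not Centilytics code: a snapshot is public when its createVolumePermission attribute grants the group "all", and the same attribute is what you modify to revoke that grant. The snapshot IDs and account ID in the sample data are constructed placeholders, and audit_account assumes boto3 and valid AWS credentials.

```python
"""Flag EBS snapshots shared publicly and build the remediation call.

Added example (not Centilytics code). A snapshot is public when its
createVolumePermission attribute contains the group "all"; the dict shapes
below follow the DescribeSnapshotAttribute / ModifySnapshotAttribute APIs.
"""

def is_public(create_volume_permissions):
    """True if the createVolumePermission list grants the group 'all'."""
    return any(p.get("Group") == "all" for p in create_volume_permissions)

def shared_account_ids(create_volume_permissions):
    """Account IDs the snapshot is shared with directly (not a public grant)."""
    return sorted(p["UserId"] for p in create_volume_permissions if "UserId" in p)

def audit(snapshot_attrs):
    """snapshot_attrs: {snapshot_id: createVolumePermission list}.
    Returns one CRITICAL finding per public snapshot, mirroring the insight."""
    return [{"Identifier": s, "Severity": "CRITICAL"}
            for s, perms in snapshot_attrs.items() if is_public(perms)]

def make_private_params(snapshot_id):
    """Arguments for ec2.modify_snapshot_attribute that revoke the public grant."""
    return {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission",
            "OperationType": "remove", "GroupNames": ["all"]}

def audit_account(region_name):
    """Live variant: audits the account's own snapshots (needs AWS credentials)."""
    import boto3  # imported lazily so the pure functions above run offline
    ec2 = boto2 = boto3.client("ec2", region_name=region_name)
    attrs = {}
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            resp = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            attrs[snap["SnapshotId"]] = resp["CreateVolumePermissions"]
    return audit(attrs)

# Constructed sample attribute responses (placeholder snapshot IDs, not real ones).
SAMPLE_ATTRS = {
    "snap-0example1": [{"Group": "all"}],             # public: any account can copy it
    "snap-0example2": [{"UserId": "111122223333"}],   # shared with one account only
    "snap-0example3": [],                             # private
}
```

Run audit(SAMPLE_ATTRS) to see the single CRITICAL finding; pass make_private_params(...) as keyword arguments to ec2.modify_snapshot_attribute to remove the public grant from a live snapshot.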

Insight descriptions

Severity    Description
CRITICAL    If a snapshot is marked public, it is displayed in this insight.

The remaining columns are described as follows:

  1. Account Id: Shows the AWS account ID of the user's account.
  2. Account Name: Shows the account name corresponding to the user's account.
  3. Region: Shows the region in which the corresponding snapshot exists.
  4. Identifier: Shows the unique snapshot ID of the snapshot.
  5. Description: Shows the description of the snapshot given by the user.

Compliances covered

Compliance Name    Reference No.    Link
Trusted Advisor                     https://console.aws.amazon.com/trustedadvisor/home?#/category/security


Filters applicable

Filter Name          Description
Account Id:          Applying the account ID filter displays all the public snapshots for the selected account ID.
Region:              Applying the region filter displays all the public snapshots in the selected region.
Severity:            Applying the severity filter displays public snapshots of the selected severity type, i.e. selecting Critical displays all snapshots with critical severity. The same applies to the Warning and Ok severity types.
Resource Tags:       Applying the resource tags filter displays those public snapshots that have been assigned the selected resource tag. For example, if the user has tagged some public snapshots with a resource tag named "environment", then selecting "environment" in the resource tags filter displays all those snapshots.
Resource Tags Value: Applying the resource tags value filter displays the data that carries the selected resource tag value. For example, if a user has tagged some resources with a tag named "environment" and given it the value "production" (key:value pair = environment:production), the user can then view data for all the resources tagged environment:production. The tag value filter can be used only once a tag name has been provided.


Read More:

[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html