
Rule: EBS snapshots should not be publicly restorable

This rule ensures that EBS snapshots are not publicly restorable for security reasons.

Rule: EBS snapshots should not be publicly restorable
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule: EBS Snapshots Should Not Be Publicly Restorable for FedRAMP Low Revision 4

Description

FedRAMP (Federal Risk and Authorization Management Program) Low Impact Level requirements stipulate that baseline security controls are in place for federal information systems. For Amazon Web Services (AWS) Elastic Block Store (EBS) snapshots, making a snapshot publicly restorable is a security risk: any AWS account can create a volume from a public snapshot and read the data it contains.

Under this rule, organizations are required to ensure that EBS snapshots are not publicly restorable. Snapshots should be kept private, or shared only with specific authorized AWS accounts, to prevent data exposure.

Troubleshooting Steps

If a snapshot is found to be publicly accessible, follow these steps to remedy the situation:

Step 1: Identify Public Snapshots

To find publicly available snapshots using the AWS Management Console:

  1. Go to the Amazon EC2 console.
  2. In the navigation pane, under Elastic Block Store, click Snapshots.
  3. In the filter menu, search for Public Snapshots.
  4. Review the list of snapshots that are publicly available.

Step 2: Change Snapshot Permissions

To modify the permissions of a public snapshot:

  1. Select the snapshot to change.
  2. Click Actions, then Modify Permissions.
  3. In the Modify Permissions dialog, select Private and remove any public access.
  4. If necessary, add the specific AWS account numbers that need access to this snapshot.
  5. Click Save.

Step 3: Automate Remediation with AWS CLI

The following CLI command removes the "all" group from the snapshot's createVolumePermission attribute, which makes the snapshot private:

```shell
aws ec2 modify-snapshot-attribute \
  --snapshot-id snap-1234567890abcdef0 \
  --attribute createVolumePermission \
  --operation-type remove \
  --group-names all \
  --region <your-region>
```

Replace `snap-1234567890abcdef0` with your snapshot ID and `<your-region>` with the appropriate AWS region.

Remediation Guide

  1. Review Account IAM Policies: Audit your IAM policies to ensure least privilege access is being adhered to. Users should not have permission to make snapshots public unless absolutely necessary.

  2. Snapshot Lifecycle Policies: Implement lifecycle policies that define the creation, retention, and deletion of snapshots to manage them effectively.

  3. Regular Audits:

     • Perform regular audits on your EBS snapshots using AWS Config or a similar tool to ensure compliance.
     • Use AWS Trusted Advisor for best-practice recommendations and adherence to security guidelines like FedRAMP.

  4. Enable CloudTrail Logging:

     • Ensure that AWS CloudTrail logging is enabled for all API calls, including ModifySnapshotAttribute. This will help in tracking changes made to snapshot permissions.

  5. Educate Users: Conduct training sessions for all users handling AWS services to make them aware of the security implications tied to EBS snapshots.

  6. Implement Monitoring and Alerts:

     • Use Amazon CloudWatch or third-party tools to set up alerts when a snapshot's permissions are changed.
     • AWS CloudTrail can be integrated with Amazon CloudWatch Logs to create metric filters and alarms that monitor for, and notify on, specific API calls such as ModifySnapshotAttribute.
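The check behind this rule and the alert from item 6, as an added example that is not part of the original page or Cloud Defense's own code: it evaluates a describe-snapshot-attribute response for the "all" group, builds the same remove request the CLI command in Step 3 issues (in boto3 parameter form), and flags CloudTrail ModifySnapshotAttribute records that added public access. The response and event records are constructed samples shaped like the AWS API and CloudTrail output; the example makes no network calls.

```python
# Constructed sample in the shape of `ec2 describe-snapshot-attribute
# --attribute createVolumePermission` (assumed AWS API shape, not page content).
SAMPLE_ATTRIBUTE_RESPONSE = {
    "SnapshotId": "snap-1234567890abcdef0",
    "CreateVolumePermissions": [{"Group": "all"}, {"UserId": "111122223333"}],
}

# Constructed CloudTrail records trimmed to the fields used here.
SAMPLE_CLOUDTRAIL_EVENTS = [
    {"eventName": "ModifySnapshotAttribute",
     "requestParameters": {"snapshotId": "snap-1234567890abcdef0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventName": "ModifySnapshotAttribute",  # sharing with one account: not public
     "requestParameters": {"snapshotId": "snap-0abc0abc0abc0abc0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "444455556666"}]}}}},
    {"eventName": "CreateSnapshot", "requestParameters": {"volumeId": "vol-0123456789abcdef0"}},
]


def is_publicly_restorable(attr_response):
    """True when createVolumePermission grants the 'all' group (anyone can restore)."""
    perms = attr_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def build_remediation_request(attr_response):
    """boto3 modify_snapshot_attribute kwargs equivalent to the CLI command above.

    Returns None when the snapshot is already private so callers do not issue
    a no-op API call. Account-level (UserId) shares are left untouched.
    """
    if not is_publicly_restorable(attr_response):
        return None
    return {
        "SnapshotId": attr_response["SnapshotId"],
        "Attribute": "createVolumePermission",
        "OperationType": "remove",
        "GroupNames": ["all"],
    }


def find_public_share_events(events):
    """Snapshot IDs from ModifySnapshotAttribute events that added group 'all'."""
    hits = []
    for event in events:
        if event.get("eventName") != "ModifySnapshotAttribute":
            continue
        params = event.get("requestParameters", {})
        added = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        if any(item.get("group") == "all" for item in added):
            hits.append(params.get("snapshotId"))
    return hits
```

To apply the remediation, pass the returned dict to `boto3.client("ec2").modify_snapshot_attribute(**request)`; the event filter is the logic a CloudWatch Logs metric filter on the CloudTrail log group would express.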

By following these steps and ensuring continuous monitoring and education, organizations can maintain compliance with FedRAMP Low Revision 4's requirement regarding EBS snapshots. Remember to regularly review these practices as both technology and compliance regulations evolve.
