
Amazon EBS Snapshots Should Not Be Publicly Restorable Rule

This rule states that Amazon EBS snapshots should not be publicly restorable, as required for PCI compliance in an EC2 environment.

Rule: Amazon EBS snapshots should not be publicly restorable
Framework: PCI v3.2.1
Severity: Critical

Rule Description

To comply with PCI v3 requirements, Amazon EBS snapshots should not be publicly restorable. This means that only authorized users and accounts should have the ability to restore EBS snapshots.

Reason for the Rule

The rule is implemented to ensure the security and confidentiality of sensitive data stored in Amazon EBS snapshots. A publicly restorable snapshot can be used by any AWS account to create a volume, so its entire contents can be read by unauthorized individuals or entities.

Troubleshooting Steps

If EBS snapshots are found to be publicly restorable, follow the troubleshooting steps below to address the issue:

  1. Identify the publicly restorable snapshots:

     • Use the AWS Management Console, AWS CLI, or AWS SDKs to list all EBS snapshots within your account.

  2. Determine the affected snapshots:

     • Identify the snapshots that have the "Public" attribute set to true (in the API, snapshots whose createVolumePermission attribute includes the group "all").

  3. Ensure secure access to EBS snapshots:

     • Review the IAM policies and permissions to ensure that only authorized users and accounts have the ability to restore snapshots.
     • Verify that each snapshot's createVolumePermission attribute lists only the intended AWS account IDs.

  4. Update snapshot permissions:

     • Modify the permissions for the affected snapshots to remove public access.

Necessary Codes

The following AWS CLI command removes public access from an EBS snapshot by revoking the "all" group's permission to create volumes from it:

aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission --operation-type remove --group-names all

  • Replace <snapshot-id> with the ID of the EBS snapshot that needs to be modified.
  • The only value accepted by --group-names is all; using --operation-type add with it would make the snapshot public, which is the condition this rule flags.
  • To share the snapshot with a specific AWS account instead, use --operation-type add with --user-ids <account-id> rather than --group-names; existing account-level shares are not affected by removing the "all" group.

Step-by-Step Guide for Remediation

Follow the step-by-step guide below to remediate the issue of publicly restorable Amazon EBS snapshots:

  1. Log in to your AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Choose "Snapshots" from the left-hand menu.

  4. Identify the snapshots that are publicly restorable:

     • Look for the "Public" attribute in the snapshot list. If any snapshots have this attribute set to true, they are publicly restorable.

  5. Update the snapshot permissions:

     • Select the publicly restorable snapshot(s) by checking the corresponding checkbox(es).
     • Click on the "Actions" button at the top of the snapshot list.
     • Choose "Modify Permissions" from the dropdown menu.

  6. Modify the permissions for the snapshot(s):

     • In the "Modify Permissions" dialog box, select "Private" or "AWS Account" to restrict access to the snapshot.
     • Enter the appropriate AWS account ID or group name for authorized access.
     • Click on the "Add Permission" button.

  7. Verify the changes:

     • Confirm that the "Public" attribute for the affected snapshot(s) has been set to false.

  8. Repeat the process for any other publicly restorable EBS snapshots identified in step 4.

By following these steps, you can ensure that your Amazon EBS snapshots are not publicly restorable, thereby complying with PCI v3 requirements.
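The troubleshooting steps and the remediation guide above both come down to the same check: a snapshot is publicly restorable exactly when its createVolumePermission attribute contains the group "all". The script below is an added example, not Cloud Defense's code or an AWS tool. It works on the JSON shape returned by `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`, sorts snapshots into public, shared-with-specific-accounts, and private, emits the remove command for each public one, and shows what the attribute should look like afterwards so step 7 (verification) can be checked by re-running the same test. The snapshot IDs, account IDs and responses are constructed; no AWS API call is made.

```python
"""Triage helper for the "EBS snapshots should not be publicly restorable" rule.

Added example (not Cloud Defense's or AWS's code). Input is the JSON that
`aws ec2 describe-snapshot-attribute --attribute createVolumePermission`
returns: a CreateVolumePermissions list whose entries carry either
{"Group": "all"} (public) or {"UserId": "<account-id>"} (shared with one account).
All responses below are constructed sample data.
"""

# Constructed sample responses, one per snapshot owned by the account.
SAMPLE_RESPONSES = [
    {   # publicly restorable: any AWS account may create a volume from it
        "SnapshotId": "snap-0a1b2c3d4e5f67890",
        "CreateVolumePermissions": [{"Group": "all"}],
    },
    {   # public AND explicitly shared with one partner account
        "SnapshotId": "snap-0123456789abcdef0",
        "CreateVolumePermissions": [{"UserId": "111111111111"}, {"Group": "all"}],
    },
    {   # shared with two specific accounts only: not public, but worth reviewing
        "SnapshotId": "snap-0fedcba9876543210",
        "CreateVolumePermissions": [{"UserId": "222222222222"}, {"UserId": "111111111111"}],
    },
    {   # private: no other account can restore it
        "SnapshotId": "snap-0ffffffffffffffff",
        "CreateVolumePermissions": [],
    },
]


def is_public(response):
    """True when the createVolumePermission attribute grants the 'all' group."""
    return any(p.get("Group") == "all"
               for p in response.get("CreateVolumePermissions", []))


def shared_with(response):
    """Sorted account IDs the snapshot is explicitly shared with (public grant excluded)."""
    return sorted(p["UserId"] for p in response.get("CreateVolumePermissions", [])
                  if "UserId" in p)


def triage(responses):
    """Classify snapshots; a snapshot can be both public and shared."""
    result = {"public": [], "shared": {}, "private": []}
    for r in responses:
        sid = r["SnapshotId"]
        accounts = shared_with(r)
        if is_public(r):
            result["public"].append(sid)
        if accounts:
            result["shared"][sid] = accounts
        if not is_public(r) and not accounts:
            result["private"].append(sid)
    return result


def remediation_command(snapshot_id):
    """CLI that revokes only the public grant; account-level shares stay in place."""
    return ("aws ec2 modify-snapshot-attribute "
            f"--snapshot-id {snapshot_id} "
            "--attribute createVolumePermission "
            "--operation-type remove --group-names all")


def remediation_plan(responses):
    """One remove command per publicly restorable snapshot."""
    return [remediation_command(sid) for sid in triage(responses)["public"]]


def after_remediation(response):
    """Attribute as it should read once the public grant is removed (for verification)."""
    return {
        "SnapshotId": response["SnapshotId"],
        "CreateVolumePermissions": [
            p for p in response.get("CreateVolumePermissions", [])
            if p.get("Group") != "all"
        ],
    }


if __name__ == "__main__":
    state = triage(SAMPLE_RESPONSES)
    print("public :", state["public"])
    print("shared :", state["shared"])
    print("private:", state["private"])
    for cmd in remediation_plan(SAMPLE_RESPONSES):
        print(cmd)
    # Verification: re-running the check on the post-remediation attribute must be False.
    for r in SAMPLE_RESPONSES:
        fixed = after_remediation(r)
        print(fixed["SnapshotId"], "public after fix:", is_public(fixed), "shared:", shared_with(fixed))
```

In a live account the input list would be built by calling describe-snapshot-attribute for each snapshot returned by `aws ec2 describe-snapshots --owner-ids self`; the triage and the generated commands are unchanged. Note that the partner share on the second snapshot survives remediation, which is the intended outcome: the rule is about the "all" group, not about account-level sharing.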
