EBS Snapshot is Not Public
Overview
This check identifies Amazon EBS snapshots that have public sharing permissions, making them accessible to all AWS accounts. EBS snapshots are point-in-time copies of your EC2 volumes and may contain sensitive data such as application code, configuration files, database contents, or credentials.
When a snapshot is public, anyone with an AWS account can discover it, create a volume from it, and access all the data it contains. Snapshots should always be kept private unless there is a specific, documented need to share them publicly.
Risk
Public EBS snapshots pose a critical security risk:
- Data exposure: Anyone can copy your snapshot and access all files, secrets, database contents, or application data stored in the volume
- Credential theft: Snapshots may contain API keys, passwords, certificates, or other secrets that attackers can harvest
- Reconnaissance: Attackers can study your application architecture, configurations, and vulnerabilities by examining snapshot contents
- Compliance violations: Public snapshots likely violate data protection regulations (GDPR, HIPAA, PCI-DSS, SOC 2)
- Lateral movement: Exposed data could help attackers move deeper into your environment or pivot to other systems
This is a Critical severity finding. Any public snapshot should be investigated and remediated immediately.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to modify EC2 snapshots
- Knowledge of which snapshots are flagged as public (from the Prowler report)
Required IAM permissions (for administrators)
Your IAM user or role needs these permissions:
- ec2:DescribeSnapshots
- ec2:DescribeSnapshotAttribute
- ec2:ModifySnapshotAttribute
- ec2:EnableSnapshotBlockPublicAccess (for account-level protection)
- ec2:GetSnapshotBlockPublicAccessState
AWS Console Method
Step 1: Find and Fix Public Snapshots
- Go to the EC2 Console in the region where the flagged snapshot lives (the examples in this guide use us-east-1; snapshots are regional, so check the region column of the Prowler finding)
- Click Snapshots in the left sidebar under "Elastic Block Store"
- Select the snapshot identified in the Prowler report
- Click Actions > Modify permissions
- Under "Snapshot availability", select Private
- If the snapshot was shared with specific accounts that should retain access, add those account IDs in the "Shared accounts" section
- Click Save changes
- Repeat for any other public snapshots identified
Step 2: Enable Account-Level Protection (Recommended)
To prevent snapshots from being made public in the future:
- Go to the EC2 Console in the region you want to protect (the setting is per-region; the examples use us-east-1)
- Click EC2 Dashboard in the left sidebar
- Scroll down to "Account attributes" and click Data protection and security
- Under "Block public access for EBS snapshots", click Manage
- Select Block all public access (recommended) or Block new public sharing
- Click Update
Important: If you select "Block all public access", any currently public snapshots are immediately treated as private. The "all" permission entry itself is not removed, so if the setting is later disabled those snapshots would become public again. Remove the permission from each flagged snapshot (Step 1) as well, rather than relying on the account-level setting alone.
AWS CLI (optional)
Find Public Snapshots
List all snapshots you own that are public:
aws ec2 describe-snapshots \
--owner-ids self \
--restorable-by-user-ids all \
--region us-east-1 \
--query 'Snapshots[*].{ID:SnapshotId,VolumeId:VolumeId,Size:VolumeSize,Description:Description}' \
--output table
Check Permissions on a Specific Snapshot
aws ec2 describe-snapshot-attribute \
--snapshot-id <snapshot-id> \
--attribute createVolumePermission \
--region us-east-1
If the output includes "Group": "all", the snapshot is public.
Remove Public Access from a Snapshot
aws ec2 modify-snapshot-attribute \
--snapshot-id <snapshot-id> \
--attribute createVolumePermission \
--operation-type remove \
--group-names all \
--region us-east-1
Enable Account-Level Block Public Access
Block all public sharing (makes existing public snapshots private):
aws ec2 enable-snapshot-block-public-access \
--state block-all-sharing \
--region us-east-1
Or block only new public sharing (existing public snapshots remain public):
aws ec2 enable-snapshot-block-public-access \
--state block-new-sharing \
--region us-east-1
Remediate All Public Snapshots in a Region
# List and remove public access from all public snapshots
for snapshot_id in $(aws ec2 describe-snapshots \
--owner-ids self \
--restorable-by-user-ids all \
--region us-east-1 \
--query 'Snapshots[*].SnapshotId' \
--output text); do
echo "Removing public access from: $snapshot_id"
aws ec2 modify-snapshot-attribute \
--snapshot-id "$snapshot_id" \
--attribute createVolumePermission \
--operation-type remove \
--group-names all \
--region us-east-1
done
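The loop above covers one region. The script below is an added example (not part of the Prowler guide or the AWS documentation it cites) that does the same sweep across every enabled region with boto3, records each snapshot's full permission list before touching it (the evidence the "Investigate before remediating" note asks for), removes only the "all" group so explicit per-account shares survive, turns on block public access in each region, and exits non-zero while any public snapshot is unresolved. It assumes credentials with the permissions listed above plus ec2:DescribeRegions; the function and report field names are this example's own choices.

```python
"""Sweep every enabled region for public EBS snapshots, record evidence and,
with --apply, remediate. Added example; not part of the original guide."""
import argparse
import json
import sys
from datetime import datetime, timezone


def is_public(create_volume_permissions):
    """True when the createVolumePermission list grants the 'all' group,
    which is exactly what makes a snapshot restorable by every AWS account."""
    return any(p.get("Group") == "all" for p in create_volume_permissions)


def shared_accounts(create_volume_permissions):
    """Account IDs the snapshot is explicitly shared with; these survive remediation."""
    return sorted(p["UserId"] for p in create_volume_permissions if "UserId" in p)


def enabled_regions(ec2):
    """describe_regions lists only regions enabled for the account by default."""
    return sorted(r["RegionName"] for r in ec2.describe_regions()["Regions"])


def public_snapshots(ec2, region):
    """Owned snapshots restorable by 'all', with their full permission list
    captured before anything is changed (evidence for the incident record)."""
    found = []
    paginator = ec2.get_paginator("describe_snapshots")
    for page in paginator.paginate(OwnerIds=["self"], RestorableByUserIds=["all"]):
        for snap in page["Snapshots"]:
            perms = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"
            )["CreateVolumePermissions"]
            found.append({
                "region": region,
                "snapshot_id": snap["SnapshotId"],
                "volume_id": snap.get("VolumeId"),
                "encrypted": snap.get("Encrypted", False),
                "description": snap.get("Description", ""),
                "public": is_public(perms),
                "shared_accounts": shared_accounts(perms),
                "remediated": False,
            })
    return found


def make_private(ec2, snapshot_id):
    """Remove only the 'all' group; explicit per-account shares are left intact."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="remove",
        GroupNames=["all"],
    )


def sweep(session, apply=False, block_state="block-all-sharing"):
    """Run the check in every enabled region; only mutate when apply=True."""
    report = {"started": datetime.now(timezone.utc).isoformat(),
              "findings": [], "block_state": {}}
    for region in enabled_regions(session.client("ec2", region_name="us-east-1")):
        ec2 = session.client("ec2", region_name=region)
        findings = public_snapshots(ec2, region)
        if apply:
            for f in findings:
                if f["public"]:
                    make_private(ec2, f["snapshot_id"])
                    f["remediated"] = True
            # Account-level guard so nothing in this region can be made public again.
            ec2.enable_snapshot_block_public_access(State=block_state)
        report["findings"].extend(findings)
        report["block_state"][region] = ec2.get_snapshot_block_public_access_state()["State"]
    return report


def unresolved(report):
    """Findings that are still public after the sweep (drives the exit code)."""
    return [f for f in report["findings"] if f["public"] and not f["remediated"]]


def main(argv=None):
    parser = argparse.ArgumentParser(description="Find/fix public EBS snapshots in all regions")
    parser.add_argument("--apply", action="store_true", help="remediate instead of report only")
    parser.add_argument("--block-state", default="block-all-sharing",
                        choices=["block-all-sharing", "block-new-sharing"])
    args = parser.parse_args(argv)
    import boto3  # imported here so the helpers above stay importable without boto3
    report = sweep(boto3.session.Session(), apply=args.apply, block_state=args.block_state)
    json.dump(report, sys.stdout, indent=2)
    return 1 if unresolved(report) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once without --apply to capture the report (keep that JSON with the incident ticket), then again with --apply. The permission list is read per snapshot rather than trusting the RestorableByUserIds filter alone so that the report also shows which specific accounts were shared with; those entries are deliberately left in place.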
CloudFormation (optional)
CloudFormation does not directly support modifying snapshot permissions or enabling account-level block public access settings. However, you can use CloudFormation custom resources with Lambda to automate these settings.
Snapshots are private when created, whatever tool creates them. The finding almost always arises because a snapshot was made public afterwards, manually in the console or by a script calling ModifySnapshotAttribute.
Best practice: Use AWS Config rules or Service Control Policies (SCPs) to prevent and detect public snapshots. See the Additional Resources section for more information.
Terraform (optional)
Make a Snapshot Private
If you manage snapshots with Terraform, the aws_ebs_snapshot resource itself creates a private snapshot; public access only comes from sharing permissions added afterwards. Keep any aws_snapshot_create_volume_permission resources limited to the specific account IDs that genuinely need the snapshot:
resource "aws_ebs_snapshot" "example" {
  volume_id   = aws_ebs_volume.example.id
  description = "My private EBS snapshot"
  tags = {
    Name = "my-snapshot"
  }
}

# Only share with named accounts that need it, never with everyone.
# Review any aws_snapshot_create_volume_permission resources that
# reference this snapshot and remove ones that are not justified.
Enable Account-Level Block Public Access
resource "aws_ebs_snapshot_block_public_access" "example" {
  state = "block-all-sharing"
}
Note: The aws_ebs_snapshot_block_public_access resource was added during the 5.x series of the AWS provider, so pin a provider version recent enough to include it. This is a regional setting, so you need one instance of the resource (with a provider alias) in each region you use.
Remove Public Access from an Existing Snapshot
If a snapshot was previously made public outside Terraform, Terraform's standard resources will not remove the permission, because Terraform only manages permissions it created. Use the AWS CLI or console to remediate, or wrap the CLI call in a null_resource with a local-exec provisioner (terraform_data works the same way on Terraform 1.4 and later):
variable "snapshot_id" {
  type = string
}

resource "null_resource" "remove_public_access" {
  # Re-run the provisioner whenever a different snapshot ID is supplied
  triggers = {
    snapshot_id = var.snapshot_id
  }

  provisioner "local-exec" {
    command = <<-EOT
      aws ec2 modify-snapshot-attribute \
        --snapshot-id ${var.snapshot_id} \
        --attribute createVolumePermission \
        --operation-type remove \
        --group-names all \
        --region us-east-1
    EOT
  }
}
Verification
After remediation, verify the snapshots are no longer public:
- Check individual snapshots:
  - Go to EC2 Console > Snapshots
  - Select the snapshot and click the Permissions tab
  - Confirm it shows "Private" and not "Public"
- Verify account-level protection:
  - Go to EC2 Dashboard > Data protection and security
  - Confirm "Block public access for EBS snapshots" shows "Block all public access" or "Block new public sharing"
- Re-run Prowler:
  - Run the specific check again to confirm remediation:
prowler aws --checks ec2_ebs_public_snapshot
CLI verification commands
Check if a specific snapshot is still public:
aws ec2 describe-snapshot-attribute \
--snapshot-id <snapshot-id> \
--attribute createVolumePermission \
--region us-east-1
Expected output for a private snapshot (no Group entry):
{
"SnapshotId": "snap-0123456789abcdef0",
"CreateVolumePermissions": []
}
Check if any of your snapshots are still public:
aws ec2 describe-snapshots \
--owner-ids self \
--restorable-by-user-ids all \
--region us-east-1 \
--query 'Snapshots[*].SnapshotId' \
--output text
Expected output: Empty (no snapshot IDs returned)
Check account-level block public access state:
aws ec2 get-snapshot-block-public-access-state \
--region us-east-1
Expected output:
{
"State": "block-all-sharing"
}
Additional Resources
- AWS Documentation: Share an Amazon EBS snapshot
- AWS Documentation: Block public access for EBS snapshots
- AWS Blog: Block public sharing of Amazon EBS snapshots
- AWS Config Rule: ebs-snapshot-public-restorable-check
- CIS AWS Foundations Benchmark
Notes
- Investigate before remediating: Before making a public snapshot private, determine why it was public. Was it intentional? Was data copied while it was exposed? Treat this as a potential security incident and record the snapshot's permissions, description and exposure window before changing anything.
- Encrypted snapshots cannot be public: Snapshots encrypted with a KMS key cannot be made public (they can still be shared with specific accounts if a customer managed key's policy allows it). Enabling EBS encryption by default is a worthwhile defense-in-depth measure.
- Regional setting: The "Block public access for EBS snapshots" setting is per-region. Enable it in every enabled region, including those with no active workloads, so an accidental share in an unused region is also blocked.
- Sharing vs. public: Making a snapshot private does not prevent sharing with specific AWS accounts. You can still share snapshots with trusted accounts or within your AWS Organization.
- Check all regions: Snapshots exist in specific regions. Check and remediate public snapshots in all AWS regions, not just your primary region.
- AWS Organizations: If you use AWS Organizations, consider a Service Control Policy (SCP) that denies ec2:DisableSnapshotBlockPublicAccess across member accounts, so the account-level protection cannot be switched off once enabled.
- Audit trail: Use AWS CloudTrail to identify who made the snapshot public and when, by searching for ModifySnapshotAttribute events whose createVolumePermission request parameter added group "all".
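The CloudTrail search in the last note, written out as an added example (not part of the Prowler guide): it filters ModifySnapshotAttribute events down to those whose createVolumePermission.add list contains the "all" group, ignoring per-account shares and the remove calls from remediation, and reports the principal, time and source IP. The record shape follows the EC2 API's request-parameter structure as CloudTrail logs it; that shape, the sample records and the function names are this example's assumptions. The lookup() helper expects a boto3 Session and only covers the 90-day event-history window; older events have to be read from the trail's S3 logs.

```python
"""Pull the CloudTrail events that made an EBS snapshot public.
Added example; not part of the original guide."""
import json
from datetime import datetime, timedelta, timezone


def _items(node):
    """EC2 request parameters in CloudTrail wrap lists as {'items': [...]}."""
    if isinstance(node, dict):
        return node.get("items", [])
    return node or []


def made_public(event):
    """Return the snapshot ID if this event added the 'all' group to
    createVolumePermission, otherwise None. Remove operations and
    per-account shares are deliberately ignored."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return None
    params = event.get("requestParameters") or {}
    added = _items((params.get("createVolumePermission") or {}).get("add"))
    if any(item.get("group") == "all" for item in added):
        return params.get("snapshotId")
    return None


def public_sharing_events(records):
    """Who made which snapshot public, when, and from where, oldest first.
    Accepts raw CloudTrailEvent JSON strings or already-parsed dicts."""
    hits = []
    for rec in records:
        event = json.loads(rec) if isinstance(rec, str) else rec
        snapshot_id = made_public(event)
        if snapshot_id is None:
            continue
        identity = event.get("userIdentity") or {}
        hits.append({
            "time": event.get("eventTime"),
            "snapshot_id": snapshot_id,
            "principal": identity.get("arn") or identity.get("principalId"),
            "source_ip": event.get("sourceIPAddress"),
            "user_agent": event.get("userAgent"),
        })
    return sorted(hits, key=lambda h: h["time"] or "")


def lookup(session, region="us-east-1", days=90):
    """Search CloudTrail event history (90-day window) for ModifySnapshotAttribute
    calls and keep those that made a snapshot public."""
    cloudtrail = session.client("cloudtrail", region_name=region)
    start = datetime.now(timezone.utc) - timedelta(days=days)
    raw = []
    for page in cloudtrail.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName",
                           "AttributeValue": "ModifySnapshotAttribute"}],
        StartTime=start,
    ):
        raw.extend(e["CloudTrailEvent"] for e in page["Events"])
    return public_sharing_events(raw)


# Constructed sample records shaped like the EC2 API's request parameters
# (not captured from a real account): a public share, a per-account share,
# and the later remediation that removed the 'all' group.
SAMPLE_RECORDS = [
    json.dumps({
        "eventTime": "2024-05-01T10:15:00Z", "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                              "createVolumePermission": {"add": {"items": [{"group": "all"}]}}},
    }),
    json.dumps({
        "eventTime": "2024-05-01T10:20:00Z", "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"snapshotId": "snap-0123456789abcdef1",
                              "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}},
    }),
    json.dumps({
        "eventTime": "2024-05-02T08:00:00Z", "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/SecOps/bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                              "createVolumePermission": {"remove": {"items": [{"group": "all"}]}}},
    }),
]

if __name__ == "__main__":
    # Offline demonstration on the constructed records; swap in lookup(boto3.session.Session())
    # to query a real account.
    for hit in public_sharing_events(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Run against the constructed records this yields a single hit, the first event, which is the one an incident timeline needs; the remove call by the SecOps role is the remediation and is correctly left out.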