
Ensure Public Access to EBS Snapshots is Disabled

Overview

This check verifies that your AWS account has "Block Public Access" enabled for EBS snapshots with the block-all-sharing setting. EBS snapshots contain complete copies of your storage volumes and may include sensitive data such as application code, databases, configuration files, or encryption keys.

Risk

If block public access is not enabled, EBS snapshots can be shared publicly, exposing your data to anyone on the internet. This could lead to:

  • Data leakage: Sensitive information (passwords, API keys, personal data) becomes accessible
  • Unauthorized cloning: Attackers can create copies of your volumes for analysis
  • Compliance violations: Public exposure of regulated data (PCI, HIPAA, etc.)

Even if you have not intentionally shared snapshots publicly, enabling this setting provides an account-level safeguard against accidental exposure.

Remediation Steps

Prerequisites

You need an AWS account with permissions to modify EC2 snapshot settings. The required IAM permission is ec2:EnableSnapshotBlockPublicAccess.

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Select US East (N. Virginia) us-east-1 from the region selector in the top-right corner
  3. Open the EC2 service
  4. In the left navigation, scroll down and click Snapshots
  5. Click the Settings dropdown (top-right of the snapshots list) and select Block public access for snapshots
  6. Select Block all sharing
  7. Click Save changes

Important: Repeat this process for each AWS region where you operate. Block public access is a regional setting.

AWS CLI (optional)

Enable block public access for EBS snapshots:

aws ec2 enable-snapshot-block-public-access \
    --state block-all-sharing \
    --region us-east-1

To enable this setting across all regions, run:

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    echo "Enabling block public access in $region..."
    aws ec2 enable-snapshot-block-public-access \
        --state block-all-sharing \
        --region "$region"
done

CloudFormation (optional)

Deploy this CloudFormation template to enable block public access:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable block public access for EBS snapshots

Resources:
  SnapshotBlockPublicAccess:
    Type: AWS::EC2::SnapshotBlockPublicAccess
    Properties:
      State: block-all-sharing

Deploy using the AWS CLI:

aws cloudformation deploy \
    --template-file template.yaml \
    --stack-name ebs-snapshot-block-public-access \
    --region us-east-1

Note: Deploy this stack in each region where you want to enable the protection.

Terraform (optional)

Add this resource to your Terraform configuration:

resource "aws_ebs_snapshot_block_public_access" "block_public_access" {
  state = "block-all-sharing"
}

To apply across multiple regions, use a provider alias pattern:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "us_west_2"
  region = "us-west-2"
}

resource "aws_ebs_snapshot_block_public_access" "us_east_1" {
  provider = aws.us_east_1
  state    = "block-all-sharing"
}

resource "aws_ebs_snapshot_block_public_access" "us_west_2" {
  provider = aws.us_west_2
  state    = "block-all-sharing"
}

Verification

After enabling block public access, verify the setting is active:

  1. In the AWS Console, go to EC2 > Snapshots > Settings > Block public access for snapshots
  2. Confirm that Block all sharing is selected

CLI verification

aws ec2 get-snapshot-block-public-access-state --region us-east-1

Expected output:

{
    "State": "block-all-sharing"
}

To verify across all regions:

for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    state=$(aws ec2 get-snapshot-block-public-access-state \
        --region "$region" \
        --query 'State' \
        --output text 2>/dev/null)
    echo "$region: $state"
done

Additional Resources

Notes

  • Regional setting: Block public access must be enabled in each AWS region separately. Enabling it in one region does not affect other regions.
  • Existing public snapshots: When you enable block-all-sharing, previously public snapshots are treated as private and become inaccessible publicly. However, their sharing attributes are not modified. If you later disable block public access, those snapshots will become publicly accessible again.
  • SCP protection: Consider using AWS Organizations Service Control Policies (SCPs) to prevent users from disabling block public access or to enforce this setting across all accounts in your organization.
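An added audit script, not part of this page or of any AWS tooling, that combines the per-region state check from the Verification section with a review of each snapshot's createVolumePermission attribute, since block-all-sharing leaves that attribute untouched. It assumes boto3 and read-only EC2 permissions (DescribeRegions, GetSnapshotBlockPublicAccessState, DescribeSnapshots, DescribeSnapshotAttribute) when run live; the evaluation functions are pure and can be exercised on constructed data without AWS access.

```python
"""Audit EBS snapshot public-access posture across regions (added example)."""
from typing import Dict, List

BLOCK_ALL = "block-all-sharing"  # the only state this check accepts


def public_snapshot_ids(attributes: Dict[str, List[dict]]) -> List[str]:
    """Ids whose createVolumePermission grants Group "all" (public).
    `attributes`: snapshot id -> CreateVolumePermissions list from
    DescribeSnapshotAttribute."""
    return sorted(sid for sid, perms in attributes.items()
                  if any(p.get("Group") == "all" for p in perms))


def evaluate_region(region: str, state: str,
                    attributes: Dict[str, List[dict]]) -> dict:
    """Compliant only when state is block-all-sharing. Snapshots with a public
    sharing attribute are reported even then: the setting hides them but does
    not rewrite the attribute, so they reappear if it is ever disabled."""
    return {
        "region": region,
        "state": state,
        "compliant": state == BLOCK_ALL,
        "latent_public_snapshots": public_snapshot_ids(attributes),
    }


def audit(session) -> List[dict]:
    """Live audit of every enabled region; `session` is a boto3.Session."""
    findings = []
    home = session.client("ec2", region_name="us-east-1")
    for r in home.describe_regions()["Regions"]:
        ec2 = session.client("ec2", region_name=r["RegionName"])
        state = ec2.get_snapshot_block_public_access_state()["State"]
        attrs = {}
        pages = ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
        for snap in (s for page in pages for s in page["Snapshots"]):
            attrs[snap["SnapshotId"]] = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"
            )["CreateVolumePermissions"]
        findings.append(evaluate_region(r["RegionName"], state, attrs))
    return findings


if __name__ == "__main__":
    import boto3  # imported here so the pure functions need no SDK to test
    for f in audit(boto3.Session()):
        print("OK " if f["compliant"] else "FIX", f["region"], f["state"],
              "public-attr snapshots:", f["latent_public_snapshots"])
```

Any region reported as FIX, and any snapshot listed under public-attr snapshots even in an OK region, is worth acting on before the setting is ever relaxed.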