DocumentDB Manual Cluster Snapshot Is Not Shared Publicly
Overview
This check verifies that your Amazon DocumentDB manual cluster snapshots are not publicly accessible. A public snapshot can be restored by any AWS account, potentially exposing your database contents to unauthorized parties.
Risk
When a DocumentDB snapshot is marked as public:
- Data exposure: Any AWS account can restore the snapshot and read your database contents
- Credential leakage: Embedded secrets, connection strings, or application data may be exposed
- Compliance violations: Public snapshots likely violate PCI-DSS, SOC 2, and other compliance frameworks
- No audit trail: You cannot track who accesses or restores public snapshots
This is rated as critical severity because it can lead to immediate, uncontrolled data exposure.
Remediation Steps
Prerequisites
You need permission to modify DocumentDB snapshot attributes. Specifically, your IAM user or role must have the rds:ModifyDBClusterSnapshotAttribute permission.
AWS Console Method
- Open the Amazon DocumentDB console
- In the left navigation, click Snapshots
- Select the Manual tab to view manual snapshots
- Click on the snapshot name that was flagged as public
- Click the Actions button, then select Share snapshot
- In the sharing settings, look for the visibility setting
- If "Public" is enabled or "all" appears in the account list, remove it:
  - Set visibility to Private
  - Remove "all" from the authorized accounts list
- Click Save to apply the changes
AWS CLI (optional)
Remove Public Access from a Snapshot
Run the following command to remove public access from a DocumentDB cluster snapshot:
```bash
aws docdb modify-db-cluster-snapshot-attribute \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --attribute-name restore \
  --values-to-remove all \
  --region us-east-1
```
Replace <your-snapshot-id> with your actual snapshot identifier.
List All Public Snapshots
The following command shows the restore attribute of a single snapshot; run it against each manual snapshot in the account to find the public ones:
```bash
aws docdb describe-db-cluster-snapshot-attributes \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --region us-east-1 \
  --query 'DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName==`restore`].AttributeValues' \
  --output text
```
If the output contains "all", the snapshot is public.
Share with Specific Accounts Instead
If you need to share the snapshot with specific AWS accounts (rather than publicly), use:
```bash
aws docdb modify-db-cluster-snapshot-attribute \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --attribute-name restore \
  --values-to-add 123456789012 987654321098 \
  --region us-east-1
```
Replace the account IDs with the actual AWS account numbers that should have access.
CloudFormation (optional)
CloudFormation does not directly support managing snapshot sharing attributes. You have two options:
Option 1: Use a Custom Resource
Create a Lambda-backed custom resource to manage snapshot attributes:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Remove public access from DocumentDB snapshot
Parameters:
  SnapshotIdentifier:
    Type: String
    Description: The DocumentDB cluster snapshot identifier
Resources:
  SnapshotAttributeLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: DocDBSnapshotAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - rds:ModifyDBClusterSnapshotAttribute
                  - rds:DescribeDBClusterSnapshotAttributes
                Resource: !Sub 'arn:aws:rds:${AWS::Region}:${AWS::AccountId}:cluster-snapshot:${SnapshotIdentifier}'
  RemovePublicAccessFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.11
      Handler: index.handler
      Role: !GetAtt SnapshotAttributeLambdaRole.Arn
      Timeout: 60
      Code:
        ZipFile: |
          import boto3
          import cfnresponse

          def handler(event, context):
              try:
                  # Only Create/Update change the snapshot. Delete has nothing to undo,
                  # but CloudFormation still needs a response for every request type,
                  # otherwise the stack operation hangs until it times out.
                  if event['RequestType'] in ['Create', 'Update']:
                      snapshot_id = event['ResourceProperties']['SnapshotIdentifier']
                      client = boto3.client('docdb')
                      # Remove only the "all" value; explicitly shared accounts are kept
                      client.modify_db_cluster_snapshot_attribute(
                          DBClusterSnapshotIdentifier=snapshot_id,
                          AttributeName='restore',
                          ValuesToRemove=['all']
                      )
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})
  RemovePublicAccess:
    Type: Custom::RemovePublicAccess
    Properties:
      ServiceToken: !GetAtt RemovePublicAccessFunction.Arn
      SnapshotIdentifier: !Ref SnapshotIdentifier
```
Option 2: Prevent Public Snapshots with SCP
Use a Service Control Policy to prevent snapshots from being made public in the first place:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventPublicDocDBSnapshots",
      "Effect": "Deny",
      "Action": "rds:ModifyDBClusterSnapshotAttribute",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "rds:AddToAttribute": "all"
        }
      }
    }
  ]
}
```
Terraform (optional)
Terraform does not have a native resource for managing DocumentDB snapshot attributes. Use the AWS CLI via a null_resource with a local-exec provisioner. Note that the provisioner runs only when the resource is created or its trigger (the snapshot identifier) changes, so it will not re-apply if the snapshot is made public again later; pair it with the preventive policy below.
```hcl
variable "snapshot_identifier" {
  description = "The DocumentDB cluster snapshot identifier"
  type        = string
}

resource "null_resource" "remove_public_snapshot_access" {
  triggers = {
    snapshot_id = var.snapshot_identifier
  }

  provisioner "local-exec" {
    command = <<-EOT
      aws docdb modify-db-cluster-snapshot-attribute \
        --db-cluster-snapshot-identifier ${var.snapshot_identifier} \
        --attribute-name restore \
        --values-to-remove all \
        --region us-east-1
    EOT
  }
}
```
Preventive Control with IAM
Create an IAM policy that prevents users from making snapshots public. The resource below only defines the policy; attach it to the relevant users, groups, or roles (for example with aws_iam_role_policy_attachment) for it to take effect:
```hcl
resource "aws_iam_policy" "prevent_public_snapshots" {
  name        = "PreventPublicDocDBSnapshots"
  description = "Prevents making DocumentDB snapshots public"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "PreventPublicDocDBSnapshots"
        Effect   = "Deny"
        Action   = "rds:ModifyDBClusterSnapshotAttribute"
        Resource = "*"
        Condition = {
          StringEquals = {
            "rds:AddToAttribute" = "all"
          }
        }
      }
    ]
  })
}
```
Verification
After remediation, verify that the snapshot is no longer public:
- In the DocumentDB console, go to Snapshots > Manual
- Click on the snapshot name
- Check that the Visibility shows Private (not Public)
- Confirm that "all" does not appear in the list of authorized accounts
CLI verification
```bash
aws docdb describe-db-cluster-snapshot-attributes \
  --db-cluster-snapshot-identifier <your-snapshot-id> \
  --region us-east-1 \
  --query 'DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName==`restore`].AttributeValues' \
  --output text
```
The output should either be empty or list only specific AWS account IDs. If it shows "all", the snapshot is still public.
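The CLI commands in "List All Public Snapshots" and in this verification step each inspect one snapshot. The script below is an added example (not code from the original guide) that does the same check across every manual snapshot in a region: it pages through the account's manual cluster snapshots with the Marker token, reads each snapshot's restore attribute, reports those that contain "all", and with --fix removes only that value, leaving explicitly shared account IDs in place. The function names, the FakeDocDB stand-in and its snapshot names are assumptions of this example; the default run uses the stand-in so it works offline, while --live needs boto3, credentials, and the rds:DescribeDBClusterSnapshots, rds:DescribeDBClusterSnapshotAttributes and rds:ModifyDBClusterSnapshotAttribute permissions.

```python
"""Audit every manual DocumentDB cluster snapshot in a region for public restore
access and, on request, remove it. Added example, not the guide's own code."""

PUBLIC = "all"  # value in the 'restore' attribute meaning "any AWS account may restore"


def restore_principals(attributes_result):
    """Return the 'restore' attribute values (account IDs and/or "all") from a
    DBClusterSnapshotAttributesResult dict; [] when the attribute is absent."""
    for attr in attributes_result.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(attributes_result):
    """True when any AWS account may restore the snapshot."""
    return PUBLIC in restore_principals(attributes_result)


def iter_manual_snapshot_ids(client):
    """Page through the account's own manual snapshots using the Marker token
    (automated snapshots are skipped: they cannot be shared at all)."""
    kwargs = {"SnapshotType": "manual"}
    while True:
        page = client.describe_db_cluster_snapshots(**kwargs)
        for snap in page.get("DBClusterSnapshots", []):
            yield snap["DBClusterSnapshotIdentifier"]
        if not page.get("Marker"):
            return
        kwargs["Marker"] = page["Marker"]


def find_public_snapshots(client):
    """Return {snapshot_id: restore_principals} for each public manual snapshot."""
    findings = {}
    for snap_id in iter_manual_snapshot_ids(client):
        result = client.describe_db_cluster_snapshot_attributes(
            DBClusterSnapshotIdentifier=snap_id
        )["DBClusterSnapshotAttributesResult"]
        if is_public(result):
            findings[snap_id] = restore_principals(result)
    return findings


def remove_public_access(client, snapshot_id):
    """Remove only the "all" value; accounts shared explicitly stay authorized."""
    client.modify_db_cluster_snapshot_attribute(
        DBClusterSnapshotIdentifier=snapshot_id,
        AttributeName="restore",
        ValuesToRemove=[PUBLIC],
    )


def audit_and_fix(client, fix=False):
    """Run the audit and return the findings; with fix=True also remediate them."""
    findings = find_public_snapshots(client)
    if fix:
        for snap_id in findings:
            remove_public_access(client, snap_id)
    return findings


class FakeDocDB:
    """Constructed stand-in for the boto3 docdb client (hypothetical snapshot
    names and sharing state) so the script can be exercised offline."""

    def __init__(self):
        self.restore = {
            "orders-2024-01-01": ["all"],                  # public
            "orders-2024-02-01": ["all", "123456789012"],  # public plus one account
            "orders-2024-03-01": ["123456789012"],         # shared with one account
            "orders-2024-04-01": [],                       # private
        }

    def describe_db_cluster_snapshots(self, **kwargs):
        ids = sorted(self.restore)
        if "Marker" not in kwargs:  # two pages, so pagination is exercised
            return {"DBClusterSnapshots": [{"DBClusterSnapshotIdentifier": i} for i in ids[:2]],
                    "Marker": "page-2"}
        return {"DBClusterSnapshots": [{"DBClusterSnapshotIdentifier": i} for i in ids[2:]]}

    def describe_db_cluster_snapshot_attributes(self, DBClusterSnapshotIdentifier):
        return {"DBClusterSnapshotAttributesResult": {
            "DBClusterSnapshotIdentifier": DBClusterSnapshotIdentifier,
            "DBClusterSnapshotAttributes": [{
                "AttributeName": "restore",
                "AttributeValues": list(self.restore[DBClusterSnapshotIdentifier])}]}}

    def modify_db_cluster_snapshot_attribute(self, DBClusterSnapshotIdentifier, AttributeName,
                                             ValuesToRemove=(), ValuesToAdd=()):
        kept = [v for v in self.restore[DBClusterSnapshotIdentifier] if v not in ValuesToRemove]
        self.restore[DBClusterSnapshotIdentifier] = kept + list(ValuesToAdd)
        return {}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # real account: needs boto3, credentials and the rds:* rights above
        import boto3
        client = boto3.client("docdb", region_name="us-east-1")
    else:
        client = FakeDocDB()
    for snap_id, who in audit_and_fix(client, fix="--fix" in sys.argv).items():
        print(f"PUBLIC {snap_id}: restore={who}")
```

Run it with no arguments to see the audit over the constructed data, `--fix` to see the remediation leave only explicitly shared accounts behind, and `--live` (optionally with `--fix`) against a real region. Because the functions take the client as a parameter, the same code can be dropped into a scheduled Lambda to re-check snapshots after the one-off remediation above.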
Additional Resources
- Sharing Amazon DocumentDB Cluster Snapshots
- Amazon DocumentDB Security Best Practices
- AWS Foundational Security Best Practices - DocumentDB
Notes
- Encrypted snapshots cannot be made truly public: If your snapshot is encrypted with a customer-managed KMS key, other accounts must have access to that key to restore the snapshot. However, the "all" setting can still be applied, so it is best practice to remove it regardless.
- Automated snapshots cannot be shared: This check only applies to manual snapshots. Automated snapshots created by DocumentDB are private by default and cannot be shared directly.
- Consider encryption: For sensitive data, always encrypt your DocumentDB clusters and snapshots using AWS KMS. This adds an additional layer of access control.
- Implement preventive controls: Use Service Control Policies (SCPs) or IAM policies to prevent snapshots from being made public in the first place.