RDS Snapshot is Not Publicly Shared

Overview

This check identifies Amazon RDS database snapshots (both DB snapshots and DB cluster snapshots) that are publicly accessible. A public snapshot can be copied or restored by any AWS account, not just your own.

Snapshots should be kept private or shared only with specific, trusted AWS accounts.

Risk

Public RDS snapshots expose your database contents to the entire world. This can lead to:

  • Data theft: Sensitive information (customer data, credentials, business secrets) can be accessed by anyone.
  • Credential harvesting: Attackers can extract passwords and API keys stored in the database.
  • Offline attacks: Bad actors can crack password hashes or analyze your schema without triggering any alerts in your account.

Even if you think your snapshot contains nothing sensitive, it may include configuration data, user tables, or logs that reveal internal details about your environment.

Remediation Steps

Prerequisites

  • AWS Console access with permissions to modify RDS snapshots
  • The snapshot identifier(s) you need to fix

Optional: AWS CLI setup

If you prefer using the command line, ensure you have:

  • AWS CLI installed and configured
  • IAM permissions for rds:ModifyDBSnapshotAttribute and rds:ModifyDBClusterSnapshotAttribute

AWS Console Method

  1. Open the Amazon RDS console at https://console.aws.amazon.com/rds/
  2. In the left navigation pane, choose Snapshots
  3. Look for snapshots marked as Public in the visibility column
  4. Select the public snapshot you want to fix
  5. Choose Actions > Share snapshot
  6. Under DB snapshot visibility, select Private
  7. Remove all from the list of authorized accounts (if present)
  8. Choose Save

Repeat for each public snapshot, including cluster snapshots if you use Aurora.

AWS CLI (optional)

For a standard DB snapshot:

aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier <your-snapshot-id> \
--attribute-name restore \
--values-to-remove all \
--region us-east-1

For an Aurora DB cluster snapshot:

aws rds modify-db-cluster-snapshot-attribute \
--db-cluster-snapshot-identifier <your-cluster-snapshot-id> \
--attribute-name restore \
--values-to-remove all \
--region us-east-1

Replace <your-snapshot-id> or <your-cluster-snapshot-id> with your actual snapshot identifier.

To find all public snapshots in your account (--snapshot-type public returns every public snapshot visible in the region, including other accounts' snapshots, so the query filters on your own account ID in the ARN):

# List public DB snapshots owned by this account
aws rds describe-db-snapshots \
--snapshot-type public \
--region us-east-1 \
--query "DBSnapshots[?contains(DBSnapshotArn, '<your-account-id>')].DBSnapshotIdentifier"

# List public cluster snapshots owned by this account
aws rds describe-db-cluster-snapshots \
--snapshot-type public \
--region us-east-1 \
--query "DBClusterSnapshots[?contains(DBClusterSnapshotArn, '<your-account-id>')].DBClusterSnapshotIdentifier"

Replace <your-account-id> with your 12-digit AWS account ID.

CloudFormation (optional)

CloudFormation cannot directly modify snapshot sharing attributes. However, you can use AWS Config to detect public snapshots and alert on non-compliance.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS Config rule to detect public RDS snapshots'

Resources:
  RDSSnapshotPublicAccessRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: rds-snapshots-public-prohibited
      Description: Checks if RDS DB snapshots are public
      Source:
        Owner: AWS
        SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::RDS::DBSnapshot
          - AWS::RDS::DBClusterSnapshot

This rule will flag any public snapshots as non-compliant, allowing you to take action.

Terraform (optional)

Like CloudFormation, Terraform cannot directly modify snapshot sharing. Use AWS Config to detect public snapshots:

resource "aws_config_config_rule" "rds_snapshots_public_prohibited" {
  name        = "rds-snapshots-public-prohibited"
  description = "Checks if RDS DB snapshots are public"

  source {
    owner             = "AWS"
    source_identifier = "RDS_SNAPSHOTS_PUBLIC_PROHIBITED"
  }

  scope {
    compliance_resource_types = [
      "AWS::RDS::DBSnapshot",
      "AWS::RDS::DBClusterSnapshot"
    ]
  }
}

For automated remediation, consider using AWS Config auto-remediation with a Lambda function or SSM Automation document.

Verification

After making changes, confirm the snapshot is no longer public:

  1. In the RDS Console, go to Snapshots
  2. Select your snapshot and check the Snapshot sharing section
  3. It should show Private with no accounts listed (or only specific trusted accounts)

CLI verification

For DB snapshots:

aws rds describe-db-snapshot-attributes \
--db-snapshot-identifier <your-snapshot-id> \
--region us-east-1

For cluster snapshots:

aws rds describe-db-cluster-snapshot-attributes \
--db-cluster-snapshot-identifier <your-cluster-snapshot-id> \
--region us-east-1

In the output, the AttributeValues list of the restore attribute should be empty or contain only the specific account IDs you trust; if it still contains the value all, the snapshot is still public.
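The find, fix and verify steps above can be combined into one audit. The following is an added example (not part of the original guide): it evaluates the restore attribute returned by describe-db-snapshot-attributes (and its cluster equivalent), computes exactly which entries to remove so that trusted account IDs survive, and optionally sweeps several regions with boto3. The sample responses are constructed; the sweep assumes boto3 is installed and AWS credentials are configured.

```python
from typing import Dict, List

# Constructed sample responses in the shape of describe-db-snapshot-attributes.
SAMPLE_PUBLIC = {"DBSnapshotAttributesResult": {
    "DBSnapshotIdentifier": "example-public-snap",
    "DBSnapshotAttributes": [{"AttributeName": "restore",
                              "AttributeValues": ["all", "111111111111"]}]}}
SAMPLE_PRIVATE = {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "example-private-snap",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}}


def restore_values(response: Dict) -> List[str]:
    """Return the 'restore' account list from a DB or cluster snapshot attributes response."""
    result = (response.get("DBSnapshotAttributesResult")
              or response["DBClusterSnapshotAttributesResult"])
    attrs = result.get("DBSnapshotAttributes") or result.get("DBClusterSnapshotAttributes", [])
    for attr in attrs:
        if attr["AttributeName"] == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(response: Dict) -> bool:
    """The snapshot is public exactly when 'all' appears in the restore attribute."""
    return "all" in restore_values(response)


def values_to_remove(response: Dict, trusted: List[str]) -> List[str]:
    """What to pass as ValuesToRemove: 'all' plus any account ID not on the trusted list."""
    return [v for v in restore_values(response) if v == "all" or v not in trusted]


def sweep(regions: List[str], trusted: List[str], fix: bool = False) -> List[str]:
    """Report (and with fix=True, make private) public manual DB snapshots per region."""
    import boto3  # imported here so the pure functions above run without it
    found = []
    for region in regions:
        rds = boto3.client("rds", region_name=region)
        pages = rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual")
        for page in pages:
            for snap in page["DBSnapshots"]:
                sid = snap["DBSnapshotIdentifier"]
                resp = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)
                if is_public(resp):
                    found.append(f"{region}:{sid}")
                    if fix:
                        rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=sid,
                            AttributeName="restore", ValuesToRemove=values_to_remove(resp, trusted))
    return found
```

The sweep covers DB snapshots; for Aurora, the same loop uses describe_db_cluster_snapshots, describe_db_cluster_snapshot_attributes and modify_db_cluster_snapshot_attribute with DBClusterSnapshotIdentifier, and restore_values already understands that response shape.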

Additional Resources

Notes

  • Encrypted snapshots cannot be made public. If a snapshot is encrypted with a KMS key, AWS prevents it from being shared publicly. Consider encrypting all snapshots as an additional safeguard.
  • Sharing with specific accounts is OK. This check only flags snapshots shared with "all" (public). Sharing with specific AWS account IDs is a valid use case.
  • Automated snapshots cannot be shared directly. Only manual snapshots can be shared. If you see a public automated snapshot, it may have been copied to a manual snapshot first.
  • Check all regions. Snapshots are region-specific. Run your checks in each region where you have RDS resources.