Publicly shared EBS snapshot
February 21, 2023

Elastic Block Store (EBS) snapshots can be shared publicly through the AWS console or the AWS CLI. Most EBS volumes contain some sensitive data, since they are derived from running machines. Making a snapshot public can therefore expose secrets and source code.

Understanding Impact

Business Impact

EBS volumes are virtual disks from which snapshots can be created, similar to the snapshot functionality of other virtualization platforms. Snapshots are frequently used for backups. These snapshots can be shared publicly, allowing anyone to access the data stored on the original disk. It is recommended to classify the data in the volumes being snapshotted, to have an automated lifecycle policy for snapshots, and to detect any exposure by monitoring the snapshot permission setting that makes a snapshot public.

Technical Impact

EBS snapshots can be shared not only with specific AWS accounts, but also publicly. A publicly shared EBS snapshot is generally the sign of an unintended misconfiguration. Attackers also occasionally make a snapshot public in order to exfiltrate its data to another account.

Identify affected resources

Use the following command to list EBS snapshots:

aws ec2 describe-snapshots --owner self

You can then check the permissions associated with a specific EBS snapshot:

aws ec2 describe-snapshot-attribute \
    --snapshot-id "snap-01234" \
    --attribute "createVolumePermission"

When an EBS snapshot is publicly shared, its CreateVolumePermissions attribute is set to [{"Group": "all"}].

{
    "CreateVolumePermissions": [
        {
            "Group": "all"
        }
    ],
    "SnapshotId": "snap-01234"
}

Remediate vulnerable resources

Remove the configuration that makes the snapshot public.

aws ec2 modify-snapshot-attribute \
    --snapshot-id "snap-01234" \
    --attribute "createVolumePermission" \
    --operation-type "remove" \
    --group-name "all"
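The identification and remediation steps above, as an added example that is not part of the original page or of Datadog's tooling: a small Python audit that classifies the output of describe-snapshot-attribute (public when an entry has Group "all", cross-account when entries carry a UserId) and builds the matching modify-snapshot-attribute command for any public snapshot. The sample results are constructed; the snapshot IDs and account ID are placeholders.

```python
import json
import shlex

# Constructed sample results of `aws ec2 describe-snapshot-attribute
# --attribute createVolumePermission`, one per snapshot (not real output).
SAMPLE_RESULTS = [
    {"SnapshotId": "snap-01234",
     "CreateVolumePermissions": [{"Group": "all"}]},            # public
    {"SnapshotId": "snap-05678",
     "CreateVolumePermissions": [{"UserId": "111122223333"}]},  # shared with one account
    {"SnapshotId": "snap-09abc",
     "CreateVolumePermissions": []},                            # private
]

def classify(result):
    """Return (is_public, shared_account_ids) for one describe-snapshot-attribute result.

    A snapshot is public when any CreateVolumePermissions entry has Group == "all";
    cross-account shares appear as entries carrying a UserId.
    """
    perms = result.get("CreateVolumePermissions", [])
    is_public = any(p.get("Group") == "all" for p in perms)
    accounts = sorted(p["UserId"] for p in perms if "UserId" in p)
    return is_public, accounts

def remediation_command(result):
    """Build the modify-snapshot-attribute command that removes public access,
    or return None when the snapshot is not public."""
    is_public, _ = classify(result)
    if not is_public:
        return None
    return " ".join(shlex.quote(a) for a in [
        "aws", "ec2", "modify-snapshot-attribute",
        "--snapshot-id", result["SnapshotId"],
        "--attribute", "createVolumePermission",
        "--operation-type", "remove",
        "--group-name", "all",
    ])

def audit(results):
    """Summarise each snapshot: exposure level, shared accounts, and the fix if public."""
    findings = []
    for r in results:
        is_public, accounts = classify(r)
        level = "public" if is_public else ("cross-account" if accounts else "private")
        findings.append({"snapshot_id": r["SnapshotId"], "exposure": level,
                         "shared_with": accounts, "fix": remediation_command(r)})
    return findings

if __name__ == "__main__":
    # Feed a real result with: aws ec2 describe-snapshot-attribute ... | python audit.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESULTS
    for f in audit(data if isinstance(data, list) else [data]):
        print(json.dumps(f))
```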

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | EBS volume snapshot is not publicly shared with other AWS accounts".


Modifying EBS snapshot permissions

AWS documentation

DEFCON 27: Hacking exposed EBS volumes

Hundreds of exposed Amazon cloud backups found leaking sensitive data