Publicly shared EBS snapshot

PLATFORM

SERVICE: ec2

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: high (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: high (how impactful a successful exploitation of this vulnerability is expected to be to your environment and organization)

About

Snapshots of Elastic Block Store (EBS) volumes can be shared publicly through the AWS console or the AWS CLI. Most EBS volumes contain some sensitive data, since they are the disks of running machines. A snapshot made public can therefore expose secrets and source code.

Understanding Impact

Business Impact

EBS volumes are virtual disks from which snapshots can be created, similar to the snapshot functionality of other virtualization platforms. Snapshots are frequently used for backups. These snapshots can be shared publicly, allowing anyone to create a volume from them and access the data stored on the original disk. It is recommended to classify the data in the volumes being snapshotted, to have an automated lifecycle policy for snapshots, and to detect any exposure by monitoring the public-sharing setting of EBS snapshots.

Technical Impact

EBS snapshots can be shared not only with specific AWS accounts, but also publicly. Publicly sharing an EBS snapshot is generally the sign of an unintended misconfiguration. Attackers will also use public snapshots on occasion in order to exfiltrate data to another account.

Identify affected resources

Use the following command to list EBS snapshots:

aws ec2 describe-snapshots --owner self

You can then check the permissions associated with a specific EBS snapshot:

aws ec2 describe-snapshot-attribute \
    --snapshot-id "snap-01234" \
    --attribute "createVolumePermission"

When an EBS snapshot is publicly shared, its CreateVolumePermissions attribute contains the entry {"Group": "all"}, as in the following output:

{
  "CreateVolumePermissions": [
      {
          "Group": "all"
      }
  ],
  "SnapshotId": "snap-01234"
}
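The two commands above, combined into a small audit script that checks every snapshot the account owns in a region and reports the ones shared with the "all" group. This is an added example, not Datadog's or AWS's own tooling; it assumes the AWS CLI is installed and credentials are configured, and the sample JSON at the top is constructed from the output shape shown above.

```bash
#!/usr/bin/env bash
# Added example: audit snapshots owned by this account in one region and report
# any that are publicly shared. Assumes the AWS CLI and credentials are set up.
set -eu

# Constructed sample outputs of describe-snapshot-attribute, used for a self-check.
SAMPLE_PUBLIC='{"CreateVolumePermissions":[{"Group":"all"}],"SnapshotId":"snap-01234"}'
SAMPLE_PRIVATE='{"CreateVolumePermissions":[],"SnapshotId":"snap-01234"}'

# Return 0 (true) when a describe-snapshot-attribute JSON document shows the
# snapshot shared publicly, i.e. CreateVolumePermissions contains {"Group": "all"}.
# Whitespace is stripped first so the check does not depend on CLI pretty-printing.
snapshot_is_public() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"Group":"all"'
}

# List the snapshot IDs owned by this account in the given region, one per line.
list_own_snapshots() {
  aws ec2 describe-snapshots --owner self --region "$1" \
    --query 'Snapshots[].SnapshotId' --output text | tr '\t' '\n'
}

# Print each publicly shared snapshot in the region; return 1 if any were found.
# Run once per region you operate in: the sharing attribute is regional.
scan_region() {
  region="$1"
  found=0
  for snap in $(list_own_snapshots "$region"); do
    attr=$(aws ec2 describe-snapshot-attribute --region "$region" \
             --snapshot-id "$snap" --attribute createVolumePermission)
    if snapshot_is_public "$attr"; then
      echo "PUBLIC: $snap ($region)"
      found=1
    fi
  done
  return "$found"
}

# Usage: ./audit_snapshots.sh --scan us-east-1
if [ "${1:-}" = "--scan" ]; then
  scan_region "${2:-us-east-1}"
fi
```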

Remediate vulnerable resources

Remove the create-volume permission that makes the snapshot public:

aws ec2 modify-snapshot-attribute \
    --snapshot-id "snap-01234" \
    --attribute "createVolumePermission" \
    --operation-type "remove" \
    --group-name "all"

As a proactive measure, it is recommended to block public access for EBS snapshots at the account level, so that no snapshot can be exposed in the future:

aws ec2 enable-snapshot-block-public-access --state block-all-sharing

"Block public access to snapshots" is a regional setting. You need to enable it for each region you operate in. After enabling it, you can still share snapshots with specific AWS accounts. Attempting to share a snapshot publicly will result in an error:

Public snapshot sharing is not allowed because Block Public Access is enabled for this account

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | EBS volume snapshot should not be publicly shared".

