About
RDS snapshots can be shared publicly through the AWS console or the AWS CLI. Public sharing landed in 2015 following a feature request from the data science community. Most data sets that customers store contain sensitive data.
Understanding Impact
Business Impact
RDS instances are managed databases, and RDS snapshots are frequently used for backups, among other purposes. Sharing an RDS snapshot publicly allows anyone to restore it and access all the data inside the database.
Technical Impact
RDS snapshots can be shared with specific AWS accounts, but can also inadvertently be made public. Publicly sharing an RDS snapshot is likely a sign of an unintended misconfiguration.
Identify affected resources
You can use the following AWS CLI commands to identify publicly accessible RDS snapshots in your account:
aws rds describe-db-snapshots --snapshot-type manual --include-public
aws rds describe-db-snapshots --snapshot-type automated --include-public
aws rds describe-db-snapshots --snapshot-type awsbackup --include-public
Remediate vulnerable resources
To stop an RDS snapshot from being publicly shared, you can use the following AWS CLI command:
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier <your-snapshot> \
--attribute-name "restore" \
--values-to-remove "all"
Alternatively, you can share the RDS snapshot only with specific AWS accounts.
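The identification and remediation steps above, as an added boto3 example that is not Datadog's or AWS's own code: the authoritative per-snapshot check is describe-db-snapshot-attributes, whose restore attribute contains the value all exactly when the snapshot is public, and the same modify call as the CLI remediation removes it. The region, snapshot names and the 111122223333 account ID are constructed sample values.

```python
from typing import Dict, Iterable, List

PUBLIC_MARKER = "all"  # AWS marks a snapshot public by adding "all" to its "restore" attribute


def restore_principals(attr_response: Dict) -> List[str]:
    """Account IDs (or 'all') allowed to restore, from a describe_db_snapshot_attributes response."""
    result = attr_response.get("DBSnapshotAttributesResult", {})
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(attr_response: Dict) -> bool:
    return PUBLIC_MARKER in restore_principals(attr_response)


def find_public_snapshots(attr_responses: Iterable[Dict]) -> List[str]:
    return [r["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
            for r in attr_responses if is_public(r)]


def audit_account(region: str, remediate: bool = False) -> List[str]:
    """Walk this account's manual snapshots (only manual snapshots can be shared); needs boto3 + credentials."""
    import boto3  # imported here so the offline helpers above still run without it
    rds = boto3.client("rds", region_name=region)
    findings: List[str] = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            ident = snap["DBSnapshotIdentifier"]
            if is_public(rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=ident)):
                findings.append(ident)
                if remediate:  # same operation as the CLI remediation above
                    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=ident,
                                                     AttributeName="restore",
                                                     ValuesToRemove=[PUBLIC_MARKER])
    return findings


# Constructed sample responses in the shape describe_db_snapshot_attributes returns.
SAMPLE_RESPONSES = [
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "orders-db-final",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "orders-db-shared",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]}},
    {"DBSnapshotAttributesResult": {"DBSnapshotIdentifier": "orders-db-private",
        "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]}},
]

if __name__ == "__main__":
    print(find_public_snapshots(SAMPLE_RESPONSES))  # ['orders-db-final']
```

Run audit_account("us-east-1") with credentials to list the account's public snapshots, and pass remediate=True to revoke public access in the same pass.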
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | RDS database instance snapshots should not be publicly shared".