RDS snapshots can be shared publicly through the AWS console or the AWS CLI. The feature was added in 2015 in response to a request from the data science community. Most data sets that customers store in RDS contain sensitive data.
RDS instances are managed databases, and RDS snapshots are frequently used for backups, for example. Sharing an RDS snapshot publicly allows anyone to access all the data inside the database.
RDS snapshots can be shared with specific AWS accounts, but they can also inadvertently be made public. A publicly shared RDS snapshot is most likely an unintended misconfiguration.
Identify affected resources
You can use the following AWS CLI commands to identify publicly accessible RDS snapshots in your account:
aws rds describe-db-snapshots --snapshot-type manual --include-public
aws rds describe-db-snapshots --snapshot-type automated --include-public
aws rds describe-db-snapshots --snapshot-type awsbackup --include-public
Remediate vulnerable resources
To stop an RDS snapshot from being publicly shared, you can use the following AWS CLI command:
aws rds modify-db-snapshot-attribute \
    --db-snapshot-identifier <your-snapshot> \
    --attribute-name "restore" \
    --values-to-remove "all"
If the snapshot does need to be shared, share it with specific AWS account IDs instead of making it public.
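The identification and remediation steps above, combined into one script as an added example (not code from the original page or from Datadog). It walks the manual snapshots owned by the account (only manual snapshots can be shared), flags any whose "restore" attribute contains the public marker "all", and optionally removes that marker while keeping account-specific shares; boto3 is only needed for the live run, and the sample API response and account ID are constructed placeholders.

```python
"""Find, and optionally fix, publicly shared RDS snapshots (added example)."""
from __future__ import annotations

try:
    import boto3  # only required for the live run against AWS
except ImportError:  # pragma: no cover
    boto3 = None

PUBLIC_MARKER = "all"  # value AWS stores in the "restore" attribute for public sharing


def public_sharing(attributes_result: dict) -> tuple[bool, list[str]]:
    """Inspect a DBSnapshotAttributesResult (from describe-db-snapshot-attributes).

    Returns (is_public, account_ids): whether the snapshot is public, and the
    specific account IDs it is shared with (the public marker is excluded)."""
    is_public, accounts = False, []
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue
        for value in attr.get("AttributeValues", []):
            if value == PUBLIC_MARKER:
                is_public = True
            else:
                accounts.append(value)
    return is_public, accounts


def remediation_args(snapshot_id: str) -> dict:
    """Arguments for modify_db_snapshot_attribute that revoke public access only
    (the boto3 equivalent of the CLI command above); other shares are untouched."""
    return {"DBSnapshotIdentifier": snapshot_id,
            "AttributeName": "restore",
            "ValuesToRemove": [PUBLIC_MARKER]}


def audit(client, fix: bool = False) -> list[str]:
    """Return the IDs of this account's public manual snapshots; fix them if asked."""
    public_ids = []
    for page in client.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            sid = snap["DBSnapshotIdentifier"]
            attrs = client.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=sid)["DBSnapshotAttributesResult"]
            is_public, shared_with = public_sharing(attrs)
            if is_public:
                public_ids.append(sid)
                if fix:
                    client.modify_db_snapshot_attribute(**remediation_args(sid))
    return public_ids


# Constructed sample: a snapshot shared publicly and with one (placeholder) account.
SAMPLE_RESULT = {"DBSnapshotIdentifier": "prod-db-final-snapshot",
                 "DBSnapshotAttributes": [{"AttributeName": "restore",
                                           "AttributeValues": ["all", "111111111111"]}]}

if __name__ == "__main__":
    print(public_sharing(SAMPLE_RESULT))
    if boto3 is not None:
        print(audit(boto3.client("rds"), fix=False))
```

Run with fix=True only after reviewing the reported snapshot IDs; the audit reads every snapshot's attributes individually, which is what makes it reliable for snapshots you own, unlike listing with --include-public, which also returns public snapshots from other accounts.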
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | RDS snapshot is not publicly accessible".