Compliance Frameworks
BETA// Beta Mapping Disclaimer
Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.
Overview
Prevent Amazon EBS and RDS snapshots from being configured as publicly restorable across the entire organization using a combination of SCPs (preventative) and AWS Config managed rules with automated remediation (detective and corrective).
A publicly shared EBS or RDS snapshot is immediately accessible to any AWS account worldwide without authentication. The data within - which may include full database dumps, application volumes, secrets embedded in AMIs, or configuration files - is exposed at the snapshot level, bypassing all bucket policies, IAM boundaries, and network controls. This control operates at two layers. The preventative layer uses an SCP applied at the OU or root level to deny the ec2:ModifySnapshotAttribute action when the target group is "all", blocking public sharing before it takes effect. The detective layer deploys the AWS Config managed rules ebs-snapshot-public-restorable-check and rds-snapshots-public-prohibited as organization-level rules from the delegated administrator account, with EventBridge-triggered Lambda remediation to revoke public permissions on any snapshot that reaches a non-compliant state. Security Hub aggregates findings from both Config rules centrally in the security account.
Publicly exposed snapshots are one of the most severe and direct data exfiltration vectors in AWS. Unlike misconfigured S3 buckets, snapshot exposure is binary - there is no partial access model. Any account that can enumerate public snapshots gains full read access to the contained data. Real-world incidents involving accidentally public RDS snapshots have resulted in the exposure of complete production databases. Enforcing this control centrally via SCP removes the dependency on member account teams to configure snapshot permissions correctly, which is particularly important in landing zones with many member accounts and varying security maturity.
Remediation Strategy
Remove public permissions from any non-compliant EBS or RDS snapshot using the AWS CLI or deploy automated Lambda remediation triggered by AWS Config.
Identify public snapshots via CLI discovery or Config compliance details.
Run modify-snapshot-attribute (EBS) or modify-db-snapshot-attribute (RDS) to remove the 'all' group.
Deploy organization-level Config rules with Lambda auto-remediation for continuous enforcement.
# EBS
aws ec2 describe-snapshots \
--region eu-central-1 \
--owner-ids self \
--restorable-by-user-ids all \
--query 'Snapshots[*].{ID:SnapshotId,Time:StartTime,Volume:VolumeId}' \
--output table
# RDS (Manual & Cluster)
aws rds describe-db-snapshots \
--region eu-central-1 \
--snapshot-type manual \
--include-public \
--query 'DBSnapshots[?PubliclyAccessible==`true`].{ID:DBSnapshotIdentifier,Instance:DBInstanceIdentifier,Created:SnapshotCreateTime}' \
--output table
aws rds describe-db-cluster-snapshots \
--region eu-central-1 \
--snapshot-type manual \
--include-public \
--query 'DBClusterSnapshots[?PubliclyAccessible==`true`].{ID:DBClusterSnapshotIdentifier,Cluster:DBClusterIdentifier,Created:SnapshotCreateTime}' \
--output tableEnforcement Logic
Two AWS Config managed rules provide continuous detection by flagging any snapshot where the createVolumePermission or restore attribute includes "all".
# EBS
aws ec2 describe-snapshot-attribute \
--snapshot-id <ID> \
--attribute createVolumePermission \
--query 'CreateVolumePermissions'
# RDS Manual & Cluster
aws rds describe-db-snapshot-attributes \
--db-snapshot-identifier <ID> \
--query 'DBSnapshotAttributesResult.DBSnapshotAttributes'
aws rds describe-db-cluster-snapshot-attributes \
--db-cluster-snapshot-identifier <ID> \
--query 'DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes'Cross-account snapshot sharing with explicitly named AWS account IDs is permitted and is not affected by this control. The SCP condition targets only the group value "all"; sharing with a named account ID proceeds normally through standard IAM and resource-based policies.
Snapshots used for regulated data migration to a trusted partner account may be temporarily shared with that specific account ID under a time-limited change request. Public sharing (group "all") remains prohibited without exception.
The SCP condition for EBS uses ec2:Add/group as the condition key, which is the correct key for ModifySnapshotAttribute actions that add group permissions. Verify this key is supported in your AWS Organizations policy engine version before applying at root level - test on a non-critical OU first. Note that AWS does not emit CloudTrail events when a third party enumerates or restores a public snapshot - exposure prior to remediation is not retroactively detectable through logs alone.