Creating secure snapshots for Instances & volumes

In AWS, snapshots are point-in-time backups of the virtual hard disk drives used by EC2 instances. They are also called Elastic Block Store (EBS) snapshots, because they are taken from EBS volumes, the virtual hard disk drives attached to an instance.

EBS snapshots are a very good way to back up an EC2 instance's virtual hard drive, whether for troubleshooting a point-in-time issue or simply for sharing it with other EC2 instances within your account or publicly. A snapshot can be created for both an EBS volume and an EC2 instance.

Creating an EC2 snapshot is a simple process:

1. From the EC2 page, select Snapshots.

2. Click on Create snapshot.

3. Select the resource type "Instance".

4. Select the instance ID from the list of available instances.

5. Fill in the other information and click on Create snapshot.

By default, a snapshot is created in private mode. This means that you cannot share this snapshot with other AWS accounts without explicitly granting that access. This is the beauty of AWS following the secure design principle of fail-safe defaults: unless access is explicitly granted, it is denied by default.

Now, since this snapshot is not shared with anyone except your own account, there seems to be no problem or security concern. But there are situations where you would like to share a snapshot, for various reasons.

So, how does one make a snapshot public? It's pretty simple.

In the Snapshots page, select the snapshot that you want to make public, open Actions and click on Modify permissions. You can see that this snapshot is currently private; select Public and save.

It's as simple as that to make a snapshot public. At first, creating a public snapshot does not seem to be an issue. The problem is that the power to make a virtual hard disk drive publicly available is scary, all the more so if it contains potentially sensitive data.

Be aware that, like exposed S3 buckets, publicly available snapshots are also continually monitored by hackers and cyber attackers.

I have explained to you how a virtual hard disk drive snapshot can be made public. How do we get an alert if such a snapshot is created in a test or production account?

Simply create a CloudWatch Events rule that triggers an alert when someone creates a public EBS snapshot or modifies an EBS snapshot's permission attribute to public.

Alternatively, if you would like to block a user from modifying the snapshot attribute at all, use the IAM policy below.

[Image: IAM policy denying modification of the snapshot attribute]
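As an added example (not code from the original post, whose IAM policy was only shown as an image), the following Python puts both of the controls described above in one place: the event pattern a CloudWatch Events (now EventBridge) rule would use to alert on a snapshot being made public, a detection function run over constructed CloudTrail records, and an IAM policy that denies the `ec2:ModifySnapshotAttribute` action. The CloudTrail record layout for `ModifySnapshotAttribute` (`requestParameters.createVolumePermission.add.items[].group`), the EventBridge pattern's nested-array matching and all sample records are assumptions constructed for this example.

```python
from typing import Optional

# EventBridge (formerly CloudWatch Events) rule pattern: match the CloudTrail
# record for the EC2 API call that adds group "all" to a snapshot's
# createVolumePermission. Assumption: CloudTrail management events are
# delivered to EventBridge in this account, and the nested list of items is
# matched element-wise by the pattern engine.
PUBLIC_SNAPSHOT_EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["ModifySnapshotAttribute"],
        "requestParameters": {
            "createVolumePermission": {"add": {"items": {"group": ["all"]}}}
        },
    },
}

# IAM policy that stops a principal from changing snapshot sharing at all.
# An explicit Deny wins over any Allow the principal otherwise holds, which is
# the fail-safe behaviour the post relies on. Resource "*" covers every snapshot.
DENY_SNAPSHOT_SHARING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyModifySnapshotAttribute",
            "Effect": "Deny",
            "Action": "ec2:ModifySnapshotAttribute",
            "Resource": "*",
        }
    ],
}


def public_share_in_record(record: dict) -> Optional[str]:
    """Return the snapshot ID if this CloudTrail record grants public access, else None.

    Sharing with a specific account ("userId") is deliberately not flagged;
    only "group": "all" makes the snapshot readable by every AWS account.
    """
    if record.get("eventSource") != "ec2.amazonaws.com":
        return None
    if record.get("eventName") != "ModifySnapshotAttribute":
        return None
    params = record.get("requestParameters") or {}
    added = (params.get("createVolumePermission") or {}).get("add") or {}
    for item in added.get("items") or []:
        if item.get("group") == "all":
            return params.get("snapshotId")
    return None


def find_public_shares(records: list) -> list:
    """Scan a list of CloudTrail records and return one alert dict per public grant."""
    alerts = []
    for rec in records:
        snapshot_id = public_share_in_record(rec)
        if snapshot_id:
            alerts.append({
                "snapshotId": snapshot_id,
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "eventTime": rec.get("eventTime"),
            })
    return alerts


# Constructed sample records (assumed layout; not captured from a real account).
SAMPLE_RECORDS = [
    {   # made public: must alert
        "eventTime": "2020-01-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "snapshotId": "snap-0example0000000001",
            "createVolumePermission": {"add": {"items": [{"group": "all"}]}},
            "attributeType": "CREATE_VOLUME_PERMISSION",
        },
    },
    {   # shared with one specific account: no alert
        "eventTime": "2020-01-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {
            "snapshotId": "snap-0example0000000002",
            "createVolumePermission": {"add": {"items": [{"userId": "444455556666"}]}},
            "attributeType": "CREATE_VOLUME_PERMISSION",
        },
    },
    {   # public access being removed again: no alert
        "eventTime": "2020-01-01T10:10:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "snapshotId": "snap-0example0000000001",
            "createVolumePermission": {"remove": {"items": [{"group": "all"}]}},
            "attributeType": "CREATE_VOLUME_PERMISSION",
        },
    },
]

if __name__ == "__main__":
    import json
    print(json.dumps(find_public_shares(SAMPLE_RECORDS), indent=2))
```

`PUBLIC_SNAPSHOT_EVENT_PATTERN` is what you would paste into the rule's event pattern, with an SNS topic as the target, so the alert fires on the same condition `public_share_in_record` checks. Note that the Deny policy is deliberately blunt: it also blocks sharing a snapshot with a single trusted account, so attach it only to principals who have no business sharing snapshots at all.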

I hope this information has been useful. Thank you for taking the time to read my writeup. I will see you at my next writeup.


Sajal V.

Principal Security Engineer at SplashLearn

5 years

More articles by Santhosh Kumar