Public EBS snapshots mean that any AWS customer can create a volume from the snapshot in the same AWS Region, effectively making the data public.
As a cloud platform, AWS offers virtualised server infrastructure, which requires file systems for storage and operation. AWS's primary block storage service is Elastic Block Store (EBS), which provides file system storage to EC2 instances and other compute services. EBS volumes are virtualised hard drives that are provisioned and managed as required. With physical hard drives it is useful to be able to clone an entire drive onto another, so that a single server set-up can be replicated across multiple servers. EBS offers similar cloning functionality, known as EBS snapshots, whereby the entire EBS volume is copied.
With this in mind, an EBS snapshot is a complete copy of all data stored on an EBS volume. As most EBS volumes are used by EC2 instances for storage and server file systems, snapshots contain a wide range of data, including:
When an EBS snapshot is publicly shared, a master copy of that data becomes available for any AWS customer to use. Any data it contains is then in the public realm, where users can view, copy, or use it without restriction. This is generally only acceptable for open-source software or similar use cases where full data sharing is necessary and intended. In our experience, most publicly shared EBS snapshots are unintentional and are effectively data breaches.
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
Addressing the technical side of public snapshots is simple: the public permission on an EBS snapshot can be revoked, and public sharing can be blocked at the account level so the same scenario cannot recur. However, any snapshot that has already been shared should be considered compromised, because its data has been publicly accessible. It is therefore crucial to assess the impact of the exposure on the organisation across all areas, including intellectual property, customer data, regulatory obligations, credential loss and more. We advise our clients that a publicly shared EBS snapshot in this situation constitutes a data breach and should be treated with the same seriousness.
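The detection and remediation steps described above, as an added example that is not SkySiege's own tooling: it assumes a boto3 EC2 client and the EC2 API calls DescribeSnapshots, DescribeSnapshotAttribute, ModifySnapshotAttribute and EnableSnapshotBlockPublicAccess; FakeEc2 and its snapshot IDs are a constructed stand-in so the logic runs offline.

```python
"""Added example (not SkySiege's or AWS's code): find snapshots in this account
whose createVolumePermission grants the 'all' group, revoke it, then enable block
public access. Use boto3.client("ec2", region_name=...) live; FakeEc2 is constructed."""

def is_public(attr_response):
    """True if the createVolumePermission attribute includes the 'all' group."""
    return any(p.get("Group") == "all"
               for p in attr_response.get("CreateVolumePermissions", []))

def find_public_snapshots(ec2):
    """IDs of snapshots owned by this account that any AWS customer can restore."""
    public, kwargs = [], {"OwnerIds": ["self"]}
    while True:  # follow NextToken so large accounts are fully covered
        page = ec2.describe_snapshots(**kwargs)
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if is_public(attr):
                public.append(snap["SnapshotId"])
        if not page.get("NextToken"):
            return public
        kwargs["NextToken"] = page["NextToken"]

def remediate(ec2, snapshot_ids):
    """Revoke the 'all' grant per snapshot, then block public sharing Region-wide."""
    for sid in snapshot_ids:
        ec2.modify_snapshot_attribute(
            SnapshotId=sid, Attribute="createVolumePermission",
            OperationType="remove", GroupNames=["all"])
    # block-all-sharing also makes already-public snapshots private again, but
    # their data must still be treated as exposed, as the post explains.
    ec2.enable_snapshot_block_public_access(State="block-all-sharing")
    return len(snapshot_ids)

class FakeEc2:
    """Constructed stand-in for boto3's EC2 client: two snapshots, one public."""
    def __init__(self):
        self.public = {"snap-0000public": True, "snap-0000private": False}
        self.block_state = "unblocked"
    def describe_snapshots(self, **kw):
        return {"Snapshots": [{"SnapshotId": s} for s in self.public]}
    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        perms = [{"Group": "all"}] if self.public[SnapshotId] else []
        return {"CreateVolumePermissions": perms}
    def modify_snapshot_attribute(self, SnapshotId, **kw):
        self.public[SnapshotId] = False
    def enable_snapshot_block_public_access(self, State):
        self.block_state = State

if __name__ == "__main__":
    ec2 = FakeEc2()
    print("revoked:", remediate(ec2, find_public_snapshots(ec2)))
```

Run it once per Region with a real client, since both snapshot sharing and the block-public-access setting are Regional.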
If you need help uncovering whether you have any leaked EBS Snapshots or if you need guidance then read more about our Vulnerability Assessment which automatically detects these issues the same day.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.