How to Modify Permissions to EBS Snapshots
Restricting Access to EBS Snapshots
To back up the data on your EBS volumes, you can take snapshots of them, which are sent to S3. These snapshots, as described by AWS, are “incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data. Each snapshot contains all of the information that is needed to restore your data to a new EBS volume.”
While AWS does allow you to make your EBS snapshots public, we recommend restricting access to your EBS snapshots by making them private, unless you have a specific business need that requires a public snapshot. In this demo, AWS expert Mike Wise will teach you how to validate that your EBS snapshots are private.
- From the AWS Management Console, navigate to the EC2 Dashboard, then Snapshots.
- Select an existing snapshot to analyze, then open the Permissions tab.
- Click Edit, which will open a Modify Permissions box. Here, you can set the snapshot to be public or private. All snapshots should be set to Private.
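The console steps above check one snapshot at a time. The following added example (not from the original page or from AWS) runs the same check across every snapshot the account owns, using boto3's `describe_snapshot_attribute` and `modify_snapshot_attribute` calls. The function names, the `StubEC2` stand-in, the `--live` and `--fix` switches, and the snapshot IDs are assumptions made for illustration.

```python
"""Scripted version of the console check: find public EBS snapshots, make them private."""
import sys

def is_public(permissions):
    """The console shows 'Public' when createVolumePermission grants the 'all' group."""
    return any(p.get("Group") == "all" for p in permissions)

def find_public_snapshots(ec2):
    """Return IDs of snapshots owned by this account that anyone can restore."""
    public = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if is_public(attr.get("CreateVolumePermissions", [])):
                public.append(snap["SnapshotId"])
    return public

def make_private(ec2, snapshot_id):
    """Remove only the 'all' group; shares with specific account IDs are kept."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=["all"])

class StubEC2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""
    def __init__(self, perms):
        self.perms = perms  # {snapshot_id: [permission dicts]}
    def get_paginator(self, _name):
        return self
    def paginate(self, **_kwargs):
        return [{"Snapshots": [{"SnapshotId": s} for s in self.perms]}]
    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId, "CreateVolumePermissions": self.perms[SnapshotId]}
    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        if OperationType == "remove":
            self.perms[SnapshotId] = [
                p for p in self.perms[SnapshotId] if p.get("Group") not in GroupNames]

if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # uses your configured credentials and region
        ec2 = boto3.client("ec2")
    else:
        ec2 = StubEC2({"snap-0aaa": [{"Group": "all"}], "snap-0bbb": []})  # constructed
    for sid in find_public_snapshots(ec2):
        print("public:", sid)
        if "--fix" in sys.argv:
            make_private(ec2, sid)
```

Without arguments the script runs against the constructed stub; the check covers only the region the client is configured for, so repeat it per region.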
For a visual guide on how to modify the permissions of EBS snapshots, watch the full demo.
So, you’re going to want to log in as a user that has access to the EC2 console and has appropriate permissions to be able to see what we’re going to look at. You’re going to search for “EC2.” You’re going to go over to “EC2.” Now, you’re going to scroll down on the left-hand side and you’re going to look for the “Snapshots” setting.
As you can see here, we have a snapshot available, so we’re going to look at the permissions on this snapshot. We’re going to go over and click on the “Permissions” tab. Then, we’re going to look at the permissions and it says “This snapshot is currently Private.” This means that it’s not public.
Let’s see how we can identify if a snapshot was public. Let’s edit this. We’re going to make this snapshot public. We’re going to save it. We’re going to refresh the screen. We’ll go back and look at permissions. Now you can see that it says “This snapshot is currently Public.” That means that it’s a publicly available snapshot, which should not be the case. Let’s make this back to private. We’re going to save it. We’re going to go look at the “Volumes”. Now, we’re at private again.
Ensuring that your snapshots aren’t publicly available is a critical part of your security footprint. Making sure that we’re going in and checking that these snapshots are not public and they are marked as private is going to be an important part of that.