lacework-global-370

Relational Database Service (RDS) snapshot should be private (Automated)

Description

This policy checks whether Amazon RDS snapshots are public and fails if a snapshot is public. You can create RDS snapshots to back up the data on your RDS instances at a specific point in time. You use these snapshots to restore previous states of RDS instances.

An RDS snapshot should not be public unless intended. If you share an unencrypted manual snapshot as public, this makes the snapshot available to all AWS accounts. This may result in unintended data exposure of your RDS instance.

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Database > RDS.
  4. Click Snapshots.
  5. Select the applicable snapshot.
  6. Click the Actions drop-down button, and select Share snapshot.
  7. Under DB snapshot visibility, select the Private radio button.
  8. Click Save.

From CLI:

aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all
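As an added example (not code from this policy page or from Lacework), the following Python applies the same test this policy performs to the response shape of `aws rds describe-db-snapshot-attributes` (a snapshot is public when its `restore` attribute contains `all`) and builds the remediation command above. The `scan_manual_snapshots` helper assumes boto3 and AWS credentials are available; the rest runs offline on the constructed sample results.

```python
# Flag publicly shared RDS snapshots from describe-db-snapshot-attributes output
# and build the remediation command. Public == restore attribute contains "all".
from typing import Dict, List

PUBLIC = "all"

def restore_principals(attr_result: Dict) -> List[str]:
    """Account IDs (or 'all') allowed to restore, from a DBSnapshotAttributesResult."""
    for attr in attr_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []

def is_public(attr_result: Dict) -> bool:
    return PUBLIC in restore_principals(attr_result)

def find_public_snapshots(results: List[Dict]) -> List[str]:
    """Identifiers of every result whose restore attribute is open to all accounts."""
    return [r["DBSnapshotIdentifier"] for r in results if is_public(r)]

def remediation_argv(snapshot_id: str) -> List[str]:
    """The CLI call from the Remediation section, as an argv list for subprocess.run."""
    return ["aws", "rds", "modify-db-snapshot-attribute",
            "--db-snapshot-identifier", snapshot_id,
            "--attribute-name", "restore", "--values-to-remove", PUBLIC]

def scan_manual_snapshots(region: str) -> List[str]:
    """Live check (assumes boto3 and AWS credentials): public manual snapshots in one region."""
    import boto3  # imported here so the offline functions above need no AWS SDK
    rds = boto3.client("rds", region_name=region)
    results = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            results.append(resp["DBSnapshotAttributesResult"])
    return find_public_snapshots(results)

# Constructed sample results (not real snapshots): public, shared with one account, private.
SAMPLE_RESULTS = [
    {"DBSnapshotIdentifier": "orders-db-manual-1",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "orders-db-manual-2",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "orders-db-manual-3",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]

if __name__ == "__main__":
    for sid in find_public_snapshots(SAMPLE_RESULTS):
        print(sid, "->", " ".join(remediation_argv(sid)))
```

Only the first sample is flagged: a snapshot shared with a specific account ID is not public, and encrypted snapshots cannot carry the `all` value at all, so the check naturally reports only the unencrypted manual snapshots the Description warns about.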

References

https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-1
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing