AWS EBS snapshot Block Public Access was disabled for an account
Description
AlphaSOC detected that the AWS Elastic Block Store (EBS) Snapshot Block Public Access feature was disabled for an account. This security control prevents public access to EBS snapshots, which are point-in-time copies of EBS volumes that often contain critical data. Disabling this protection could result in unintended exposure of sensitive data stored in EBS volumes.
Impact
Disabling EBS snapshot Block Public Access significantly increases the risk of data exposure. Sensitive information contained within EBS volumes could become publicly accessible, leading to data breaches and compliance violations. Threat actors could leverage this misconfiguration to access, copy, or modify critical data without authorization, compromising the confidentiality and integrity of the organization's cloud resources.
Severity
Severity | Condition |
---|---|
Informational | Disabled AWS EBS snapshot Block Public Access detected |
Investigation and Remediation
Review AWS CloudTrail logs to identify the account and user responsible for the change. Check for any unauthorized EBS snapshot sharing activities. Re-enable Block Public Access immediately and audit all existing EBS snapshots for public accessibility. Revoke any unintended public permissions on snapshots and verify that sensitive data hasn't been exposed or accessed by unauthorized parties.
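As an added illustration of the CloudTrail review described above (not AlphaSOC's detection logic), the following Python sketch pairs each `DisableSnapshotBlockPublicAccess` event with the actor who made it, the matching re-enable, and any snapshot shared with the `all` group while the control was off. The sample records, account IDs, ARNs, snapshot IDs and the `ExampleDenied` error code are constructed, and the `requestParameters` layout for `ModifySnapshotAttribute` is an assumption to confirm against your own trail.

```python
# Constructed CloudTrail records; account IDs, ARNs and snapshot IDs are placeholders.
def _ev(time, name, actor, params=None, region="us-east-1", error=None):
    ev = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
          "awsRegion": region, "recipientAccountId": "111111111111",
          "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{actor}"},
          "requestParameters": params or {}}
    if error:
        ev["errorCode"] = error
    return ev

def _share(snapshot_id, **grantee):
    # Assumed requestParameters layout for ModifySnapshotAttribute.
    return {"snapshotId": snapshot_id, "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [grantee]}}}

SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "ModifySnapshotAttribute", "alice", _share("snap-0aaa", userId="222222222222")),
    _ev("2024-05-01T10:05:00Z", "DisableSnapshotBlockPublicAccess", "bob"),
    _ev("2024-05-01T10:07:00Z", "ModifySnapshotAttribute", "bob", _share("snap-0bbb", group="all")),
    _ev("2024-05-01T10:08:00Z", "ModifySnapshotAttribute", "bob", _share("snap-0ccc", group="all"),
        region="eu-west-1", error="ExampleDenied"),
    _ev("2024-05-01T10:09:00Z", "ModifySnapshotAttribute", "bob", _share("snap-0ddd", userId="222222222222")),
    _ev("2024-05-01T10:30:00Z", "EnableSnapshotBlockPublicAccess", "admin"),
]

def triage(events):
    """Return one finding per disable event, with public shares made while the control was off."""
    findings, open_by_scope = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("errorCode"):  # failed calls changed nothing
            continue
        scope = (ev["recipientAccountId"], ev["awsRegion"])  # the setting is per account and Region
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        if name == "DisableSnapshotBlockPublicAccess":
            finding = {"account": scope[0], "region": scope[1], "actor": ev["userIdentity"]["arn"],
                       "disabled_at": ev["eventTime"], "reenabled_at": None, "public_shares": []}
            findings.append(finding)
            open_by_scope[scope] = finding
        elif name == "EnableSnapshotBlockPublicAccess" and scope in open_by_scope:
            open_by_scope.pop(scope)["reenabled_at"] = ev["eventTime"]
        elif name == "ModifySnapshotAttribute" and scope in open_by_scope:
            items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
            if any(i.get("group") == "all" for i in items):  # "all" means public
                open_by_scope[scope]["public_shares"].append(
                    (params["snapshotId"], ev["userIdentity"]["arn"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

A finding whose `reenabled_at` is still `None` marks a Region where the control remains off; snapshots that were already public before the supplied events begin are not covered and need the separate audit described above.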
Known False Positives
- Temporary disabling for authorized data migration or sharing between AWS accounts
- Legitimate business need for public data sharing
- Testing or development environments where public access is intentionally enabled