Control: AWS > PCI v3.2.1 > EC2 > 1 Amazon EBS snapshots should not be publicly restorable

This control checks whether Amazon Elastic Block Store snapshots are not publicly restorable by everyone, which makes them public. Amazon EBS snapshots should not be publicly restorable by everyone unless you explicitly allow it, to avoid accidental exposure of your company’s sensitive data.

You should also ensure that permission to change Amazon EBS configurations are restricted to authorized AWS accounts only. Learn more about managing Amazon EBS snapshot permissions in the Amazon EC2 User Guide for Linux Instances.

Remediation

1. Open the Amazon EC2 console. 2. In the navigation pane, under Elastic Block Store, choose Snapshots and then select your public snapshot. 3. Choose Permissions tab from metadata view section, click Edit 4. Choose Private in This snapshot is currently 5. Choose Save

PCI requirement(s): 1.2.1, 1.3.1, 1.3.4, 1.3.4, 7.2.1

Resource Types

This control targets the following resource types:

AWS > EC2 > Snapshot

Policies

This control type relies on these other policies when running actions:

AWS > PCI v3.2.1

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/ebsSnapshotNotPubliclyRestorable

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/ebsSnapshotNotPubliclyRestorable") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/ebsSnapshotNotPubliclyRestorable'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/ebsSnapshotNotPubliclyRestorable"