The account-level Block Public Access configuration for EBS snapshots is assessed in each Region to determine whether public sharing is fully blocked (block-all-sharing), whether only new public sharing is blocked (block-new-sharing), or whether sharing is unblocked. The state indicates whether any snapshot in that Region can be publicly shared.
Risk
Without block-all-sharing, snapshots that were already public remain accessible, exposing raw disk data.
Impacts:
- Loss of confidentiality (PII, keys, configs)
- Unauthorized cloning enabling lateral movement
- Cross-account copies create irreversible data leakage
prowler aws --checks ec2_ebs_snapshot_account_block_public_access
prowler aws --checks ec2_ebs_snapshot_account_block_public_access --fixer
Recommendation
Set Block Public Access for EBS snapshots to block-all-sharing in all active Regions.
Apply least privilege and guardrails (SCPs) to prevent changes. Regularly inventory snapshots, remove public sharing, and use segregated accounts with strict reviews for any necessary external sharing.
Remediation
aws ec2 enable-snapshot-block-public-access --state block-all-sharing
- In the AWS console, select the target Region in the top-right.
- Go to EC2 > Snapshots.
- Click Settings > Block public access for snapshots.
- Select Block all sharing.
- Click Save changes.
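The check logic described above, as an added example (not Prowler's own check code): each Region's state is graded, and for a non-compliant Region the snapshots that are still publicly shared are listed, since block-new-sharing leaves existing public snapshots exposed. The response shapes follow the EC2 GetSnapshotBlockPublicAccessState and DescribeSnapshotAttribute APIs; the sample data is constructed and the live collector is an assumed helper that is not run here.

```python
from typing import Dict, List

COMPLIANT_STATE = "block-all-sharing"  # the only state the check accepts


def evaluate_bpa(region: str, response: dict) -> dict:
    """Grade one Region's GetSnapshotBlockPublicAccessState response."""
    state = response.get("State", "unblocked")
    if state == COMPLIANT_STATE:
        return {"region": region, "status": "PASS", "state": state,
                "message": "Public sharing of EBS snapshots is blocked."}
    if state == "block-new-sharing":
        msg = "Only new public sharing is blocked; existing public snapshots stay exposed."
    else:
        msg = "Public sharing of EBS snapshots is not blocked."
    return {"region": region, "status": "FAIL", "state": state, "message": msg}


def public_snapshots(attributes: Dict[str, dict]) -> List[str]:
    """Given {snapshot_id: DescribeSnapshotAttribute response}, return the IDs
    whose createVolumePermission contains the 'all' group (publicly shared)."""
    ids = [snap_id for snap_id, attr in attributes.items()
           if any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))]
    return sorted(ids)


def assess(region_states: Dict[str, dict],
           snapshot_attrs: Dict[str, Dict[str, dict]]) -> List[dict]:
    """Produce one finding per Region, sorted by Region name."""
    findings = []
    for region, resp in sorted(region_states.items()):
        finding = evaluate_bpa(region, resp)
        if finding["status"] == "FAIL":  # inventory what is already exposed
            finding["public_snapshots"] = public_snapshots(snapshot_attrs.get(region, {}))
        findings.append(finding)
    return findings


def fetch_states(regions: List[str]) -> Dict[str, dict]:
    """Live collector (assumed helper, needs boto3 credentials; not run by the sample)."""
    import boto3
    return {r: boto3.client("ec2", region_name=r).get_snapshot_block_public_access_state()
            for r in regions}


# Constructed sample data; no real account or snapshot IDs.
SAMPLE_STATES = {"us-east-1": {"State": "block-all-sharing"},
                 "eu-west-1": {"State": "block-new-sharing"},
                 "ap-south-1": {"State": "unblocked"}}
SAMPLE_ATTRS = {"eu-west-1": {"snap-0aaa": {"CreateVolumePermissions": [{"Group": "all"}]},
                              "snap-0bbb": {"CreateVolumePermissions": [{"UserId": "111122223333"}]}},
                "ap-south-1": {"snap-0ccc": {"CreateVolumePermissions": []}}}

if __name__ == "__main__":
    for finding in assess(SAMPLE_STATES, SAMPLE_ATTRS):
        print(finding)
```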
Resource Type
AwsEc2Volume