Check if RDS Snapshots and Cluster Snapshots are public.
Risk
Publicly accessible services can expose sensitive data to bad actors. It is recommended that your RDS snapshots not be public, in order to prevent leakage or misuse of sensitive data or any other kind of security threat. If an RDS snapshot is public, the data backed up in that snapshot can be restored by any other AWS account.
Run this check with Prowler CLI
prowler aws --checks rds_snapshots_public_access
Fix finding with Prowler CLI fixer
prowler aws --checks rds_snapshots_public_access --fixer
ARN template
arn:aws:rds:region:account-id:snapshot
Remediation
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all
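The following is an added example, not Prowler's own source code: an offline model of what this check evaluates and what the fixer does. A DB snapshot or cluster snapshot is public when its "restore" attribute contains the literal value "all", which is the grant that lets every AWS account restore it. The sample attribute records are constructed to mirror the shape returned by the RDS DescribeDBSnapshotAttributes and DescribeDBClusterSnapshotAttributes APIs; the region, account id and snapshot names are placeholders, and the FakeRdsClient is an assumed stand-in for a boto3 RDS client that exposes the same method names.

```python
"""Offline model of the rds_snapshots_public_access check and its fixer (added example)."""
from typing import Any, Dict, List

# Constructed sample data: one public DB snapshot, one shared with a single
# account (not public), and one public Aurora cluster snapshot.
SAMPLE_SNAPSHOT_ATTRS = [
    {"DBSnapshotIdentifier": "prod-db-2024-01-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "staging-db-shared",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]},
]
SAMPLE_CLUSTER_ATTRS = [
    {"DBClusterSnapshotIdentifier": "aurora-prod-2024-01-01",
     "DBClusterSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
]


def is_public(attributes: List[Dict[str, Any]]) -> bool:
    """True when the 'restore' attribute grants 'all', i.e. any AWS account may restore."""
    for attr in attributes:
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def evaluate(region: str, account_id: str,
             snapshot_attrs: List[Dict[str, Any]],
             cluster_attrs: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Produce one PASS/FAIL finding per snapshot, with the resource ARN."""
    findings = []
    for s in snapshot_attrs:
        ident = s["DBSnapshotIdentifier"]
        findings.append({
            "kind": "snapshot",
            "resource_id": ident,
            "resource_arn": f"arn:aws:rds:{region}:{account_id}:snapshot:{ident}",
            "status": "FAIL" if is_public(s["DBSnapshotAttributes"]) else "PASS",
        })
    for c in cluster_attrs:
        ident = c["DBClusterSnapshotIdentifier"]
        findings.append({
            "kind": "cluster-snapshot",
            "resource_id": ident,
            "resource_arn": f"arn:aws:rds:{region}:{account_id}:cluster-snapshot:{ident}",
            "status": "FAIL" if is_public(c["DBClusterSnapshotAttributes"]) else "PASS",
        })
    return findings


class FakeRdsClient:
    """Assumed stand-in for boto3.client('rds'); records the remediation calls it receives."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def modify_db_snapshot_attribute(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(("modify_db_snapshot_attribute", kwargs["DBSnapshotIdentifier"]))
        return {}

    def modify_db_cluster_snapshot_attribute(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(("modify_db_cluster_snapshot_attribute", kwargs["DBClusterSnapshotIdentifier"]))
        return {}


def fix_all(client: Any, findings: List[Dict[str, str]]) -> int:
    """Remove the public 'all' grant from every FAIL finding; mirrors the CLI remediation above.

    Only the 'all' value is removed, so grants to specific accounts are left intact.
    Returns the number of snapshots remediated.
    """
    fixed = 0
    for f in findings:
        if f["status"] != "FAIL":
            continue
        if f["kind"] == "snapshot":
            client.modify_db_snapshot_attribute(
                DBSnapshotIdentifier=f["resource_id"], AttributeName="restore", ValuesToRemove=["all"])
        else:
            client.modify_db_cluster_snapshot_attribute(
                DBClusterSnapshotIdentifier=f["resource_id"], AttributeName="restore", ValuesToRemove=["all"])
        fixed += 1
    return fixed


if __name__ == "__main__":
    results = evaluate("us-east-1", "123456789012", SAMPLE_SNAPSHOT_ATTRS, SAMPLE_CLUSTER_ATTRS)
    for r in results:
        print(r["status"], r["resource_arn"])
    print("remediated:", fix_all(FakeRdsClient(), results))
```

Against a live account the same functions work with a real boto3 RDS client: feed `evaluate` the `DBSnapshotAttributesResult` / `DBClusterSnapshotAttributesResult` objects returned by `describe_db_snapshot_attributes` and `describe_db_cluster_snapshot_attributes` for each manual snapshot, and pass `boto3.client("rds")` to `fix_all`.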
Use AWS Config to identify any snapshot that is public.
References
https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/RDS/public-snapshots.html
Resource Type
AwsRdsDbSnapshot