RDS DB snapshots and DB cluster snapshots with public visibility (shared with all AWS accounts) are detected.
Snapshots limited to specific accounts or kept private are identified as restricted.
Risk
Public RDS snapshots expose full database copies to all AWS accounts, risking:
- Loss of confidentiality via data exfiltration (PII, secrets)
- Offline cracking of hashes and schema reconnaissance
- Credential harvesting from dumps enabling lateral movement
This directly compromises confidentiality and fuels targeted attacks.
prowler aws --checks rds_snapshots_public_access
prowler aws --checks rds_snapshots_public_access --fixer
Recommendation
Keep RDS snapshots and cluster snapshots private. Share only with explicit AWS account IDs using least privilege and time-bound access.
Enforce guardrails to block public visibility, require approvals for sharing, and audit snapshot permissions. Use encryption with strict key policies to control who can restore data.
Remediation
aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot_id> --attribute-name restore --values-to-remove all
- Open the Amazon RDS console and go to Snapshots
- Select the public snapshot (DB snapshot or DB cluster snapshot)
- Click Actions > Share snapshot
- Set visibility to Private (remove "All" from permissions) and click Save
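The verdict this check produces (public vs. restricted) and the CLI remediation above, as an added example that is not Prowler's own check code: it classifies the `restore` attribute from the inner `DBSnapshotAttributesResult` / `DBClusterSnapshotAttributesResult` object of the boto3 `describe_db_snapshot_attributes` / `describe_db_cluster_snapshot_attributes` responses and builds the equivalent `modify_db_snapshot_attribute` (or cluster variant) call. The sample results and identifiers are constructed so it runs offline.

```python
# Added example (not Prowler's own code): classify the 'restore' attribute of an
# RDS DB / cluster snapshot and build the call that removes public sharing.
from typing import Dict, List, Tuple

PUBLIC = "all"  # value RDS places in the 'restore' attribute of a public snapshot


def restore_accounts(result: Dict) -> List[str]:
    """'restore' values from a DBSnapshotAttributesResult or
    DBClusterSnapshotAttributesResult object (inner dict of the API response)."""
    attrs = result.get("DBSnapshotAttributes") or result.get("DBClusterSnapshotAttributes") or []
    for attr in attrs:
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def classify(result: Dict) -> Tuple[str, List[str]]:
    """'public' when shared with all AWS accounts; otherwise 'restricted'
    (private, or shared only with explicit account IDs), as the check reports."""
    accounts = restore_accounts(result)
    return ("public" if PUBLIC in accounts else "restricted"), accounts


def remediation_call(result: Dict) -> Tuple[str, Dict]:
    """boto3 method name and kwargs equivalent to the CLI remediation
    (--attribute-name restore --values-to-remove all), cluster variant when needed."""
    if "DBClusterSnapshotIdentifier" in result:
        ident = {"DBClusterSnapshotIdentifier": result["DBClusterSnapshotIdentifier"]}
        method = "modify_db_cluster_snapshot_attribute"
    else:
        ident = {"DBSnapshotIdentifier": result["DBSnapshotIdentifier"]}
        method = "modify_db_snapshot_attribute"
    return method, {**ident, "AttributeName": "restore", "ValuesToRemove": [PUBLIC]}


# Constructed sample results in the real response shape (fake identifiers/account).
SAMPLE_RESULTS = [
    {"DBSnapshotIdentifier": "prod-db-nightly",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "prod-db-shared",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBClusterSnapshotIdentifier": "aurora-cluster-nightly",
     "DBClusterSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        status, accounts = classify(r)
        print(status, accounts, remediation_call(r) if status == "public" else "no action")
```

To apply the fix against a live account, pass the returned kwargs to the named method on a `boto3.client("rds")`; a snapshot shared with explicit account IDs keeps those grants, since only the `all` value is removed.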
Source Code
Resource Type
AwsRdsDbSnapshot
References
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/RDS/public-snapshots.html
- https://docs.aws.amazon.com/config/latest/developerguide/rds-snapshots-public-prohibited.html
- https://support.icompaas.com/support/solutions/articles/62000127056-ensure-rds-snapshots-and-cluster-snapshots-are-not-public