Following Snapshot Best Practices


Introduction

Trusted Advisor provides two checks for snapshots: Amazon EBS Public Snapshots and Amazon RDS Public Snapshots. Snapshots can contain sensitive information that shouldn't be accessible to the public. Trusted Advisor will recommend taking action if it detects a public snapshot.

In this lab step, you will follow the Trusted Advisor best practice for EBS snapshots. The process to resolve RDS public snapshot checks is similar to the process for resolving EBS snapshot checks.

 

Instructions

1. Navigate to Recommendations > Security in Trusted Advisor.

 

2. Locate the Amazon EBS Public Snapshots check.

A public EBS snapshot was created in this AWS account when the lab was started.

You may see the check show as green.

This is because EBS and RDS snapshot checks are refreshed at Amazon's discretion several times per day, and they can't be refreshed manually in the Trusted Advisor console. If a check hasn't occurred since you started the lab, the public EBS snapshot won't have been detected by Trusted Advisor yet.

You can still complete the rest of this lab step and see how to resolve the issue that would cause this check to be red.

 

3. Click on the triangle to expand the details.

 

4. Navigate to the EBS Snapshots section of the Amazon EC2 Console.

Note: If the Trusted Advisor check shows as red, you can click the snapshot ID link to go directly to the Amazon EC2 Console.

You will see one snapshot listed.

The snapshot contains important data that should not be exposed to the public. You will take action to limit the availability of the snapshot. If the snapshot was determined to be intentionally exposed to the public, no further action would be needed.

 

6. To verify that the snapshot is currently public, with the snapshot selected, click the Permissions tab.

 

7. Click Modify Permissions.

 

8. In the Modify Permissions dialog, select the Private radio button.

 

9. Click Add account, enter the following and click Add:

  • AWS Account Number: 987654321098 (an arbitrary account number)

You happen to know that the snapshot needs to be shared with that particular account. If you don't add an account, the snapshot is only available to your current AWS account.

 

10. Click Save changes.

At this point, the Trusted Advisor check would detect no problems with the snapshot.

Note: Until it is possible to refresh the check manually, there is no way to verify this except by waiting until an automatic refresh.
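The same change can be scripted, which also gives a way to confirm the snapshot's state without waiting for a Trusted Advisor refresh. The following is an added example, not part of the original lab: the function names and the snapshot ID are assumptions, and `remediate` expects a boto3 EC2 client to be passed in by the caller.

```python
"""Added example: make an EBS snapshot private and share it with named accounts."""

ATTR = "createVolumePermission"  # the snapshot attribute that controls sharing


def is_public(permissions):
    """True if the permission list contains the 'all' group (public)."""
    return any(p.get("Group") == "all" for p in permissions)


def plan_private_share(snapshot_id, permissions, share_with):
    """Return kwargs for EC2 modify_snapshot_attribute, or None if nothing to do.

    permissions: the CreateVolumePermissions list from describe_snapshot_attribute.
    share_with:  account IDs that should keep or gain access (steps 8 and 9).
    Accounts already shared but not listed are left untouched.
    """
    already = {p["UserId"] for p in permissions if "UserId" in p}
    change = {}
    add = [{"UserId": a} for a in share_with if a not in already]
    if add:
        change["Add"] = add
    if is_public(permissions):
        change["Remove"] = [{"Group": "all"}]
    if not change:
        return None
    return {"SnapshotId": snapshot_id, "Attribute": ATTR,
            "CreateVolumePermission": change}


def remediate(ec2, snapshot_id, share_with):
    """Apply the plan with a boto3 EC2 client (boto3.client("ec2")); returns the plan."""
    current = ec2.describe_snapshot_attribute(SnapshotId=snapshot_id, Attribute=ATTR)
    plan = plan_private_share(snapshot_id, current["CreateVolumePermissions"], share_with)
    if plan is not None:
        ec2.modify_snapshot_attribute(**plan)
    return plan


if __name__ == "__main__":
    # Constructed sample: a public snapshot, as the lab creates (ID is a placeholder).
    sample = [{"Group": "all"}]
    print(is_public(sample))
    print(plan_private_share("snap-0123456789abcdef0", sample, ["987654321098"]))
```

Running `remediate` a second time returns `None`, which confirms the snapshot is private and already shared with the intended account.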

 

Summary 

In this lab step, you learned about Trusted Advisor's snapshot checks. You took action to resolve a security issue identified with a snapshot created for you by the Cloud Academy lab environment.