Following Snapshot Best Practices
Trusted Advisor provides two checks for snapshots: Amazon EBS Public Snapshots and Amazon RDS Public Snapshots. Snapshots can contain sensitive information that shouldn't be accessible to the public. Trusted Advisor will recommend taking action if it detects a public snapshot.
In this Lab Step, you will follow the Trusted Advisor best practice for EBS snapshots. The process to resolve RDS public snapshot checks is similar to the process for resolving EBS snapshot checks.
1. Navigate to Dashboard > Security in Trusted Advisor.
2. Locate the Amazon EBS Public Snapshots check.
A public EBS snapshot was created in this AWS account when the lab was started.
You may see the check show as green:
This is because EBS and RDS snapshot checks are refreshed at Amazon's discretion several times per day, and they can't be refreshed manually in the Trusted Advisor console. If a check hasn't occurred since you started the lab, the public EBS snapshot won't have been detected by Trusted Advisor yet.
You can still complete the rest of this lab step and see how to resolve the issue that would cause this check to be red.
3. Click on the triangle to expand the details.
4. Navigate to the EBS Snapshots section of the Amazon EC2 Console.
Note: If you see the Trusted Advisor check as red, you can click the snapshot ID link to go directly to the Amazon EC2 Console.
You will see one snapshot listed:
The snapshot contains important data that should not be exposed to the public. You will take action to limit the availability of the snapshot. If the snapshot was determined to be intentionally exposed to the public, no further action would be needed.
6. To verify that the snapshot is currently public, with the snapshot selected, click the Permissions tab:
7. Click Modify Permissions.
8. In the Modify Permissions dialog, select the Private radio button.
9. Click Add account, enter the following and click Add:
- AWS Account Number: 987654321098 (An arbitrary account number)
You happen to know that the snapshot needs to be shared with that particular account. If you don't Add Permission, the snapshot is only available to your current AWS account.
10. Click Save changes.
At this point, the Trusted Advisor check would detect no problems with the snapshot.
Note: Until it is possible to refresh the check manually, there is no way to verify this except by waiting until an automatic refresh.
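The snapshot's own permissions can be read from the EC2 API without waiting for Trusted Advisor to refresh. The following is an added example, not part of the lab: it classifies a `createVolumePermission` response and builds the requests that make the snapshot private and shared only with an allow-list, going slightly beyond the lab by also revoking accounts not on that list. The snapshot ID and the sample response are constructed, the function names are hypothetical, and the calls assume a boto3 EC2 client.

```python
# Added example: constructed sample data; the snapshot ID below is made up.
ATTRIBUTE = "createVolumePermission"

# Constructed response in the shape returned by
# ec2.describe_snapshot_attribute(SnapshotId=..., Attribute=ATTRIBUTE)
SAMPLE = {
    "SnapshotId": "snap-0123456789abcdef0",  # constructed ID
    "CreateVolumePermissions": [{"Group": "all"}],
}


def is_public(attr):
    """True when the 'all' group may create volumes from the snapshot."""
    return any(p.get("Group") == "all" for p in attr.get("CreateVolumePermissions", []))


def shared_accounts(attr):
    """Account IDs the snapshot is explicitly shared with."""
    return {p["UserId"] for p in attr.get("CreateVolumePermissions", []) if "UserId" in p}


def remediation_plan(attr, allowed_accounts):
    """Build modify_snapshot_attribute requests: private, shared only with allowed_accounts."""
    current, allowed = shared_accounts(attr), set(allowed_accounts)
    remove = [{"Group": "all"}] if is_public(attr) else []
    remove += [{"UserId": a} for a in sorted(current - allowed)]
    add = [{"UserId": a} for a in sorted(allowed - current)]
    # ModifySnapshotAttribute cannot add and remove in one call, so emit one request each.
    return [
        {"SnapshotId": attr["SnapshotId"], "Attribute": ATTRIBUTE,
         "CreateVolumePermission": {op: items}}
        for op, items in (("Remove", remove), ("Add", add)) if items
    ]


def apply_plan(plan, ec2):
    """Send each request; ec2 is a boto3 EC2 client, e.g. boto3.client('ec2')."""
    for request in plan:
        ec2.modify_snapshot_attribute(**request)
    return len(plan)


if __name__ == "__main__":
    print("public:", is_public(SAMPLE))
    for request in remediation_plan(SAMPLE, ["987654321098"]):
        print(request)
```

Running the same check again after `apply_plan` should report the snapshot as not public and produce an empty plan.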
In this Lab Step, you learned about Trusted Advisor's snapshot checks. You took action to resolve a security issue identified with a snapshot created for you by the Cloud Academy Lab environment.