You now have the ability to disable public sharing of new, and optionally existing, Amazon Elastic Block Store (Amazon EBS) snapshots on a per-region, per-account basis. This provides you with another level of protection against accidental or inadvertent data leakage.
EBS Snapshot Review
You have had the power to create EBS snapshots since the launch of EBS in 2008, and have been able to share them privately or publicly since 2009. The vast majority of snapshots are kept private and are used for periodic backups, data migration, and disaster recovery. Software vendors use public snapshots to share trial-use software and test data.
Block Public Sharing
EBS snapshots have always been private by default, with the option to make individual snaps public as needed. If you do not currently use and do not plan to use public snapshots, you can now disable public sharing using the AWS Management Console, AWS Command Line Interface (AWS CLI), or the new EnableSnapshotBlockPublicAccess
function. Using the Console, I visit the EC2 Dashboard and click Data protection and security in the Account attributes box:
Then I scroll down to the new Block public access for EBS snapshots section, review the current status, and click Manage:
I click Block public access, choose Block all public sharing, and click Update:
This is a per-region setting, and it takes effect within minutes. I can see the updated status in the console:
I inspect one of my snapshots in the region, and see that I cannot share it publicly:
As you can see, I still have the ability to share the snapshot with specific AWS accounts.
If I have chosen Block all public sharing, any snapshots that I have previously shared will no longer be listed when another AWS customer calls DescribeSnapshots in pursuit of publicly accessible snapshots.
Things to Know
Here are a couple of really important things to know about this new feature:
Region-Level – This is a regional setting, and must be applied in each region where you want to block the ability to share snapshots publicly.
API Functions & IAM Permissions – In addition to EnableSnapshotBlockPublicAccess
, other functions for managing this feature include DisableSnapshotBlockPublicAccess
and GetSnapshotBlockPublicAccessState
. To use these functions (or their console/CLI equivalents) you must have the ec2:EnableSnapshotBlockPublicAccess
, ec2:DisableSnapshotBlockPublicAccess
, and ec2:GetSnapshotBlockPublicAccessState
IAM permissions.
AMIs – This does not affect the ability to share Amazon Machine Images (AMIs) publicly. To learn how to manage public sharing of AMIs, visit Block public access to your AMIs.
— Jeff;