AWS RDS provides users the capability to create and share database snapshots with other accounts or store them as backup.
However, the same permission page also allows making the snapshot public, which basically means that the snapshot is accessible to any AWS user in that particular region. If a snapshot is accessible, it is possible to create a database instance out of the snapshot. While creating a new instance out of a snapshot, it’s possible to reset the password of the master user. If some confidential data is stored in these public snapshots, it can give any AWS user complete access to the database instance and the data within.
In this article we will take a look at how a public RDS snapshot can be converted into a private snapshot. We will cover how this can be done using the AWS console as well as the AWS CLI
Using AWS console you can follow the steps below to change RDS snapshot from public to private:
Sign in to the AWS Management Console and navigate to RDS dashboard
Navigate to Snapshots in the RDS Dashboard.
Select Manual tab on Snapshots page.
Select the RDS snapshot name that you want to make private.
Click the Actions button from the dashboard top menu and select Share Snapshot option.
On the Snapshot Permissions page, select Private under DB Snapshot Visibility to make the selected snapshot accessible only from the current AWS account. Click Save to apply the changes.
The steps below allow you to change RDS snapshot from public to private using the AWS CLI:
To remove the permissions for restoring database instances from the selected snapshot and make it private
aws rds modify-db-snapshot-attribute --region <value> --db-snapshot-identifier <value> --attribute-name restore --values-to-remove all
When a snapshot is shared publicly, it gives all AWS accounts permission to copy the snapshot and to create DB instances from it. Hence it essential to make sure that when you are sharing a snapshot as public, none of your confidential information is included in the public snapshot.