Kloudle
academy

Restricting access to your RDS snapshots

Riyaz Walikar
#aws#cloudsecurity#rds#snapshot

Introduction

AWS RDS provides users the capability to create and share database snapshots with other accounts or store them as backup.

However, the same snapshot permissions page also allows making the snapshot public, which means that any AWS account in that region can access it. If a snapshot is accessible, a new database instance can be created from it, and while creating that instance the password of the master user can be reset. If confidential data is stored in a public snapshot, any AWS user can therefore gain complete access to the database instance and the data within.

In this article we will take a look at how a public RDS snapshot can be converted into a private snapshot. We will cover how this can be done using the AWS console as well as the AWS CLI.

Changing a public RDS snapshot to private

Using the AWS console, you can follow the steps below to change an RDS snapshot from public to private:

  1. Sign in to the AWS Management Console and navigate to the RDS dashboard.

  2. Navigate to Snapshots in the RDS Dashboard.

    [Screenshot: RDS dashboard navigation panel]

  3. Select the Manual tab on the Snapshots page.

    [Screenshot: RDS manual snapshot]

  4. Select the RDS snapshot name that you want to make private.

  5. Click the Actions button in the dashboard top menu and select the Share Snapshot option.

    [Screenshot: RDS share snapshot]

  6. On the Snapshot Permissions page, select Private under DB Snapshot Visibility so that the selected snapshot is accessible only from the current AWS account. Click Save to apply the changes.

    [Screenshot: Snapshot Permissions set to private]

The steps below allow you to change an RDS snapshot from public to private using the AWS CLI:

  1. To remove the permission to restore database instances from the selected snapshot and make it private, run:

    aws rds modify-db-snapshot-attribute --region <value> --db-snapshot-identifier <value> --attribute-name restore --values-to-remove all

    [Screenshot: rds modify-db-snapshot-attribute output]
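The single CLI command above fixes one snapshot you already know is public. The script below, an added example that is not part of the original article or of Kloudle's tooling, goes one step further: it walks every manual snapshot in a region, reads the `restore` attribute with `describe-db-snapshot-attributes` (the value `all` means public, account IDs mean shared, nothing means private), reports each one, and reverts public snapshots to private with the same `modify-db-snapshot-attribute` call when asked to. The function names and the `RDS_AUDIT_RUN` / `RDS_AUDIT_MODE` environment variables are our own; it assumes the AWS CLI is installed with credentials allowed to describe snapshots and their attributes and to modify snapshot attributes.

```shell
#!/bin/sh
# Audit manual RDS snapshots in one region for public visibility and
# optionally revert them to private. Function names are our own.

# Classify the "restore" attribute values of one snapshot.
# $1: values as printed by `--output text`: empty (or "None") when the
#     snapshot is private, "all" when public, account IDs when shared.
classify_restore_values() {
  vals=$1
  if [ "$vals" = "None" ]; then vals=""; fi
  for v in $vals; do
    if [ "$v" = "all" ]; then echo public; return 0; fi
  done
  if [ -z "$vals" ]; then echo private; else echo shared; fi
}

# Read the restore attribute of a snapshot. $1: region, $2: snapshot id.
restore_values() {
  aws rds describe-db-snapshot-attributes --region "$1" \
    --db-snapshot-identifier "$2" \
    --query 'DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues[]' \
    --output text
}

# Revert a public snapshot to private (the article's remediation command).
make_private() {
  aws rds modify-db-snapshot-attribute --region "$1" \
    --db-snapshot-identifier "$2" --attribute-name restore --values-to-remove all
}

# Report every manual snapshot in a region; fix public ones when $2 is "fix".
audit_region() {
  region=$1; mode=${2:-report}
  for snap in $(aws rds describe-db-snapshots --region "$region" \
      --snapshot-type manual --query 'DBSnapshots[].DBSnapshotIdentifier' \
      --output text); do
    state=$(classify_restore_values "$(restore_values "$region" "$snap")")
    echo "$snap: $state"
    if [ "$state" = public ] && [ "$mode" = fix ]; then
      make_private "$region" "$snap" && echo "$snap: reverted to private"
    fi
  done
}

# Only touch AWS when explicitly asked, so the functions can be sourced offline.
if [ "${RDS_AUDIT_RUN:-0}" = 1 ]; then
  audit_region "${AWS_REGION:-us-east-1}" "${RDS_AUDIT_MODE:-report}"
fi
```

Run it first in report mode (`RDS_AUDIT_RUN=1 AWS_REGION=eu-west-1 sh audit.sh`) to see what is public, then with `RDS_AUDIT_MODE=fix` to revert; note that a public snapshot may also list specific account IDs, which this script leaves in place.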

Conclusion

When a snapshot is shared publicly, it gives all AWS accounts permission to copy the snapshot and to create DB instances from it. Hence it is essential to make sure that, when you share a snapshot as public, none of your confidential information is included in it.
