
RDS Snapshot Exposed to Public or Untrusted Account

Overview

RDS database snapshots often contain sensitive information. Anyone in control of an AWS account with access to this snapshot can view all of the data it holds by copying the snapshot into their own account and/or creating a new RDS instance from it.

Consider deleting the snapshot if it is no longer needed, or refer to the AWS documentation to change its visibility to private and remove any untrusted accounts.

Vendor

AWS

Cloud Service

RDS

Input

{
  "trustAllConnectedAccounts": {
    "label": "Trust All Known Accounts",
    "value": true,
    "type": "boolean",
    "helpText": "If true, all AWS Accounts known to Cloud Defense will be trusted and therefore ignored if found by this check, in addition to any accounts in Trusted Accounts."
  },
  "trustedAccountIds": {
    "label": "Trusted AWS Account IDs",
    "helpText": "A list of AWS Account IDs to trust and therefore ignore if found by this check.",
    "value": [],
    "type": "string[]"
  }
}
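The check described in the Overview, driven by the two inputs above, as an added Python example that is not Cloud Defense's own code: the pure function evaluates one snapshot's sharing attributes against the trusted-account policy, and the boto3 wrapper runs it over every manual snapshot an account owns. The known_account_ids parameter, the sample attribute structure and the 12-digit account IDs in it are assumptions constructed for the example.

```python
from typing import Iterable

PUBLIC = "all"  # the value AWS stores in the 'restore' attribute when a snapshot is public

def find_untrusted_sharing(attrs: dict, trusted_account_ids: Iterable[str],
                           known_account_ids: Iterable[str] = (),
                           trust_all_connected_accounts: bool = False) -> dict:
    """Apply the check to one DBSnapshotAttributesResult; trusted_account_ids and
    trust_all_connected_accounts mirror the check's inputs, known_account_ids
    stands in (assumption) for the tool's inventory of already-known accounts."""
    trusted = set(trusted_account_ids)
    if trust_all_connected_accounts:
        trusted |= set(known_account_ids)
    public, untrusted = False, []
    for attr in attrs.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue  # 'restore' is the attribute that grants copy/restore rights
        for value in attr.get("AttributeValues", []):
            if value == PUBLIC:
                public = True
            elif value not in trusted:
                untrusted.append(value)
    return {"public": public, "untrusted_accounts": sorted(untrusted),
            "finding": public or bool(untrusted)}

def audit_manual_snapshots(trusted_account_ids, known_account_ids=(),
                           trust_all_connected_accounts=False, region_name=None):
    """Live variant: run the check over every manual snapshot this account owns."""
    import boto3  # imported here so the pure check above runs offline
    rds = boto3.client("rds", region_name=region_name)
    findings = {}
    pages = rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual")
    for page in pages:
        for snap in page["DBSnapshots"]:
            ident = snap["DBSnapshotIdentifier"]
            attrs = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=ident)["DBSnapshotAttributesResult"]
            result = find_untrusted_sharing(attrs, trusted_account_ids,
                                            known_account_ids, trust_all_connected_accounts)
            if result["finding"]:
                findings[ident] = result
    return findings

# Constructed sample in the shape of describe_db_snapshot_attributes output;
# the 12-digit account IDs are placeholders, not real accounts.
SAMPLE_ATTRS = {"DBSnapshotAttributes": [
    {"AttributeName": "restore", "AttributeValues": ["all", "111111111111", "222222222222"]}]}
```

To remediate a flagged snapshot, the same boto3 client's modify_db_snapshot_attribute call with AttributeName="restore" and ValuesToRemove listing "all" and the untrusted IDs withdraws the sharing.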

PCI DSS 1.2.1, PCI DSS 1.3.1, PCI DSS 1.3.4, PCI DSS 1.3.6, PCI DSS 7.2.1

RDS.1

References

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html

Severity

5

Item Types

AWS::RDS::DBSnapshot