All cheat sheets
Cost Governancecheat sheet

Trusted Advisor — Public EBS Snapshots

A public EBS snapshot is a disk image of your server any AWS customer can copy — a security incident first, a cleanup second. Making it private stops future access but can't undo copies already made. Rotate exposed credentials, then delete.

Last reviewed: July 14, 2026

TL;DR: A public EBS snapshot is a full disk image of one of your servers that any AWS customer in the world can copy with one CLI call — and it can hold customer PII, hardcoded API keys, source code, or SSH keys. It's a security finding first, a cleanup second. The critical fact: making it private stops future access but does nothing about copies already made during the public window. Treat a confirmed-sensitive one as a breach — rotate credentials, follow incident process — then delete. This check is free even on Basic Support.

The numbers

  • Flagged when CreateVolumePermission includes all (any AWS account can create-volume from it).
  • Almost always accidental and old — a wrong dropdown during AMI sharing, an IaC launch_permission { group_names = ["all"] }, or a years-old "share with the community" experiment; many findings are 2+ years old.
  • Cost is secondary: public snapshots bill like any snapshot (~$0.05/GB-mo), but most are forgotten artifacts, so remediation ends in deletion — a typical audit finds 10–40 snapshots (50–500 GB each) and recovers $30–200/month plus removes major exposure.
  • Field examples: a fintech's first audit found 18 public snapshots (4 with baked-in credentials → treated as incidents); a misconfigured Packer pipeline emitted one public snapshot per week for 47 weeks — fixed in 5 minutes of config.

Do this

  1. Open Trusted Advisor → Security → Amazon EBS Public Snapshots and sort by creation date descending — recent ones most likely hold current credentials.
  2. Make private first (reversible), then decide keep-vs-delete: aws ec2 modify-snapshot-attribute --snapshot-id <id> --create-volume-permission "Remove=[{Group=all}]".
  3. For any that held sensitive data, run breach response — restore to a private volume to inventory contents, rotate every credential that was on disk, follow your incident and regulatory-notification process (clock starts when you knew).
  4. Fix the root cause in IaC — grep Terraform/CloudFormation/Packer for ["all"] / group_names = ["all"] / ami_groups, replace with specific account IDs, add a CI lint that fails builds containing ["all"].
  5. Add prevention: the AWS Config rule ec2-ebs-snapshot-public-restorable-check (detect or auto-remediate) plus an Org SCP denying ec2:ModifySnapshotAttribute with all.

Gotchas

  • Making private ≠ full remediation — anyone who copied it during the public window has an independent copy you can't delete; assume exposure is total within that window.
  • AMIs and snapshots are separate permissions — making an AMI public makes its snapshots public; fixing snapshots doesn't fix the AMI (createVolumePermission vs imagePermission).
  • Encryption is a partial mitigation only — a public encrypted snapshot whose KMS key isn't shared can't be volume-created by outsiders, but never rely on it as the primary control.
  • Trusted Advisor lags ~24h after remediation, and it won't trust your "intentionally public" tags — keep an internal register and skip those in review.

Skip this if

Run this audit with your AI assistant

Paste this into Claude, ChatGPT, or any agent that can run the AWS CLI with read-only credentials. It audits your account for exactly the waste this sheet describes — and changes nothing.

You are auditing an AWS account for public EBS snapshots (a security +
cost finding). Use the AWS CLI with READ-ONLY credentials. Do not create,
modify, or delete anything — report findings and recommended (unapplied)
fixes only.

1. Find public snapshots: aws ec2 describe-snapshots --owner-ids self,
   then for each check describe-snapshot-attribute --attribute
   createVolumePermission for Group=all. Capture id, size, encrypted?,
   creation date, description, source volume.
2. Sensitivity triage: from description + source-volume role, categorize
   each: confirmed-sensitive (prod/DB/credentials), probably-benign
   (test/scratch), or unknown (treat as sensitive). Flag UNENCRYPTED
   public snapshots as highest priority.
3. Exposure facts: note that making private stops FUTURE access only —
   recommend rotating any credentials that lived on the disk and
   following incident process for confirmed-sensitive ones. Check
   CloudTrail ModifySnapshotAttribute for when/who made it public.
4. Prevention: check for AWS Config rule ec2-ebs-snapshot-public-
   restorable-check and any Org SCP denying public-snapshot modification;
   grep IaC for launch_permission group "all".

Report a table: snapshot | size | encrypted? | age | sensitivity | action
(make-private+delete / make-private+keep / incident-response). Change
nothing.
Works with any assistant that can run shell commands.

Want the guided version?

The Trusted Advisor — Public EBS Snapshots walkthrough covers this topic interactively — it asks about your setup, branches to what’s relevant, and quizzes you on the tricky parts. Free and anonymous.

Start the walkthrough