I've been working almost exclusively in the AWS space for about 10 years now. Clients anywhere from tiny little three-person consultancies to Fortune 100. Commercial, govcloud, dozens of clients.

Never once have I ever found a use case for making public EBS snapshots.

Who on Earth is thinking that it is a good idea to take an EBS snapshot and make it public?

Note, several of those engagements did involve multiple accounts, and the need to share / copy AMIs and/or snapshots between accounts. But never making them public.
The creator of the first Ubuntu distros for EC2 wrote about the dangers of public EBS snapshots 10 years ago:

https://alestic.com/2009/09/ec2-public-ebs-danger/

He just got notified by AWS a couple days ago about the public snapshot he mentioned in the article.

But at least AWS is trying to make things better here by proactively checking for public EBS snapshots and notifying people.
Public EBS snapshots are great, and thankfully a design other clouds didn't copy. I've found all kinds of stuff in there, including a 900GB Oracle backup of a publicly traded manufacturer's accounting system. It doesn't require much imagination to understand how this kind of data could be profited from, given relatively low effort.

It seems unlikely a lot of people didn't already know about this, it's hard to miss even if you only spend a few days with the EC2 API, and it's also quite surprising AWS have yet to correct the design. 90% chance it is mostly a UI problem -- there are no warning labels around snapshotting in the EC2 UI.
Oh god, how much I hate articles that don't list their sources. Where are the slides from?

The talk description is here:

https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Morris
AWS Trusted Advisor has warned of this since 2017:

https://aws.amazon.com/about-aws/whats-new/2017/06/aws-trusted-advisor-now-checks-for-public-snapshots-of-amazon-elastic-block-store-ebs-and-amazon-relational-database-service-rds-data/
I just checked an EC2 console and I can see 19,356 snapshots created by other users.

I am so confused.

It would be trivial to make finding a snapshot require knowing a unique ID like an AMI.

And, why do I need to be able to search for 1000s of customers' public snapshots in the EC2 console? What conceivable purpose does that serve except being a giant opsec fail?
I had a simple glance in the console and there are like 20,000 exposed ebs snapshots - available for anyone to copy and examine - I think that's only for a single region too - switch regions to see more.

Amazon should make an emergency decision to make all these private.

Sure it will break stuff but I'd be disappointed if Amazon left what is in effect a security hole open for the sake of backwards compatibility.

They should also give me a single click link when I sign in to show me all of my public ebs snapshots and throw it hard in my face when I sign in to the console so I simply cannot avoid seeing them all.

I have multiple AWS accounts and I just signed in to try to see if I have any public EBS snapshots and then I realised I would need to search *every single region in every single account and then select every snapshot one by one* to find out. That's a huge problem. I need a single click to show me every exposed snapshot across every region in my account.

UPDATE:

I can't say for sure if this is 100% right but I think if you sign in to your AWS account, then click on each of these links, you will find if you have public snapshots.

Maybe someone else could confirm if this is correct?

https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://us-east-2.console.aws.amazon.com/ec2/v2/home?region=us-east-2#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://us-west-1.console.aws.amazon.com/ec2/v2/home?region=us-west-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://us-west-2.console.aws.amazon.com/ec2/v2/home?region=us-west-2#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ca-central-1.console.aws.amazon.com/ec2/v2/home?region=ca-central-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://eu-central-1.console.aws.amazon.com/ec2/v2/home?region=eu-central-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://eu-west-1.console.aws.amazon.com/ec2/v2/home?region=eu-west-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://eu-west-2.console.aws.amazon.com/ec2/v2/home?region=eu-west-2#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://eu-west-3.console.aws.amazon.com/ec2/v2/home?region=eu-west-3#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://eu-north-1.console.aws.amazon.com/ec2/v2/home?region=eu-north-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ap-east-1.console.aws.amazon.com/ec2/v2/home?region=ap-east-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ap-northeast-1.console.aws.amazon.com/ec2/v2/home?region=ap-northeast-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ap-northeast-2.console.aws.amazon.com/ec2/v2/home?region=ap-northeast-2#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ap-northeast-3.console.aws.amazon.com/ec2/v2/home?region=ap-northeast-3#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ap-southeast-1.console.aws.amazon.com/ec2/v2/home?region=ap-southeast-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ap-southeast-2.console.aws.amazon.com/ec2/v2/home?region=ap-southeast-2#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://ap-south-1.console.aws.amazon.com/ec2/v2/home?region=ap-south-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://me-south-1.console.aws.amazon.com/ec2/v2/home?region=me-south-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime

https://sa-east-1.console.aws.amazon.com/ec2/v2/home?region=sa-east-1#Snapshots:visibility=public;ownerAlias=self;sort=desc:startTime
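The region-by-region search the comment above asks for can be done from the API rather than by clicking through the console. This is an added example, not code from the thread or from AWS; it assumes boto3-style EC2 clients and relies on the `RestorableByUserIds=["all"]` filter of DescribeSnapshots (the same condition the AWS Config rule ebs-snapshot-public-restorable-check evaluates), and the FakeEC2 client and snapshot IDs are constructed so it runs offline.

```python
"""Added example (not from the thread): find this account's public EBS snapshots per region."""

def public_snapshot_ids(ec2):
    """Owned snapshots whose createVolumePermission includes the 'all' group,
    i.e. snapshots any AWS account can copy. Follows NextToken pagination."""
    found, kwargs = [], {"OwnerIds": ["self"], "RestorableByUserIds": ["all"]}
    while True:
        page = ec2.describe_snapshots(**kwargs)
        found.extend(s["SnapshotId"] for s in page.get("Snapshots", []))
        if not page.get("NextToken"):
            return found
        kwargs["NextToken"] = page["NextToken"]

def make_private(ec2, snapshot_id):
    """Remediation: remove the 'all' group from createVolumePermission."""
    ec2.modify_snapshot_attribute(SnapshotId=snapshot_id, OperationType="remove",
                                  Attribute="createVolumePermission", GroupNames=["all"])

def audit(client_for_region, regions, fix=False):
    """Return {region: [public snapshot ids]}; with fix=True also remediate."""
    report = {}
    for region in regions:
        ec2 = client_for_region(region)
        ids = public_snapshot_ids(ec2)
        if ids:
            report[region] = ids
            for sid in ids if fix else []:
                make_private(ec2, sid)
    return report

class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the example runs offline."""
    def __init__(self, pages):
        self.pages, self.modified = list(pages), []
    def describe_snapshots(self, **kwargs):
        idx = int(kwargs.get("NextToken", 0))
        page = dict(self.pages[idx])
        if idx + 1 < len(self.pages):
            page["NextToken"] = str(idx + 1)
        return page
    def modify_snapshot_attribute(self, **kwargs):
        self.modified.append(kwargs["SnapshotId"])

# Constructed sample data: one region with a two-page result, one clean region.
FAKES = {"us-east-1": FakeEC2([{"Snapshots": [{"SnapshotId": "snap-0aaa"}]},
                               {"Snapshots": [{"SnapshotId": "snap-0bbb"}]}]),
         "eu-west-1": FakeEC2([{"Snapshots": []}])}

if __name__ == "__main__":
    print(audit(FAKES.get, ["us-east-1", "eu-west-1"]))  # offline demo run
```

For a real run, pass `lambda r: boto3.client("ec2", region_name=r)` as `client_for_region` together with the region names from DescribeRegions; the caller needs ec2:DescribeSnapshots and, for `fix=True`, ec2:ModifySnapshotAttribute.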