EC2 setting 'Block public access for EBS snapshots' should be enabled and enforced by declarative policy

Description

Enabling the EC2 setting ‘Block public access for EBS snapshots’ ensures that EBS snapshots in the account cannot be shared publicly, whether by accident or otherwise. A publicly shared snapshot can be copied and restored into a volume by any AWS account, so this setting prevents inadvertent exposure of the data the snapshot contains. Note: the setting is configured per account and per region, so it must be enabled in every region in use. It can be set to either ‘Block all sharing’, which also withdraws public access from snapshots that are already shared publicly, or ‘Block new sharing’, which only prevents new public sharing and leaves snapshots that are already public accessible until their permissions are changed.

Enforcing this EC2 setting with an AWS Organizations declarative policy adds a further layer of protection: the setting is configured centrally from the organization management account or a delegated administrator account, is applied to every member account in scope, and can no longer be changed locally by those member accounts.

Remediation

For guidance on enabling this EC2 setting, refer to the Block public access for Amazon EBS snapshots section of the Amazon EBS User Guide. For guidance on modifying public access permissions for existing EBS snapshots, refer to the Share an Amazon EBS snapshot with other AWS accounts section of the Amazon EBS User Guide. For guidance on managing declarative policies, refer to the Declarative policies section of the AWS Organizations User Guide.
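The remediation above as a worked example, added here and not taken from the page or from AWS documentation: a POSIX shell script that checks the account-level state, enables the setting if needed, removes the public createVolumePermission from any snapshots that are already public (required when ‘Block new sharing’ is chosen), and creates and attaches a declarative policy. It assumes the AWS CLI v2 with credentials and a default region in the environment; the `ROOT_ID` value, the policy name and the attribute names inside the declarative policy JSON are assumptions to confirm against the Declarative policies reference before use.

```shell
#!/bin/sh
# Added example (not from the original page): enforce and verify
# 'Block public access for EBS snapshots' with the AWS CLI, make any
# already-public snapshots private, then pin the setting with a declarative policy.
# Assumptions: AWS CLI v2 installed, credentials and region in the environment;
# ROOT_ID and the policy name are placeholders.
set -eu

AWS="${AWS:-aws}"                              # command used for every API call (swap in a stub to dry-run)
DESIRED="${DESIRED_STATE:-block-all-sharing}"  # or block-new-sharing

# Does the state reported by GetSnapshotBlockPublicAccessState satisfy the control?
# block-all-sharing always does; block-new-sharing only if that is the chosen mode,
# because it leaves snapshots that are already public exposed.
state_is_compliant() {
  case "$1" in
    block-all-sharing) return 0 ;;
    block-new-sharing) [ "$DESIRED" = "block-new-sharing" ] ;;
    *) return 1 ;;
  esac
}

# Read the current per-account, per-region state (block-all-sharing | block-new-sharing | unblocked).
current_state() {
  $AWS ec2 get-snapshot-block-public-access-state --query State --output text
}

# Turn the setting on for this account and region unless it is already compliant.
enforce_account_setting() {
  state=$(current_state)
  if state_is_compliant "$state"; then
    echo "already compliant: $state"
  else
    $AWS ec2 enable-snapshot-block-public-access --state "$DESIRED" --output text
  fi
}

# Snapshots this account owns that are restorable by everyone ('all' means public).
public_snapshots() {
  $AWS ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all \
    --query 'Snapshots[].SnapshotId' --output text
}

# Remove the public createVolumePermission from each public snapshot.
# block-new-sharing does not touch existing shares, so this step is what closes them.
unshare_public_snapshots() {
  for id in $(public_snapshots); do
    $AWS ec2 modify-snapshot-attribute --snapshot-id "$id" \
      --attribute createVolumePermission --operation-type remove --group-names all
    echo "made private: $id"
  done
}

# Declarative policy content (type DECLARATIVE_POLICY_EC2) that pins the setting
# organization-wide. Assumption: attribute and value names follow the AWS Organizations
# declarative policy reference; confirm there before attaching.
declarative_policy_json() {
  # $1: block_all_sharing | block_new_sharing (underscored form used in the policy)
  printf '{"ec2_attributes":{"snapshot_block_public_access":{"state":{"@@assign":"%s"}}}}\n' "$1"
}

# Create the policy from the management or delegated administrator account and
# attach it to a root or OU ($1, e.g. r-abcd, placeholder).
attach_declarative_policy() {
  policy_id=$($AWS organizations create-policy --name EbsSnapshotBlockPublicAccess \
    --description "Enforce Block public access for EBS snapshots" \
    --type DECLARATIVE_POLICY_EC2 \
    --content "$(declarative_policy_json "$(echo "$DESIRED" | tr '-' '_')")" \
    --query Policy.PolicySummary.Id --output text)
  $AWS organizations attach-policy --policy-id "$policy_id" --target-id "$1"
  echo "attached $policy_id to $1"
}

# Usage: ROOT_ID=r-abcd sh ebs-snapshot-bpa.sh run   (ROOT_ID is a placeholder)
if [ "${1:-}" = "run" ]; then
  enforce_account_setting
  unshare_public_snapshots
  attach_declarative_policy "${ROOT_ID:?set ROOT_ID to the root or OU id}"
fi
```

Run it once per region in use, since the account-level setting is regional; the declarative policy step only has to run once. Setting `AWS` to a stub that echoes its arguments lets you review every call before it is made against a real account.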