AWS-DocumentDB-cluster-snapshots-are-private

Severity: High

Description: This control ensures that no Amazon DocumentDB cluster snapshot is shared publicly. Manual DocumentDB cluster snapshots can be shared privately with specific AWS accounts or made public (automated snapshots cannot be shared directly; they must first be copied to a manual snapshot). A public snapshot can be copied and restored by any AWS account, so anyone who can create an AWS account can stand up a cluster containing the data in that snapshot. Public sharing therefore leaks whatever the database held to unwanted or unauthorized parties; even private sharing should be limited to accounts that actually need the data.

Remediation Steps:

Perform the following steps to make a shared DocumentDB cluster snapshot private:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the Amazon DocumentDB console.

  3. In the navigation pane, choose Snapshots.

  4. Select the snapshot that is shared publicly.

  5. Click the Actions button and select Share Snapshot.

  6. Under Preferences, set DB snapshot visibility to Private.

  7. Check the Delete check box for the entry whose AWS Account ID is all (this is the entry that represents public access; any other account IDs listed are private shares and should be reviewed separately).

  8. Click Save.
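The console procedure above can be scripted for every manual snapshot in a region. The following is an added example, not code from the original control page or from Blue Hexagon: it works on the dict shape the DocumentDB API returns for DescribeDBClusterSnapshotAttributes (the DBClusterSnapshotAttributesResult member) and builds the ModifyDBClusterSnapshotAttribute request that removes the public "all" entry, which is exactly what steps 6 and 7 do. The snapshot identifiers and account ID in SAMPLE_RESULTS are constructed so the script runs offline; live AWS calls happen only with --live (and changes only with --apply) and only if boto3 is importable.

```python
"""Detect and remediate publicly shared Amazon DocumentDB cluster snapshots.

Added example, not part of the original control text. The sample data below
is constructed to mirror the DBClusterSnapshotAttributesResult shape; the
snapshot names and account ID are made up.
"""
import sys

RESTORE_ATTRIBUTE = "restore"  # the only shareable attribute on a cluster snapshot
PUBLIC_MARKER = "all"          # AWS encodes "public" as the account value "all"

# Constructed sample: one public snapshot, one shared with a single account,
# one not shared at all.
SAMPLE_RESULTS = [
    {
        "DBClusterSnapshotIdentifier": "docdb-prod-manual-001",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": RESTORE_ATTRIBUTE, "AttributeValues": ["all"]},
        ],
    },
    {
        "DBClusterSnapshotIdentifier": "docdb-staging-manual-002",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": RESTORE_ATTRIBUTE, "AttributeValues": ["111122223333"]},
        ],
    },
    {
        "DBClusterSnapshotIdentifier": "docdb-dev-manual-003",
        "DBClusterSnapshotAttributes": [
            {"AttributeName": RESTORE_ATTRIBUTE, "AttributeValues": []},
        ],
    },
]


def shared_with(result):
    """Principals the snapshot's restore permission is shared with ("all" = public)."""
    for attr in result.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") == RESTORE_ATTRIBUTE:
            return list(attr.get("AttributeValues", []))
    return []


def is_public(result):
    """True when the restore attribute contains the public marker."""
    return PUBLIC_MARKER in shared_with(result)


def find_public(results):
    """Identifiers of every snapshot in `results` that is shared publicly."""
    return [r["DBClusterSnapshotIdentifier"] for r in results if is_public(r)]


def make_private_request(snapshot_id):
    """kwargs for docdb.modify_db_cluster_snapshot_attribute that revoke public access.

    Only the "all" entry is removed; explicit account shares are left in place,
    matching the console's Delete-the-"all"-row step.
    """
    return {
        "DBClusterSnapshotIdentifier": snapshot_id,
        "AttributeName": RESTORE_ATTRIBUTE,
        "ValuesToRemove": [PUBLIC_MARKER],
    }


def audit_live(client, apply=False):
    """Walk all manual snapshots in the client's region; report (and optionally fix) public ones."""
    public, marker = [], None
    while True:
        kwargs = {"SnapshotType": "manual"}
        if marker:
            kwargs["Marker"] = marker
        page = client.describe_db_cluster_snapshots(**kwargs)
        for snap in page.get("DBClusterSnapshots", []):
            sid = snap["DBClusterSnapshotIdentifier"]
            result = client.describe_db_cluster_snapshot_attributes(
                DBClusterSnapshotIdentifier=sid
            )["DBClusterSnapshotAttributesResult"]
            if is_public(result):
                public.append(sid)
                if apply:
                    client.modify_db_cluster_snapshot_attribute(**make_private_request(sid))
        marker = page.get("Marker")
        if not marker:
            return public


def main(argv):
    if "--live" in argv:
        try:
            import boto3  # optional dependency; only needed for a real audit
        except ImportError:
            print("boto3 is not installed; cannot run a live audit", file=sys.stderr)
            return 2
        public = audit_live(boto3.client("docdb"), apply="--apply" in argv)
    else:
        public = find_public(SAMPLE_RESULTS)
    for sid in public:
        print(f"PUBLIC snapshot {sid}; fix with "
              f"modify_db_cluster_snapshot_attribute(**{make_private_request(sid)})")
    return 1 if public else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to exercise the constructed sample; `--live` audits the current account and region with read-only calls, and `--live --apply` additionally revokes public access. The equivalent AWS CLI remediation for a single snapshot is `aws docdb modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <id> --attribute-name restore --values-to-remove all`. A non-zero exit code when any public snapshot is found makes the script usable as a CI or scheduled compliance check.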

Important:

Reference:

Blue Hexagon Proprietary