Compliance · Critical severity

AWS Security Hub · EC2

EC2.182: A public EBS snapshot exposes an entire disk

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.182 check?

EC2.182 checks the account-level EBS Snapshot Block Public Access (BPA) toggle and fails the account in any region where it is set to unblocked. BPA is a regional switch with three modes — unblocked, block-new-sharing, and block-all-sharing — that overrides per-snapshot createVolumePermission settings.

Why does EC2.182 matter?

A public EBS snapshot is the entire disk, restorable by any AWS account on earth — not metadata, the whole filesystem. Per-snapshot sharing is one API call away (modify-snapshot-attribute Add Group=all) and too easy to misuse, so BPA is the single regional switch that prevents the mistake account-wide, exactly like S3 Block Public Access.

How do I fix EC2.182?

  1. Audit existing public snapshots first with describe-snapshots --owner-ids self --restorable-by-user-ids all in every region — BPA does not retroactively un-share them.
  2. Remove the all group from any already-public snapshot with modify-snapshot-attribute.
  3. Enable BPA in every region: block-all-sharing if you have no cross-account snapshot copies, block-new-sharing if you have known DR or pipeline flows.
  4. Add an SCP denying ec2:DisableSnapshotBlockPublicAccess and the AWS Config rule ec2-ebs-snapshot-block-public-access.
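As an added example (not the page's own remediation script), the four steps above expressed as a per-region plan: given the State returned by get-snapshot-block-public-access-state and the snapshot IDs returned by the describe-snapshots call in step 1, it emits the exact commands for steps 2 and 3 and reports whether each region passes. The region data below is constructed, and the function and variable names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List

PASSING_STATES = {"block-all-sharing", "block-new-sharing"}  # "unblocked" fails EC2.182

@dataclass
class RegionPlan:
    region: str
    bpa_state: str                  # State from get-snapshot-block-public-access-state
    public_snapshot_ids: List[str]  # ids from describe-snapshots --restorable-by-user-ids all
    commands: List[str] = field(default_factory=list)

    @property
    def passes(self) -> bool:
        return self.bpa_state in PASSING_STATES


def plan_region(region: str, bpa_state: str, public_snapshot_ids: List[str],
                keep_cross_account_sharing: bool = False) -> RegionPlan:
    plan = RegionPlan(region, bpa_state, list(public_snapshot_ids))
    # Step 2: enabling BPA does not un-share snapshots that are already public,
    # so each one needs the 'all' group removed explicitly.
    for sid in plan.public_snapshot_ids:
        plan.commands.append(
            f"aws ec2 modify-snapshot-attribute --region {region} --snapshot-id {sid} "
            "--attribute createVolumePermission --operation-type remove --group-names all")
    # Step 3: block-all-sharing unless known DR/pipeline flows need block-new-sharing.
    if not plan.passes:
        mode = "block-new-sharing" if keep_cross_account_sharing else "block-all-sharing"
        plan.commands.append(
            f"aws ec2 enable-snapshot-block-public-access --region {region} --state {mode}")
    return plan


def plan_account(state_by_region: Dict[str, str], public_by_region: Dict[str, List[str]],
                 keep_cross_account_sharing: bool = False) -> List[RegionPlan]:
    # One plan per region in a stable order, so the output can be reviewed and diffed.
    return [plan_region(r, state_by_region[r], public_by_region.get(r, []),
                        keep_cross_account_sharing) for r in sorted(state_by_region)]


# Constructed sample: one region already compliant, one unblocked with a public snapshot.
SAMPLE_BPA_STATE = {"us-east-1": "unblocked", "eu-west-1": "block-new-sharing"}
SAMPLE_PUBLIC_SNAPSHOTS = {"us-east-1": ["snap-0123456789abcdef0"], "eu-west-1": []}

if __name__ == "__main__":
    for p in plan_account(SAMPLE_BPA_STATE, SAMPLE_PUBLIC_SNAPSHOTS):
        print(f"{p.region}: {p.bpa_state} -> {'PASS' if p.passes else 'FAIL'}")
        print("\n".join(p.commands) or "  nothing to do")
```

Review the printed commands before running them; the SCP and Config rule from step 4 are not generated here.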

Remediation script · bash

# Raise backup retention to a 7-day floor on production databases that are below it (skip read replicas).
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# Turn on DynamoDB point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Stop any snapshot in this region from being shared publicly, ever.
# BPA is a regional setting: repeat this call with --region for every enabled region.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.

Is EC2.182 a false positive?

block-all-sharing also blocks legitimate cross-account sharing to specific trusted account IDs, which breaks DR snapshot-copy workflows. If you rely on those, block-new-sharing is the correct mode — it still passes the control while preserving sharing to known accounts.

Part of the learning path Lock down access
  • EC2.1 An EBS snapshot is publicly restorable by any account
  • EC2.2 Default security groups still allow traffic
  • EC2.3 Attached EBS volumes are not encrypted at rest
  • EC2.4 Long-stopped instances are abandoned attack surface
  • EC2.6 No VPC flow logs, so there is no network audit trail
  • EC2.7 New EBS volumes are not encrypted by default
  • EC2.8 IMDSv1 lets an SSRF steal instance credentials
  • EC2.9 Instances are directly reachable on public IPv4
  • EC2.10 EC2 API traffic leaves the VPC over the internet
  • EC2.13 SSH (port 22) is open to the entire internet
  • EC2.14 RDP (port 3389) is open to the entire internet
  • EC2.15 Subnets auto-assign public IPs to new instances