Compliance Critical severity

AWS Security Hub · RDS

RDS.1: An RDS snapshot is shared publicly

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub RDS.1 check?

RDS.1 checks whether a manual RDS snapshot is shared publicly. A snapshot is public when its restore attribute contains the special group all, which lets any AWS account copy or restore it; the control reports FAILED for every such snapshot. It covers manual snapshots of RDS instances and of Aurora, Neptune and DocumentDB clusters. Automated (system) snapshots cannot be shared at all and are out of scope; the only way to share one is to copy it to a manual snapshot first, and that copy is in scope.

Why does RDS.1 matter?

A snapshot is a complete, restorable copy of the database, every row and every PII field, as it stood when the snapshot was taken. A public snapshot hands over the data itself, not an endpoint behind credentials: anyone with an AWS account can restore it into their own account and get a working database with your customers' records inside, and nothing on your side is consulted once all is on the restore attribute. The downstream costs are breach notification, GDPR/HIPAA penalties and legal exposure. The correct count for this finding is zero, always.

How do I fix RDS.1?

  1. Immediately make the snapshot private: aws rds modify-db-snapshot-attribute --db-snapshot-identifier <id> --attribute-name restore --values-to-remove all (for cluster snapshots, modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier <id>; Neptune and DocumentDB use the same command under aws neptune and aws docdb).
  2. Treat the exposure as an incident. CloudTrail in your account shows when the snapshot was made public (the ModifyDBSnapshotAttribute event) and by whom, which gives you the exposure window. It does not show who restored or copied the snapshot: those API calls are logged in the other account's CloudTrail, not yours, so you cannot prove the data was not taken and should assume it was for the whole window.
  3. Share future snapshots only with named account IDs, never the all group.
  4. Add an SCP denying rds:ModifyDBSnapshotAttribute and rds:ModifyDBClusterSnapshotAttribute except for a designated sharing role. IAM has no condition key on the values of the restore attribute, so the policy cannot single out restore=all; it has to deny the action itself and route legitimate cross-account sharing through the exempted role.
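The four steps above as an audit-and-fix loop, added here as an example and not the page's own script: it lists every manual instance and cluster snapshot owned by the account, reads each one's restore attribute, and removes only the all group, so sharing with named account IDs is left intact. The AWS CLI commands used (describe-db-snapshots, describe-db-snapshot-attributes, modify-db-snapshot-attribute and their db-cluster equivalents) are real; the DRY_RUN and RDS1_RUN variables are this example's own convention. Neptune and DocumentDB clusters use the same three cluster commands under aws neptune and aws docdb.

```shell
#!/usr/bin/env bash
# Added example (not the page's own script): audit every manual RDS instance
# and cluster snapshot owned by this account and strip the "all" group from
# the restore attribute wherever it appears. Needs the AWS CLI on PATH with
# credentials for the account. DRY_RUN=1 lists without modifying; RDS1_RUN=1
# actually runs the loop (the guard at the bottom keeps sourcing side-effect free).
set -eu

# Print the restore grantees of one snapshot (account IDs and/or the "all"
# group), whitespace separated. $1 = instance|cluster, $2 = snapshot id.
restore_grantees() {
  case "$1" in
    instance)
      aws rds describe-db-snapshot-attributes \
        --db-snapshot-identifier "$2" \
        --query 'DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues[]' \
        --output text ;;
    cluster)
      aws rds describe-db-cluster-snapshot-attributes \
        --db-cluster-snapshot-identifier "$2" \
        --query 'DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[?AttributeName==`restore`].AttributeValues[]' \
        --output text ;;
  esac
}

# Return 0 when a grantee list contains the "all" group, i.e. the snapshot is
# public. Named account IDs alone are legitimate sharing and do not fail RDS.1.
is_public() {
  for g in $1; do
    [ "$g" = "all" ] && return 0
  done
  return 1
}

# Remove only the "all" group; any named accounts stay on the attribute.
make_private() {
  case "$1" in
    instance)
      aws rds modify-db-snapshot-attribute --db-snapshot-identifier "$2" \
        --attribute-name restore --values-to-remove all >/dev/null ;;
    cluster)
      aws rds modify-db-cluster-snapshot-attribute --db-cluster-snapshot-identifier "$2" \
        --attribute-name restore --values-to-remove all >/dev/null ;;
  esac
}

# Walk the manual snapshots of one kind (automated ones cannot carry the
# attribute), print "kind id" for each public one, and fix it unless DRY_RUN=1.
remediate_kind() {
  local kind ids
  kind="$1"
  if [ "$kind" = instance ]; then
    ids=$(aws rds describe-db-snapshots --snapshot-type manual \
            --query 'DBSnapshots[].DBSnapshotIdentifier' --output text)
  else
    ids=$(aws rds describe-db-cluster-snapshots --snapshot-type manual \
            --query 'DBClusterSnapshots[].DBClusterSnapshotIdentifier' --output text)
  fi
  for id in $ids; do
    if is_public "$(restore_grantees "$kind" "$id")"; then
      echo "$kind $id"
      [ "${DRY_RUN:-0}" = 1 ] || make_private "$kind" "$id"
    fi
  done
}

# Cover both RDS instance snapshots and Aurora cluster snapshots.
remediate_all() {
  remediate_kind instance
  remediate_kind cluster
}

if [ "${RDS1_RUN:-0}" = 1 ]; then
  remediate_all
fi
```

Run it once with DRY_RUN=1 RDS1_RUN=1 to capture the list of public snapshots for the incident record, then with RDS1_RUN=1 alone to fix them. Because every aws call sits behind a small function, the loop can be exercised against a fake aws shell function built from constructed describe output before it is pointed at a real account.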

Related hardening script · bash

# Backup hygiene from the companion backups lesson (RDS.11 territory, not RDS.1):
# raise automated backup retention to at least 7 days on every instance below
# that, skipping read replicas. --no-apply-immediately defers the change to the
# next maintenance window.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?ReadReplicaSourceDBInstanceIdentifier==`null` && BackupRetentionPeriod<`7`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --backup-retention-period 7 --no-apply-immediately
done

# DynamoDB, not RDS: turn on point-in-time recovery (instant, no downtime).
aws dynamodb update-continuous-backups --table-name prod-orders \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Block public sharing of EBS snapshots account-wide. This switch covers
# EC2/EBS snapshots only and has no effect on RDS snapshots, which is why
# RDS.1 needs the SCP from step 4 rather than an account-level setting.
aws ec2 enable-snapshot-block-public-access --state block-all-sharing

Full walkthrough (console steps, edge cases and verification) in the lesson Configure backups and retention.

Is RDS.1 a false positive?

Sharing a snapshot with specific named account IDs is legitimate and does not fail RDS.1; only the all group does. The usual cause is the console "Share snapshot" dialog set to Public instead of Private as a quick favour to a partner or a personal account, so a FAILED result is almost never a false positive. Note that encrypted snapshots cannot be shared as public at all, so enforcing RDS.4 (snapshot encryption) makes this finding impossible rather than merely unlikely.

Part of the learning path Lock down access
  • RDS.2 An RDS instance is publicly accessible from the internet
  • RDS.3 RDS DB instances should be encrypted at rest
  • RDS.4 RDS snapshots should be encrypted at rest
  • RDS.5 RDS DB instances should use multiple AZs
  • RDS.6 RDS lacks enhanced monitoring
  • RDS.7 RDS clusters should have deletion protection
  • RDS.8 RDS DB instances should have deletion protection
  • RDS.9 RDS engine logs are not shipped to CloudWatch
  • RDS.10 RDS relies on long-lived database passwords
  • RDS.11 RDS instances should have automatic backups
  • RDS.12 IAM auth should be configured for RDS clusters
  • RDS.13 RDS is not receiving automatic minor security patches