EBS Volume and Snapshot Exposure

Are your EBS snapshots shared publicly or with unauthorized accounts?

What this looks like in the scanner
securecompass.io/public-exposure-scanner
Critical (snap-0a1b2c3d4e5f6a7b8): EBS snapshot is shared publicly - any AWS account can copy and mount the volume data
High (snap-09d8c7b6a5e4f3d2): Unencrypted EBS snapshot of production database volume shared with external account
Medium (snap-01a2b3c4d5e6f7a8): EBS snapshot shared with AWS account no longer in the organization

What does Amazon EBS public exposure mean?

EBS snapshots can be shared publicly or with specific AWS accounts. A public snapshot means anyone with an AWS account can copy your snapshot, create a volume from it, and read all the data.

Why it matters

EBS volumes often contain operating system data, application code, databases, credentials, and configuration files. A publicly shared snapshot is equivalent to handing someone a copy of your hard drive.

How to check manually

  1. Open the EC2 console → Snapshots and filter for "Public" sharing
  2. Review snapshot permissions for unexpected account IDs
  3. Check for unencrypted snapshots containing sensitive data
  4. Audit automated snapshot sharing policies

Quick check with AWS CLI

Find publicly shared EBS snapshots owned by your account
aws ec2 describe-snapshots --owner-ids self --query "Snapshots[].SnapshotId" --output text | tr '\t' '\n' | xargs -I {} aws ec2 describe-snapshot-attribute --snapshot-id {} --attribute createVolumePermission --query "{SnapshotId:SnapshotId,Public:CreateVolumePermissions[?Group=='all']}" --output json 2>/dev/null
List all snapshots and their encryption status
aws ec2 describe-snapshots --owner-ids self --query "Snapshots[].{Id:SnapshotId,VolumeId:VolumeId,Encrypted:Encrypted,Size:VolumeSize}" --output table
Check sharing permissions for a specific snapshot
aws ec2 describe-snapshot-attribute --snapshot-id YOUR_SNAPSHOT_ID --attribute createVolumePermission
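
To triage the output of the commands above across many snapshots, the following added example (not part of the original page or the scanner's own code) classifies each snapshot using the three severities shown in the scanner sample. The snapshot IDs, account IDs, the ORG_ACCOUNTS allowlist and the exact severity mapping are assumptions made for illustration; the input is constructed data in the JSON shape the CLI returns.

```python
import json

# Constructed sample input (not real resources), in the JSON shapes produced by
# `describe-snapshots` and `describe-snapshot-attribute --attribute createVolumePermission`.
SNAPSHOTS = json.loads("""[
  {"SnapshotId": "snap-public",   "Encrypted": false},
  {"SnapshotId": "snap-external", "Encrypted": false},
  {"SnapshotId": "snap-stale",    "Encrypted": true},
  {"SnapshotId": "snap-internal", "Encrypted": true},
  {"SnapshotId": "snap-private",  "Encrypted": false}
]""")
PERMISSIONS = json.loads("""{
  "snap-public":   [{"Group": "all"}],
  "snap-external": [{"UserId": "999999999999"}],
  "snap-stale":    [{"UserId": "111111111111"}, {"UserId": "888888888888"}],
  "snap-internal": [{"UserId": "111111111111"}],
  "snap-private":  []
}""")
ORG_ACCOUNTS = {"111111111111", "222222222222"}  # assumed allowlist of current org accounts
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}

def classify(snapshot, permissions, org_accounts):
    """Return (severity, detail) for one snapshot, or None if sharing is acceptable."""
    if any(p.get("Group") == "all" for p in permissions):
        return ("Critical", "shared publicly")
    outside = sorted(p["UserId"] for p in permissions
                     if "UserId" in p and p["UserId"] not in org_accounts)
    if not outside:
        return None
    detail = "shared outside the organization with " + ", ".join(outside)
    if not snapshot.get("Encrypted", False):
        return ("High", "unencrypted and " + detail)
    return ("Medium", detail)

def audit(snapshots, permissions, org_accounts):
    """Classify every snapshot and return findings sorted by severity, then ID."""
    findings = []
    for snap in snapshots:
        # Missing permission data raises KeyError rather than passing silently.
        result = classify(snap, permissions[snap["SnapshotId"]], org_accounts)
        if result:
            findings.append((result[0], snap["SnapshotId"], result[1]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

if __name__ == "__main__":
    for severity, snap_id, detail in audit(SNAPSHOTS, PERMISSIONS, ORG_ACCOUNTS):
        print(f"{severity:8} {snap_id:14} {detail}")
```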

Common misconfigurations

Snapshot permissions set to Public instead of Private
Snapshots shared with accounts no longer in your organization
Unencrypted snapshots of production volumes
Automated backup policies creating public snapshots
