Prevent EBS snapshots from becoming public

[KevinHock]

Encryption makes this unnecessary, but for completeness.

From the ec2:ModifySnapshotAttribute docs:

# Example
This example makes the snap-1234567890abcdef0 snapshot public, and gives the account with ID 111122223333 permission to create volumes from the snapshot.

# Sample Request
https://ec2.amazonaws.com/?Action=ModifySnapshotAttribute
&SnapshotId=snap-1234567890abcdef0
&CreateVolumePermission.Add.1.UserId=111122223333
&CreateVolumePermission.Add.1.Group=all
&AUTHPARAMS

[KevinHock]

Maybe impossible? cc @jdyke

aws:ResourceTag/${TagKey}
ec2:Owner
ec2:ParentVolume
ec2:Region
ec2:ResourceTag/${TagKey}
ec2:SnapshotTime
ec2:VolumeSize

from the condition keys https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

🤔

[mikefuller]

@KevinHock, I have been doing some investigating on this and I'm not sure we can quite do what you are looking for. It is possible to create an SCP that prevents all snapshot permission modifications using a null check on the ec2:Attribute/CREATE_VOLUME_PERMISSION condition.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "DenyEbsPublicSnapshot",
			"Effect": "Deny",
			"Action": "ec2:ModifySnapshotAttribute",
			"Resource": "arn:aws:ec2:*::snapshot/*",
			"Condition": {
				"Null": {
					"ec2:Attribute/CREATE_VOLUME_PERMISSION": "true"
				}
			}
		}
	]
}

This allows us to filter on someone attempting to make any permission change. But there is no condition key available that I can find to filter on the Group=all attribute value that would limit the deny statement to only Public sharing modifications. I think in most cases you wouldn't want to filter out all permission changes because it may be entirely legitimate to share a volume with another account.

If you have any other ideas definitely let us know and we can try them out.

[KevinHock]

Makes sense, thank you @mikefuller !!