New RDS snapshot sharing raises cloud security concerns

AWS added features such as an EC2 Run Command and the ability to share RDS snapshot data between accounts -- giving some users reason for concern about security.

RDS snapshot data can now be shared between AWS accounts and also publicly, prompting security worries for some users.

RDS snapshot sharing, made available by Amazon Web Services (AWS) last month, included the statement that RDS snapshot data can be marked by the user as public, "so that any RDS user can restore a database containing your data."

Amazon touted this as a way to easily share research data with business partners, but some IT professionals worry about unintended consequences with the feature.

"Cross-account snapshot sharing does look like a great resource to make it easier to share data," said Aaron Robertson, technical analyst at Distributed Information Technologies Inc., an IT professional services company based in Arlington, Va. "What worries me is that it introduces another avenue for businesses to leak sensitive data."

After using AWS for some time, Robertson said he has noticed people continually probe AWS resources for security lapses.

"Seeing that an AWS user could easily mark sensitive data as public, this could potentially lead to some serious security breaches," Robertson said.

AWS has, however, added some safeguards to make clear the risks when users mark an RDS snapshot as public. In the user interface, there is a message with a checkbox that states: "I agree that by clicking 'save' my data will be available to all users." This was done so customers only do this intentionally.

To prevent a particular user or set of users from sharing RDS snapshots, customers can also specify an IAM policy to restrict certain users from being able to share snapshots while still retaining the ability to perform other RDS actions. If a customer wants to detect that a user has shared a snapshot -- even if they removed the shared snapshot after the fact -- the customer can either check the current snapshot attributes using the RDS API or use AWS CloudTrail to detect modifications to a particular snapshot.
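The three controls described above, written out as an added example (not code from the article or from AWS): an IAM deny statement for the sharing call, a check of the snapshot's current "restore" attribute as returned by DescribeDBSnapshotAttributes, and a scan of CloudTrail records for ModifyDBSnapshotAttribute calls that added "all". The response and record shapes follow the documented AWS forms; the snapshot name, account IDs and timestamps are constructed samples.

```python
# Constructed sample: shape of a DescribeDBSnapshotAttributes response.
# A "restore" value of "all" means any AWS account can restore the snapshot.
SAMPLE_ATTRIBUTES = {
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "example-prod-db-snap",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["111122223333", "all"]},
        ],
    }
}

# Constructed sample CloudTrail records. The second record reverts the share,
# which is exactly the case the current-attribute check alone would miss.
SAMPLE_TRAIL = [
    {"eventTime": "2015-11-03T10:15:00Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"dBSnapshotIdentifier": "example-prod-db-snap",
                           "attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventTime": "2015-11-03T10:20:00Z", "eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"dBSnapshotIdentifier": "example-prod-db-snap",
                           "attributeName": "restore", "valuesToRemove": ["all"]}},
]

def restore_principals(attributes_result):
    """Account IDs allowed to restore the snapshot; 'all' marks it public."""
    for attr in attributes_result["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
        if attr["AttributeName"] == "restore":
            return list(attr["AttributeValues"])
    return []

def is_public(attributes_result):
    return "all" in restore_principals(attributes_result)

def public_share_events(records):
    """(caller ARN, snapshot id, time) for every call that made a snapshot
    public, whether or not the share was removed again afterwards."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "ModifyDBSnapshotAttribute":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("attributeName") == "restore" and "all" in params.get("valuesToAdd", []):
            hits.append((rec["userIdentity"]["arn"], params["dBSnapshotIdentifier"], rec["eventTime"]))
    return hits

def deny_sharing_policy():
    """IAM policy that blocks sharing while leaving other RDS actions allowed."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "rds:ModifyDBSnapshotAttribute", "Resource": "*"}]}
```

Attach the deny policy to the users who should not share, and run the CloudTrail scan on a schedule rather than relying on the attribute check alone, since a share that is later removed leaves no trace in the current attributes.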

One of the best uses for this feature would be to create a data schema in a development account, then snapshot it and share it with the production account, said Adam Book, senior cloud architect for Relus Technologies LLC, a cloud consulting firm in Peachtree Corners, Ga.

However, security was also top of mind for Book as he explored the new feature.

"An important thing to note is that this only works with unencrypted instances ... since different accounts would use different encryption keys [from] the [key management system]," Book said.

Snapshot sharing is free and works across regions, but does not apply to the China (Beijing) region or to AWS GovCloud (US).

New EC2 Run Command 'nice to have'

Among other incremental updates to AWS is new support on the Elastic Compute Cloud (EC2) for a Windows-based Run Command, Amazon's answer to the Remote Desktop Protocol for remote access to instances for efficient administration. However, Amazon claims in its blog this feature is easier to use and more secure than Remote Desktop Protocol.  

"I can see us using this functionality, especially on some of our EC2 instances that require maintenance tasks -- running the same command across multiple instances just became a lot easier," said Kevin Felichko, CTO of, an online auction company based in Frederick, Md. "It is a nice feature to have."

Consultants also felt their clients would be interested in the new EC2 Run Command.

"It will be very useful for system administrators and will remove quite a bit of the grunt work in performing upgrades and making changes to multiple servers," said Daniel Heacock, a consultant with c3/consulting, an IT consulting and managed services firm in Nashville, Tenn. 

Still, it might be best avoided by IT shops that want to avoid AWS lock-in, according to Heacock.

"Essentially this allows the admin to move more of the administration and monitoring burden into the AWS console, which could be seen as part of Amazon's ploy to increase vendor dependency," he said.

Customers can use Run Command today in the US East (Northern Virginia), US West (Oregon), and Europe (Ireland) regions. The feature is free of charge.  

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter.