

# Block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots"></a>

To prevent public sharing of your snapshots, you can enable *block public access for snapshots*. After you enable block public access for snapshots in a Region, any attempt to publicly share snapshots in that Region is automatically blocked. This can help you to improve the security of your snapshots and to protect your snapshot data from unauthorized or unintended access.

Block public access for snapshots can be enabled in one of two modes:
+ **Block all sharing** — Blocks all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
+ **Block new sharing** — Blocks only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

**Considerations**

Keep the following in mind when working with block public access for snapshots.
+ Block public access for snapshots does not prevent private snapshot sharing.
+ Enabling block public access for snapshots in *block all sharing* mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.

  If you later disable block public access or change the mode to *block new sharing*, these snapshots will become publicly available again.
+ Block public access for snapshots is a Regional setting. It applies to all snapshots in the Region in which it is enabled. You need to enable block public access for snapshots in each Region in which you want to prevent the public sharing of your snapshots.
+ Block public access is an account-level setting. It applies to all users, including administrator users, in the account. You can't enable block public access for snapshots at the organization level.
+ The block public access setting is configured either directly in the account or by using a declarative policy. Using a declarative policy allows you to apply the setting across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the setting directly within an account. This topic describes how to configure the setting directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.
+ Block public access for snapshots does not prevent the public sharing of EBS-backed AMIs. If you enable block public access for snapshots, users can still publicly share EBS-backed AMIs. If an EBS-backed AMI is publicly shared, users with access to that AMI can create volumes from its associated snapshots. To prevent public sharing of your AMIs, enable *[block public access for AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html#block-public-access-to-amis)*.
+ Block public access for snapshots is not supported with local snapshots on AWS Outposts.

**Pricing**  
Block public access for snapshots can be enabled at no additional cost.

**Contents**
+ [IAM permissions](block-public-access-snapshots-perms.md)
+ [Configure block public access](block-public-access-snapshots-enable.md)
+ [View block public access setting](block-public-access-snapshots-view.md)
+ [Disable block public access](block-public-access-snapshots-disable.md)
+ [Monitor block public access](block-public-access-snapshots-events.md)

# IAM permissions for block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots-perms"></a>

By default, users don't have permission to work with block public access for snapshots. To allow users to work with block public access for snapshots, you must create IAM policies that grant permission to use specific API actions. Once the policies are created, you must add permissions to your users, groups, or roles.

To work with block public access for snapshots, users need the following permissions.
+ `ec2:EnableSnapshotBlockPublicAccess` — Enable block public access for snapshots and modify the mode.
+ `ec2:DisableSnapshotBlockPublicAccess` — Disable block public access for snapshots.
+ `ec2:GetSnapshotBlockPublicAccessState` — View the block public access for snapshots setting for a Region.

The following is an example IAM policy. If some permissions are not needed, you can remove them from the policy.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:EnableSnapshotBlockPublicAccess",
            "ec2:DisableSnapshotBlockPublicAccess",
            "ec2:GetSnapshotBlockPublicAccessState"
        ],
        "Resource": "*"
    }]
}
```

------

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Configure block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots-enable"></a>

Enable block public access for snapshots to prevent the public sharing of snapshots in the Region. After this feature is enabled, requests to publicly share snapshots in the Region are blocked.

**Important**  
Enabling block public access for snapshots in *block all sharing* mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.  
If you later disable block public access or change the mode to *block new sharing*, these snapshots will become publicly available again.

**Note**  
This setting is configured at the account level, either directly in the account or by using a declarative policy. It must be configured in each AWS Region where you want to prevent the public sharing of snapshots. Using a declarative policy allows you to apply the setting across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the setting directly within an account. This topic describes how to configure the setting directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.

------
#### [ Console ]

**To configure block public access for snapshots**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **EC2 Dashboard**, and then in **Account attributes** (on the right-hand side), choose **Data protection and security**.

1. In the **Block public access for EBS snapshots** section, choose **Manage**.

1. Select **Block public access** and then choose one of the following options:
   + **Block all public access** — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
   + **Block new public sharing** — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

1. Choose **Update**.

------
#### [ AWS CLI ]

**To enable or modify block public access for snapshots**  
Use the [enable-snapshot-block-public-access](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-snapshot-block-public-access.html) command. For `--state` specify one of the following values:
+ `block-all-sharing` — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
+ `block-new-sharing` — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

**To enable or modify block public access for snapshots for a specific Region**

```
aws ec2 enable-snapshot-block-public-access \
    --state block-new-sharing \
    --region us-east-1
```

The following is example output.

```
{
    "State": "block-new-sharing"
}
```

**To enable or modify block public access for snapshots for all Regions**

```
echo -e "Region   \t Public Access State" ; \
echo -e "-------------- \t ----------------------" ; \
for region in $(
    aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text
    ); 
    do (output=$(
        aws ec2 enable-snapshot-block-public-access \
            --region $region \
            --state block-new-sharing \
            --output text)
        echo -e "$region \t $output" 
    );
done
```

The following is example output.

```
Region           Public Access State
--------------   ----------------------
ap-south-1       block-new-sharing
eu-north-1       block-new-sharing
eu-west-3        block-new-sharing
...
```

------
#### [ PowerShell ]

**To enable or modify block public access for snapshots**  
Use the [Enable-EC2SnapshotBlockPublicAccess](https://docs.aws.amazon.com/powershell/latest/reference/items/Enable-EC2SnapshotBlockPublicAccess.html) cmdlet. For `-State` specify one of the following values:
+ `block-all-sharing` — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.
+ `block-new-sharing` — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

**To enable or modify block public access for snapshots for a specific Region**

```
Enable-EC2SnapshotBlockPublicAccess `
    -Region us-east-1 `
    -State block-new-sharing
```

The following is example output.

```
Value
-----
block-new-sharing
```

**To enable or modify block public access for snapshots for all Regions**

```
(Get-EC2Region -Region us-east-1).RegionName | `
    ForEach-Object {
    [PSCustomObject]@{
        Region            = $_
        PublicAccessState = (
            Enable-EC2SnapshotBlockPublicAccess `
                -Region $_ `
                -State block-new-sharing)
    }
} | Format-Table -AutoSize
```

The following is example output.

```
Region         PublicAccessState
------         -----------------
ap-south-1     block-new-sharing
eu-north-1     block-new-sharing
eu-west-3      block-new-sharing
...
```

------

# View the block public access setting for Amazon EBS snapshots
<a name="block-public-access-snapshots-view"></a>

Block public access can be in one of the following states for each Region in your account.
+ **Block all sharing** — All public sharing of your snapshots is blocked. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are not publicly available.
+ **Block new sharing** — Only new public sharing of your snapshots is blocked. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.
+ **Unblocked** — Public sharing is not blocked. Users can publicly share snapshots.

------
#### [ Console ]

**To view the setting for block public access for snapshots**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **EC2 Dashboard**, and then in **Account attributes** (on the right-hand side), choose **Data protection and security**.

1. The **Block public access for EBS snapshots** section shows the current setting.

------
#### [ AWS CLI ]

**To view the setting for block public access for snapshots**  
Use the [get-snapshot-block-public-access-state](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-snapshot-block-public-access-state.html) command.
+ For a specific Region

  ```
  aws ec2 get-snapshot-block-public-access-state
  ```

  The following is example output. The `ManagedBy` field indicates the entity that configured the setting: `account` means that the setting was configured directly in the account, and `declarative-policy` means that it was configured by a declarative policy. For more information, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.

  ```
  {
      "State": "unblocked",
      "ManagedBy": "account"
  }
  ```
+ For all Regions

  ```
  echo -e "Region   \t Public Access State" ; \
  echo -e "-------------- \t ----------------------" ; \
  for region in $(
      aws ec2 describe-regions \
          --region us-east-1 \
          --query "Regions[*].[RegionName]" \
          --output text
      ); 
      do (output=$(
          aws ec2 get-snapshot-block-public-access-state \
              --region $region \
              --output text)
          echo -e "$region \t $output" 
      );
  done
  ```

  The following is example output.

  ```
  Region           Public Access State
  --------------   ----------------------
  ap-south-1       unblocked
  eu-north-1       unblocked
  eu-west-3        unblocked
  ```

------
#### [ PowerShell ]

**To view the setting for block public access for snapshots**  
Use the [Get-EC2SnapshotBlockPublicAccessState](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-EC2SnapshotBlockPublicAccessState.html) cmdlet.
+ For a specific Region

  ```
  Get-EC2SnapshotBlockPublicAccessState -Region us-east-1
  ```

  The following is example output.

  ```
  Value
  -----
  block-new-sharing
  ```
+ For all Regions

  ```
  (Get-EC2Region -Region us-east-1).RegionName | `
      ForEach-Object {
      [PSCustomObject]@{
          Region            = $_
          PublicAccessState = (Get-EC2SnapshotBlockPublicAccessState -Region $_)
      }
  } | Format-Table -AutoSize
  ```

  The following is example output.

  ```
  Region         PublicAccessState
  ------         -----------------
  ap-south-1     unblocked
  eu-north-1     unblocked
  eu-west-3      unblocked
  ...
  ```

------

# Disable block public access for Amazon EBS snapshots
<a name="block-public-access-snapshots-disable"></a>

Disable block public access for snapshots to allow public sharing of snapshots in the Region. After this feature is disabled, users can publicly share snapshots in the Region.

**Important**  
Enabling block public access for snapshots in *block all sharing* mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.  
If you disable block public access, these snapshots will become publicly available again.

**Note**  
This setting is configured at the account level, either directly in the account or by using a declarative policy. It must be configured in each AWS Region where you want to allow the public sharing of snapshots. Using a declarative policy allows you to apply the setting across multiple Regions simultaneously, as well as across multiple accounts simultaneously. When a declarative policy is in use, you can't modify the setting directly within an account. This topic describes how to configure the setting directly within an account. For information about using declarative policies, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the *AWS Organizations User Guide*.

------
#### [ Console ]

**To disable block public access for snapshots**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **EC2 Dashboard**, and then in **Account attributes** (on the right-hand side), choose **Data protection and security**.

1. In the **Block public access for EBS snapshots** section, choose **Manage**.

1. Clear **Block public access** and choose **Update**.

------
#### [ AWS CLI ]

**To disable block public access for snapshots**  
Use the [disable-snapshot-block-public-access](https://docs.aws.amazon.com/cli/latest/reference/ec2/disable-snapshot-block-public-access.html) command.
+ For a specific Region

  ```
  aws ec2 disable-snapshot-block-public-access --region us-east-1
  ```

  The following is example output.

  ```
  {
      "State": "unblocked"
  }
  ```
+ For all Regions

  ```
  echo -e "Region   \t Public Access State" ; \
  echo -e "-------------- \t ----------------------" ; \
  for region in $(
      aws ec2 describe-regions \
          --region us-east-1 \
          --query "Regions[*].[RegionName]" \
          --output text
      ); 
      do (output=$(
          aws ec2 disable-snapshot-block-public-access \
              --region $region \
              --output text)
          echo -e "$region \t $output" 
      );
  done
  ```

  The following is example output.

  ```
  Region           Public Access State
  --------------   ----------------------
  ap-south-1       unblocked
  eu-north-1       unblocked
  eu-west-3        unblocked
  ```

------
#### [ PowerShell ]

**To disable block public access for snapshots**  
Use the [Disable-EC2SnapshotBlockPublicAccess](https://docs.aws.amazon.com/powershell/latest/reference/items/Disable-EC2SnapshotBlockPublicAccess.html) cmdlet.
+ For a specific Region

  ```
  Disable-EC2SnapshotBlockPublicAccess -Region us-east-1
  ```

  The following is example output.

  ```
  Value
  -----
  unblocked
  ```
+ For all Regions

  ```
  (Get-EC2Region -Region us-east-1).RegionName | `
      ForEach-Object {
      [PSCustomObject]@{
          Region            = $_
          PublicAccessState = (Disable-EC2SnapshotBlockPublicAccess -Region $_)
      }
  } | `
  Format-Table -AutoSize
  ```

  The following is example output.

  ```
  Region         PublicAccessState
  ------         -----------------
  ap-south-1     unblocked
  eu-north-1     unblocked
  eu-west-3      unblocked
  ...
  ```

------

# Monitor block public access for Amazon EBS snapshots using EventBridge
<a name="block-public-access-snapshots-events"></a>

Amazon EBS emits events related to block public access for snapshots. You can use AWS Lambda and Amazon EventBridge to handle event notifications programmatically. Events are emitted on a best effort basis. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html).

The following events are emitted:
+ Enable block public access for snapshots in block all sharing mode

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Block Public Access Enabled",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2019-05-31T21:49:54Z",
    "region": "us-east-1",
    "detail": { 
      "SnapshotBlockPublicAccessState": "block-all-sharing",
      "message": "Block Public Access was successfully enabled in 'block-all-sharing' mode"
    }
  }
  ```
+ Enable block public access for snapshots in block new sharing mode

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Block Public Access Enabled",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2019-05-31T21:49:54Z",
    "region": "us-east-1",
    "detail": { 
      "SnapshotBlockPublicAccessState": "block-new-sharing",
      "message": "Block Public Access was successfully enabled in 'block-new-sharing' mode"
    }
  }
  ```
+ Disable block public access for snapshots

  ```
  {
    "version": "0",
    "id": "01234567-0123-0123-0123-012345678901",
    "detail-type": "EBS Snapshot Block Public Access Disabled",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2019-05-31T21:49:54Z",
    "region": "us-east-1",
    "detail": { 
      "SnapshotBlockPublicAccessState": "unblocked",
      "message": "Block Public Access was successfully disabled"
    }
  }
  ```
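
The following is an added example, not code from the AWS documentation, that puts the per-Region `get-snapshot-block-public-access-state` output and the EventBridge events above to use: it ranks each state (treating `block-new-sharing` as weaker because previously shared snapshots stay public), turns one event into a finding the way a Lambda handler would, and reports every Region that is not in `block-all-sharing` mode along with who manages the setting. The `EVENT_PATTERN` rule, the severity labels and all sample inputs are assumptions constructed for the example; no AWS calls are made.

```python
"""Added example, not from the AWS documentation: rank the block public
access state for EBS snapshots from (a) the per-Region output of
get-snapshot-block-public-access-state and (b) the EventBridge events
listed above. No AWS calls are made; all inputs are constructed samples."""

# block-new-sharing leaves snapshots that were already public available,
# so it ranks below block-all-sharing; unblocked is a failed control.
STATE_RISK = {"block-all-sharing": "ok", "block-new-sharing": "warn",
              "unblocked": "fail"}

# Hypothetical EventBridge rule pattern for the two detail-types the page lists.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EBS Snapshot Block Public Access Enabled",
                    "EBS Snapshot Block Public Access Disabled"],
}


def classify_state(state):
    """Map a SnapshotBlockPublicAccessState value to ok / warn / fail."""
    return STATE_RISK.get(state, "unknown")


def handle_event(event):
    """Lambda-style handler for one event of the shape shown on the page.
    Returns a finding dict, or None if the event is not an EC2 snapshot
    block public access event."""
    if event.get("source") != "aws.ec2" or "detail" not in event:
        return None
    state = event["detail"].get("SnapshotBlockPublicAccessState")
    return {"account": event.get("account"), "region": event.get("region"),
            "state": state, "severity": classify_state(state)}


def audit_regions(states):
    """states: {region: response dict} as returned per Region by
    get-snapshot-block-public-access-state. Returns (region, state,
    managed_by, severity) for every Region not in block-all-sharing mode."""
    findings = []
    for region, resp in sorted(states.items()):
        severity = classify_state(resp.get("State"))
        if severity != "ok":
            findings.append((region, resp.get("State"),
                             resp.get("ManagedBy", "account"), severity))
    return findings


# Constructed samples modelled on the page's example output and events.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.ec2", "account": "123456789012",
    "time": "2019-05-31T21:49:54Z", "region": "us-east-1",
    "detail-type": "EBS Snapshot Block Public Access Disabled",
    "detail": {"SnapshotBlockPublicAccessState": "unblocked",
               "message": "Block Public Access was successfully disabled"},
}
SAMPLE_STATES = {
    "us-east-1": {"State": "block-all-sharing", "ManagedBy": "declarative-policy"},
    "eu-west-3": {"State": "block-new-sharing", "ManagedBy": "account"},
    "ap-south-1": {"State": "unblocked", "ManagedBy": "account"},
}

if __name__ == "__main__":
    print(handle_event(SAMPLE_EVENT))
    print(audit_regions(SAMPLE_STATES))
```

A `declarative-policy` value in a finding tells you the fix belongs in AWS Organizations rather than in the account, because the page notes the setting cannot be changed directly while such a policy is in use.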