
Enable block public access for snapshots

Use the following procedures to configure and monitor block public access for snapshots.

Configure block public access for snapshots

Enable block public access for snapshots to prevent the public sharing of snapshots in the Region. After this feature is enabled, requests to publicly share snapshots in the Region are blocked.

Important

If block public access for snapshots is enabled in block all sharing mode, and you change the mode to block new sharing, all snapshots that were previously publicly shared are no longer treated as private and they become publicly accessible again.

Console
To configure block public access for snapshots
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose EC2 Dashboard, and then in Account attributes (on the right-hand side), choose Data protection and security.

  3. In the Block public access for EBS snapshots section, choose Manage.

  4. Select Block public access and then choose one of the following options:

    • Block all public access — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

    • Block new public sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

  5. Choose Update.

Amazon CLI
To enable or modify block public access for snapshots

Use the enable-snapshot-block-public-access command. For --state specify one of the following values:

  • block-all-sharing — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

  • block-new-sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

To enable or modify block public access for snapshots for a specific Region

# For --state, specify block-all-sharing or block-new-sharing.
aws ec2 enable-snapshot-block-public-access \
    --state block-new-sharing \
    --region us-east-1

Example output

{ "State": "block-new-sharing" }

To enable or modify block public access for snapshots for all Regions

# For --state, specify block-all-sharing or block-new-sharing.
echo -e "Region \t Public Access State" ; \
echo -e "-------------- \t ----------------------" ; \
for region in $(
    aws ec2 describe-regions \
        --region us-east-1 \
        --query "Regions[*].[RegionName]" \
        --output text
    );
    do (output=$(
        aws ec2 enable-snapshot-block-public-access \
            --region $region \
            --state block-new-sharing \
            --output text)
        echo -e "$region \t $output" );
    done

Example output

Region           Public Access State
--------------   ----------------------
ap-south-1       block-new-sharing
eu-north-1       block-new-sharing
eu-west-3        block-new-sharing
…

Tools for PowerShell
To enable or modify block public access for snapshots

Use the Enable-EC2SnapshotBlockPublicAccess command. For -State specify one of the following values:

  • block-all-sharing — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

  • block-new-sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

To enable or modify block public access for snapshots for a specific Region

# For -State, specify block-all-sharing or block-new-sharing.
Enable-EC2SnapshotBlockPublicAccess `
    -Region us-east-1 `
    -State block-new-sharing

Example output

Value
-----
block-new-sharing

To enable or modify block public access for snapshots for all Regions

# For -State, specify block-all-sharing or block-new-sharing.
(Get-EC2Region -Region us-east-1).RegionName | `
    ForEach-Object {
        [PSCustomObject]@{
            Region = $_
            PublicAccessState = (
                Enable-EC2SnapshotBlockPublicAccess `
                    -Region $_ `
                    -State block-new-sharing)
        }
    } | `
    Format-Table -AutoSize

Example output

Region       PublicAccessState
------       -----------------
ap-south-1   block-new-sharing
eu-north-1   block-new-sharing
eu-west-3    block-new-sharing
...

View the setting for block public access for snapshots

Block public access can be in one of the following states for each Region in your account.

  • Block all sharing — All public sharing of your snapshots is blocked. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are not publicly available.

  • Block new sharing — Only new public sharing of your snapshots is blocked. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

  • Unblocked — Public sharing is not blocked. Users can publicly share snapshots.

Console
To view the setting for block public access for snapshots
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose EC2 Dashboard, and then in Account attributes (on the right-hand side), choose Data protection and security.

  3. The Block public access for EBS snapshots section shows the current setting.

Amazon CLI
To view the setting for block public access for snapshots

Use the get-snapshot-block-public-access-state command.

  • For a specific Region

    aws ec2 get-snapshot-block-public-access-state --region us-east-1

    Example output

    { "State": "unblocked" }
  • For all Regions

    echo -e "Region \t Public Access State" ; \
    echo -e "-------------- \t ----------------------" ; \
    for region in $(
        aws ec2 describe-regions \
            --region us-east-1 \
            --query "Regions[*].[RegionName]" \
            --output text
        );
        do (output=$(
            aws ec2 get-snapshot-block-public-access-state \
                --region $region \
                --output text)
            echo -e "$region \t $output" );
        done

    Example output

    Region           Public Access State
    --------------   ----------------------
    ap-south-1       unblocked
    eu-north-1       unblocked
    eu-west-3        unblocked

Tools for Windows PowerShell
To view the setting for block public access for snapshots

Use the Get-EC2SnapshotBlockPublicAccessState command.

  • For a specific Region

    Get-EC2SnapshotBlockPublicAccessState -Region us-east-1

    Example output

    Value
    -----
    block-new-sharing

  • For all Regions

    (Get-EC2Region -Region us-east-1).RegionName | `
        ForEach-Object {
            [PSCustomObject]@{
                Region = $_
                PublicAccessState = (Get-EC2SnapshotBlockPublicAccessState -Region $_)
            }
        } | `
        Format-Table -AutoSize

    Example output

    Region           Public Access State
    --------------   ----------------------
    ap-south-1       unblocked
    eu-north-1       unblocked
    eu-west-3        unblocked
    ...
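
An added example, not part of the original AWS page: a POSIX shell audit that reads the per-Region state with the get-snapshot-block-public-access-state command shown above and returns non-zero when any Region is weaker than a required state. REQUIRED_STATE and the function names collect_states and audit_states are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit block public access for snapshots in every Region.
# REQUIRED_STATE and both function names are assumptions of this sketch.
REQUIRED_STATE="${REQUIRED_STATE:-block-all-sharing}"

# Print "region state" for each Region; a failed lookup is reported as
# "error" so that it shows up as a finding instead of being skipped.
collect_states() {
    for region in $(aws ec2 describe-regions --region us-east-1 \
            --query "Regions[*].[RegionName]" --output text); do
        state=$(aws ec2 get-snapshot-block-public-access-state \
            --region "$region" --output text) || state="error"
        echo "$region $state"
    done
}

# Read "region state" lines on stdin, print one finding per Region that does
# not meet REQUIRED_STATE, and return non-zero when there is any finding.
audit_states() (
    findings=0
    while read -r region state; do
        [ -z "$region" ] && continue
        case "$state" in
            block-all-sharing) continue ;;
            block-new-sharing)
                # Acceptable only when the required state is block-new-sharing.
                [ "$REQUIRED_STATE" = "block-new-sharing" ] && continue
                echo "WEAK $region: snapshots already shared publicly stay public" ;;
            unblocked) echo "FAIL $region: public sharing is not blocked" ;;
            *) echo "UNKNOWN $region: state could not be read (${state:-empty})" ;;
        esac
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
)

# Live run against the account: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    collect_states | audit_states
fi
```

The non-zero return makes the check usable as a scheduled job or pipeline gate; a Region whose state cannot be read counts as a finding rather than a pass.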

Disable block public access for snapshots

Disable block public access for snapshots to allow public sharing of snapshots in the Region. After this feature is disabled, users can publicly share snapshots in the Region.

Important

If block public access for snapshots is enabled in block all sharing mode, and you disable block public access, all snapshots that were previously publicly shared are no longer treated as private and they become publicly accessible again.

Console
To disable block public access for snapshots
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose EC2 Dashboard, and then in Account attributes (on the right-hand side), choose Data protection and security.

  3. In the Block public access for EBS snapshots section, choose Manage.

  4. Clear Block public access and choose Update.

Amazon CLI
To disable block public access for snapshots

Use the disable-snapshot-block-public-access command.

  • For a specific Region

    aws ec2 disable-snapshot-block-public-access --region us-east-1

    Example output

    { "State": "unblocked" }
  • For all Regions

    echo -e "Region \t Public Access State" ; \
    echo -e "-------------- \t ----------------------" ; \
    for region in $(
        aws ec2 describe-regions \
            --region us-east-1 \
            --query "Regions[*].[RegionName]" \
            --output text
        );
        do (output=$(
            aws ec2 disable-snapshot-block-public-access \
                --region $region \
                --output text)
            echo -e "$region \t $output" );
        done

    Example output

    Region           Public Access State
    --------------   ----------------------
    ap-south-1       unblocked
    eu-north-1       unblocked
    eu-west-3        unblocked

Tools for Windows PowerShell
To disable block public access for snapshots

Use the Disable-EC2SnapshotBlockPublicAccess command.

  • For a specific Region

    Disable-EC2SnapshotBlockPublicAccess -Region us-east-1

    Example output

    Value
    -----
    unblocked

  • For all Regions

    (Get-EC2Region -Region us-east-1).RegionName | `
        ForEach-Object {
            [PSCustomObject]@{
                Region = $_
                PublicAccessState = (Disable-EC2SnapshotBlockPublicAccess -Region $_)
            }
        } | `
        Format-Table -AutoSize

    Example output

    Region       PublicAccessState
    ------       -----------------
    ap-south-1   unblocked
    eu-north-1   unblocked
    eu-west-3    unblocked
    ...
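
An added example, not AWS's own code: a wrapper that applies the two Important notes on this page by refusing any change out of block-all-sharing, which would make previously public snapshots accessible again, unless the change is explicitly forced. The function names and the --force argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: refuse mode changes that re-expose previously public snapshots.
# Function names and the --force argument are assumptions of this sketch.

get_state() {   # print the current state for Region $1
    aws ec2 get-snapshot-block-public-access-state --region "$1" --output text
}

apply_state() { # set Region $1 to state $2
    if [ "$2" = "unblocked" ]; then
        aws ec2 disable-snapshot-block-public-access --region "$1" --output text
    else
        aws ec2 enable-snapshot-block-public-access --region "$1" \
            --state "$2" --output text
    fi
}

# Succeeds when moving from state $1 to state $2 leaves block-all-sharing,
# the one case in which snapshots that were already publicly shared stop
# being treated as private.
reexposes() {
    [ "$1" = "block-all-sharing" ] && [ "$2" != "block-all-sharing" ]
}

# Usage: guarded_set_state REGION TARGET [--force]
# Returns 1 when the change is refused, 2 for an invalid target state,
# 3 when the current state cannot be read.
guarded_set_state() (
    region=$1; target=$2; force=${3:-}
    case "$target" in
        block-all-sharing|block-new-sharing|unblocked) ;;
        *) echo "invalid target state: $target" >&2; exit 2 ;;
    esac
    current=$(get_state "$region") || {
        echo "cannot read current state for $region" >&2; exit 3; }
    if reexposes "$current" "$target" && [ "$force" != "--force" ]; then
        echo "refused: $region $current -> $target re-exposes public snapshots" >&2
        exit 1
    fi
    apply_state "$region" "$target"
)
```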