Configure block public access for Amazon EBS snapshots

Enable block public access for snapshots to prevent the public sharing of snapshots in the Region. After this feature is enabled, requests to publicly share snapshots in the Region are blocked.

Important

Enabling block public access for snapshots in block all sharing mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.

If you later disable block public access or change the mode to block new sharing, these snapshots will become publicly available again.

Console
To configure block public access for snapshots
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose EC2 Dashboard, and then in Account attributes (on the right-hand side), choose Data protection and security.

  3. In the Block public access for EBS snapshots section, choose Manage.

  4. Select Block public access and then choose one of the following options:

    • Block all public access — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

    • Block new public sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

  5. Choose Update.

AWS CLI
To enable or modify block public access for snapshots

Use the enable-snapshot-block-public-access command. For --state specify one of the following values:

  • block-all-sharing — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

  • block-new-sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

To enable or modify block public access for snapshots for a specific Region

    # For --state, specify block-all-sharing or block-new-sharing
    aws ec2 enable-snapshot-block-public-access \
        --state block-new-sharing \
        --region us-east-1

Example output

    {
        "State": "block-new-sharing"
    }

To enable or modify block public access for snapshots for all Regions

    # For --state, specify block-all-sharing or block-new-sharing
    echo -e "Region \t Public Access State" ; \
    echo -e "-------------- \t ----------------------" ; \
    for region in $(
        aws ec2 describe-regions \
            --region us-east-1 \
            --query "Regions[*].[RegionName]" \
            --output text
        );
        do (output=$(
            aws ec2 enable-snapshot-block-public-access \
                --region "$region" \
                --state block-new-sharing \
                --output text)
            echo -e "$region \t $output" );
        done

Example output

    Region           Public Access State
    --------------   ----------------------
    ap-south-1       block-new-sharing
    eu-north-1       block-new-sharing
    eu-west-3        block-new-sharing
    …
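
The Important note above means a Region in block all sharing mode can still hold snapshots whose attributes say they are public. As an added example (not part of the AWS documentation), this read-only script reports each Region's state next to the count of such snapshots. The finding labels are this example's own, and get-snapshot-block-public-access-state, describe-snapshots and describe-snapshot-attribute are AWS CLI commands not shown on this page.

```shell
#!/bin/sh
# Added example (not AWS's own script). Read-only audit: compares each Region's
# block public access state with snapshots whose stored permissions are public.

# Count snapshots owned by this account whose createVolumePermission
# attribute still contains the "all" group.
count_public_snapshots() (
    region=$1
    count=0
    for id in $(aws ec2 describe-snapshots --region "$region" --owner-ids self \
                    --query "Snapshots[*].SnapshotId" --output text); do
        n=$(aws ec2 describe-snapshot-attribute --region "$region" \
                --snapshot-id "$id" --attribute createVolumePermission \
                --query "length(CreateVolumePermissions[?Group=='all'])" \
                --output text)
        if [ "$n" -gt 0 ]; then count=$((count + 1)); fi
    done
    echo "$count"
)

# Finding labels below are this example's own names, not AWS terms.
classify() {
    case "$1:$2" in
        unblocked:0)         echo "UNPROTECTED" ;; # nothing public, sharing not blocked
        *:0)                 echo "OK" ;;
        block-all-sharing:*) echo "LATENT" ;;      # hidden; public again if mode is relaxed
        *)                   echo "EXPOSED" ;;     # public snapshots remain reachable
    esac
}

# Print one tab-separated row: Region, state, public count, finding.
audit_region() (
    region=$1
    state=$(aws ec2 get-snapshot-block-public-access-state --region "$region" \
                --query State --output text)
    public=$(count_public_snapshots "$region")
    printf '%s\t%s\t%s\t%s\n' "$region" "$state" "$public" \
        "$(classify "$state" "$public")"
)

audit_all_regions() {
    for region in $(aws ec2 describe-regions --region us-east-1 \
                        --query "Regions[*].[RegionName]" --output text); do
        audit_region "$region"
    done
}
```

After defining the functions, run audit_all_regions with credentials that allow these read-only calls. A LATENT row marks snapshots to make private before the mode is ever relaxed or disabled.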

Tools for PowerShell
To enable or modify block public access for snapshots

Use the Enable-EC2SnapshotBlockPublicAccess command. For -State specify one of the following values:

  • block-all-sharing — To block all public sharing of your snapshots. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are no longer publicly available.

  • block-new-sharing — To block only new public sharing of your snapshots. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.

To enable or modify block public access for snapshots for a specific Region

    # For -State, specify block-new-sharing or block-all-sharing
    Enable-EC2SnapshotBlockPublicAccess `
        -Region us-east-1 `
        -State block-new-sharing

Example output

    Value
    -----
    block-new-sharing

To enable or modify block public access for snapshots for all Regions

    # For -State, specify block-new-sharing or block-all-sharing
    (Get-EC2Region -Region us-east-1).RegionName | `
        ForEach-Object {
            [PSCustomObject]@{
                Region            = $_
                PublicAccessState = (
                    Enable-EC2SnapshotBlockPublicAccess `
                        -Region $_ `
                        -State block-new-sharing)
            }
        } | `
        Format-Table -AutoSize

Example output

    Region     PublicAccessState
    ------     -----------------
    ap-south-1 block-new-sharing
    eu-north-1 block-new-sharing
    eu-west-3  block-new-sharing
    ...