
Enable RDS Copy Tags to Snapshots

Cost optimisation

Ensure that your Amazon Relational Database Service (RDS) instances use the Copy Tags to Snapshots feature, so that tags set on your database instances are automatically copied to any automated or manual RDS snapshots created from these instances. Once the feature is enabled, tags can be copied to all future copies of an AWS RDS snapshot, including cross-region snapshots.

Copying your AWS RDS database instance tags to any automated or manual snapshots taken from your instances allows you to easily set metadata (including access policies) on your snapshots so that they match the parent instances.

Audit

To determine if your RDS instances have the Copy Tags to Snapshots feature enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Instances.

04 Select the RDS database instance that you want to examine.

05 Click the Instance Actions button from the dashboard top menu and select See Details.

06 On the Details panel, within the Configuration section, check the value set for the Copy tags to snapshots attribute. If the attribute value is set to No, the Copy Tags to Snapshots feature is not currently enabled for the selected Amazon RDS database instance.

07 Repeat steps no. 4 – 6 to verify the Copy Tags to Snapshots feature status for other database instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the describe-db-instances command (OSX/Linux/UNIX) using custom query filters to list the names (identifiers) of all RDS database instances available in the selected AWS region:

aws rds describe-db-instances \
	--region us-east-1 \
	--output table \
	--query 'DBInstances[*].DBInstanceIdentifier'

02 The command output should return a table with the requested database identifiers:

------------------------
|  DescribeDBInstances |
+----------------------+
|  cc-mysql-main-db    |
|  cc-sql-upgraded-db  |
+----------------------+

03 Run the describe-db-instances command (OSX/Linux/UNIX) again, using the database instance name returned at the previous step as the identifier and custom query filters to get the current value of the CopyTagsToSnapshot configuration attribute:

aws rds describe-db-instances \
	--region us-east-1 \
	--db-instance-identifier cc-mysql-main-db \
	--query 'DBInstances[*].CopyTagsToSnapshot'

04 The command output should return the Boolean value requested:

[
    false
]

If the CopyTagsToSnapshot attribute value is set to false, as shown in the example above, the feature is not currently enabled for the selected AWS RDS database instance.

05 Repeat steps no. 3 and 4 to verify the Copy Tags to Snapshots feature status for other database instances created within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable the Copy Tags to Snapshots feature for your existing Amazon RDS database instances, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to RDS dashboard at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Instances.

04 Select the database instance that you want to reconfigure (see Audit section part I to identify the right RDS resource).

05 Click the Instance Actions button from the dashboard top menu and select Modify.

06 On the Modify DB Instance: <instance_name> configuration page, perform the following actions:

  1. Within the Database options section, select Yes next to Copy tags to snapshots to turn on the Copy Tags to Snapshots feature for the selected instance.
  2. Once the setting is made, click Continue.
  3. On the Summary of Modifications panel, review the configuration changes, then from the Scheduling of Modifications panel select whether to apply the changes immediately or during the next scheduled maintenance window.
  4. Click Modify DB Instance to start the instance configuration update process if the Apply immediately option was chosen, or to schedule the process for the next maintenance window if the Apply during the next scheduled maintenance window option was selected.

07 Repeat steps no. 4 – 6 to enable the Copy Tags to Snapshots feature for other AWS RDS instances available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the modify-db-instance command (OSX/Linux/UNIX) using the name of the AWS RDS instance that you want to reconfigure as parameter (see Audit section part II to identify the right resource) to update its configuration and enable the Copy Tags to Snapshots feature. The following command example applies the configuration changes immediately by using the --apply-immediately command parameter:

aws rds modify-db-instance \
	--region us-east-1 \
	--db-instance-identifier cc-mysql-main-db \
	--copy-tags-to-snapshot \
	--apply-immediately

02 The command output should return the modified RDS database instance metadata:

{
    "DBInstance": {
        "PubliclyAccessible": true,
        "MonitoringInterval": 0,
        "LicenseModel": "general-public-license",
        "InstanceCreateTime": "2017-03-17T13:05:58.053Z",
        "CopyTagsToSnapshot": true,
        "PendingModifiedValues": {},
        "Engine": "mysql",
        "MultiAZ": false,
        "PerformanceInsightsEnabled": false,
        "AutoMinorVersionUpgrade": true,
        "PreferredBackupWindow": "11:45-12:15",
 
        ...
        
        "DBInstanceStatus": "available",
        "IAMDatabaseAuthenticationEnabled": false,
        "EngineVersion": "5.6.27",
        "AvailabilityZone": "us-east-1a",
        "DomainMemberships": [],
        "StorageType": "gp2",
        "CACertificateIdentifier": "rds-ca-2015",
        "StorageEncrypted": false,
        "DBInstanceClass": "db.m3.medium",
        "DbInstancePort": 0,
        "DBInstanceIdentifier": "cc-mysql-main-db"
    }
}

03 Repeat steps no. 1 and 2 to enable the Copy Tags to Snapshots feature for other Amazon RDS database instances available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.
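
The CLI audit and remediation steps above, combined into one script that loops over instances and regions. This is an added example, not Cloud Conformity's own code; the function names and the DRY_RUN variable are assumptions introduced here, and it goes slightly beyond the page by filtering non-compliant instances in the query itself.

```shell
#!/bin/sh
# Added example: audit and optionally remediate CopyTagsToSnapshot across regions.
# Function names and DRY_RUN are hypothetical helpers, not part of the AWS CLI.

TAB=$(printf '\t')

# Print one identifier per line for instances in region $1
# whose CopyTagsToSnapshot attribute is false.
noncompliant_instances() {
  aws rds describe-db-instances \
    --region "$1" \
    --output text \
    --query 'DBInstances[?CopyTagsToSnapshot==`false`].DBInstanceIdentifier' |
    tr '\t' '\n' | sed '/^$/d'
}

# Print "region<TAB>instance" for every non-compliant instance
# in the regions given as arguments.
audit_regions() (
  for region in "$@"; do
    noncompliant_instances "$region" | while read -r id; do
      printf '%s\t%s\n' "$region" "$id"
    done
  done
)

# Read "region<TAB>instance" lines from stdin and enable the feature on each.
# DRY_RUN=1 (the default) only prints the command that would be executed.
remediate() (
  while IFS="$TAB" read -r region id; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "would run: aws rds modify-db-instance --region $region" \
        "--db-instance-identifier $id --copy-tags-to-snapshot --apply-immediately"
    else
      aws rds modify-db-instance \
        --region "$region" \
        --db-instance-identifier "$id" \
        --copy-tags-to-snapshot \
        --apply-immediately </dev/null >/dev/null &&
        echo "enabled: $region $id"
    fi
  done
)

# Typical use, reviewing the dry-run output before setting DRY_RUN=0:
#   audit_regions us-east-1 eu-west-1 | remediate
```

Run the audit on its own first and keep its output as the change record; the remediation step then acts only on the instances that were listed.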


Publication date Feb 7, 2018