Enable Aurora Cluster Copy Tags to Snapshots

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: RDS-042

Ensure that your Amazon Aurora database clusters make use of the Copy Tags to Snapshots feature so that tags set on your Aurora database clusters are automatically copied to any automated or manual snapshots created from these clusters. Once the feature is enabled, tags are also copied to all future copies of Amazon Aurora snapshots, including cross-region snapshot copies.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Operational excellence

Copying your Amazon RDS Aurora cluster tags to any automated or manual snapshots taken from your database clusters allows you to easily set metadata (including access policies) on your snapshots in order to match the parent clusters.


Audit

To determine if your Amazon Aurora clusters have the Copy Tags to Snapshots feature enabled, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Databases.

04 Click on the name (link) of the Aurora database cluster that you want to examine. To identify Aurora clusters, check the engine type available in the Engine column (e.g. Aurora MySQL).


05 On the selected cluster details page, select the Maintenance & backups tab, and check the Copy tags to snapshots configuration attribute value. If the attribute value is set to Disabled, the Copy Tags to Snapshots feature is not enabled for the selected Amazon Aurora database cluster.

06 Repeat steps no. 4 and 5 to verify the feature status for other Aurora database clusters provisioned within the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) with custom query filters to list the names of all Amazon Aurora database clusters available in the selected AWS region:

aws rds describe-db-clusters \
	--region us-east-1 \
	--output table \
	--query 'DBClusters[?Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'

02 The command output should return a table with the requested cluster names:

--------------------------------
|      DescribeDBClusters      |
+------------------------------+
|  cc-aurora-mysql-cluster     |
|  cc-aurora-postgres-cluster  |
+------------------------------+

03 Execute describe-db-clusters command (OSX/Linux/UNIX) using the name of the database cluster that you want to examine as identifier parameter and custom query filters to describe the Copy Tags to Snapshots feature status available for the selected Amazon Aurora cluster:

aws rds describe-db-clusters \
	--region us-east-1 \
	--db-cluster-identifier cc-aurora-mysql-cluster \
	--query 'DBClusters[*].CopyTagsToSnapshot'

04 The command output should return the requested feature status (true for enabled, false for disabled):

[
    false
]

If the describe-db-clusters command output returns false, as shown in the output example above, the Copy Tags to Snapshots feature is not enabled for the selected Amazon Aurora database cluster.

05 Repeat steps no. 3 and 4 to check the feature status for other Aurora clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
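The CLI audit above is run one cluster at a time. The following Python script is an added example, not part of the Cloud Conformity page or its tooling: it evaluates the JSON that `aws rds describe-db-clusters --output json` prints for a whole region and lists every Aurora cluster whose CopyTagsToSnapshot value is not true, then builds the matching modify-db-cluster command for each finding. It also handles a case the JMESPath filter in step 01 does not: older Aurora MySQL clusters report their engine as plain `aurora` (the value visible in the remediation output on this page), so the script matches that engine name as well. SAMPLE_OUTPUT, the cluster names in it, and the file/region arguments of main() are constructed for illustration.

```python
"""Audit the CopyTagsToSnapshot setting of Amazon Aurora clusters.

Added example (not part of the Cloud Conformity page): it evaluates the JSON that
`aws rds describe-db-clusters --output json` prints, so it can be run offline
against a saved file and needs no AWS credentials. SAMPLE_OUTPUT below is
constructed for illustration and is not real account data.
"""
import json
import sys

# Engine names Aurora clusters report. Older Aurora MySQL clusters report the
# engine as plain "aurora", which a filter on aurora-mysql/aurora-postgresql
# alone would skip.
AURORA_ENGINES = {"aurora", "aurora-mysql", "aurora-postgresql"}


def is_aurora(cluster):
    """True for Aurora clusters; Multi-AZ DB clusters (mysql/postgres) are out of scope."""
    return cluster.get("Engine") in AURORA_ENGINES


def noncompliant_clusters(describe_output):
    """Return identifiers of Aurora clusters whose CopyTagsToSnapshot is not true.

    A missing key is treated as non-compliant: the feature is only known to be
    enabled when the API explicitly reports true.
    """
    findings = []
    for cluster in describe_output.get("DBClusters", []):
        if not is_aurora(cluster):
            continue
        if cluster.get("CopyTagsToSnapshot") is not True:
            findings.append(cluster["DBClusterIdentifier"])
    return findings


def remediation_commands(region, cluster_ids, apply_immediately=False):
    """Build one modify-db-cluster command per finding (same call as the remediation steps).

    --apply-immediately is opt-in because it also flushes pending modifications,
    which can cause downtime; without it the change waits for the maintenance window.
    """
    commands = []
    for cluster_id in cluster_ids:
        command = (
            f"aws rds modify-db-cluster --region {region} "
            f"--db-cluster-identifier {cluster_id} --copy-tags-to-snapshot"
        )
        if apply_immediately:
            command += " --apply-immediately"
        commands.append(command)
    return commands


# Constructed sample of describe-db-clusters output, trimmed to the relevant fields.
SAMPLE_OUTPUT = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-aurora-mysql-cluster", "Engine": "aurora-mysql",
         "CopyTagsToSnapshot": False},
        {"DBClusterIdentifier": "cc-aurora-postgres-cluster", "Engine": "aurora-postgresql",
         "CopyTagsToSnapshot": True},
        # legacy engine name, and the attribute is absent from the response
        {"DBClusterIdentifier": "legacy-aurora-56-cluster", "Engine": "aurora"},
        # Multi-AZ DB cluster, not Aurora: ignored by this rule
        {"DBClusterIdentifier": "multiaz-postgres-cluster", "Engine": "postgres",
         "CopyTagsToSnapshot": False},
    ]
}


def main(argv):
    # Usage: python audit_copy_tags.py [describe-db-clusters.json] [region]
    # With no arguments the constructed sample is evaluated.
    data = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_OUTPUT
    region = argv[2] if len(argv) > 2 else "us-east-1"
    findings = noncompliant_clusters(data)
    for line in remediation_commands(region, findings):
        print(line)
    # non-zero exit status when something needs remediation, for use in CI
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per region by saving `aws rds describe-db-clusters --region <region> --output json` to a file and passing that file plus the region name; the exit status is 1 whenever at least one Aurora cluster still has the feature disabled.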

Remediation / Resolution

To enable the Copy Tags to Snapshots feature for your existing Amazon Aurora database clusters, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Databases.

04 Select the Aurora database cluster that you want to reconfigure (see Audit section part I to identify the right RDS resource) and choose Modify.

05 On the Modify DB cluster: <cluster-name> configuration page, perform the following actions:

  1. In the Additional configuration section, select Copy tags to snapshots checkbox to enable Copy Tags to Snapshots feature for the selected database cluster.
  2. Choose Continue to continue the modification process.
  3. On the Summary of modifications panel, review the configuration changes. In the Scheduling of modifications section, select whether to apply the changes immediately (asynchronously and as soon as possible) or apply them during the next scheduled maintenance window.
  4. Choose Modify cluster to apply the configuration changes.

06 Repeat steps no. 4 and 5 to enable the Copy Tags to Snapshots feature for other Aurora clusters deployed in the current AWS region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the modify-db-cluster command (OSX/Linux/UNIX) to enable the Copy Tags to Snapshots feature for the selected Amazon Aurora database cluster (see Audit section part II to identify the right resource) by adding the --copy-tags-to-snapshot configuration parameter to the command request. The following command example makes use of the --apply-immediately parameter to apply the configuration changes asynchronously and as soon as possible. Any changes available in the pending modifications queue are also applied with this request. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora-based application. If you skip adding the --apply-immediately parameter to the command request, Amazon Aurora will apply your changes during the next maintenance window:

aws rds modify-db-cluster \
	--region us-east-1 \
	--db-cluster-identifier cc-aurora-mysql-cluster \
	--copy-tags-to-snapshot \
	--apply-immediately

02 The command output should return the configuration metadata for the modified database cluster:

{
    "DBCluster": {
        "Status": "available",
        "MultiAZ": false,
        "PreferredBackupWindow": "05:07-05:37",
        "DBSubnetGroup": "default",
        "BackupRetentionPeriod": 7,
        "Engine": "aurora",
        "IAMDatabaseAuthenticationEnabled": false,
        "ClusterCreateTime": "2020-12-17T15:00:00.100Z",
        "EngineVersion": "5.7.mysql_aurora.2.07.2",

        ...

        "CopyTagsToSnapshot": true,
        "DeletionProtection": true,
        "DBClusterIdentifier": "cc-aurora-mysql-cluster",
        "DbClusterResourceId": "cluster-AAAABBBBCCCCDDDDAAAABBBBCD",
        "DBClusterMembers": [],
        "StorageEncrypted": true,
        "DBClusterParameterGroup": "default.aurora-mysql5.7",
        "AvailabilityZones": [
            "us-east-1a",
            "us-east-1b"
        ],
        "Port": 3306
    }
}

03 Repeat steps no. 1 and 2 to enable the Copy Tags to Snapshots feature for other Aurora database clusters available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.
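Enabling the feature only affects snapshots created after the modification; snapshots taken before remediation keep whatever tags they already had, so the access-policy metadata the rule is about can still be missing on the existing backup set. The following Python script is an added example, not part of the Cloud Conformity page or its tooling: it compares the TagList of each snapshot in `aws rds describe-db-cluster-snapshots --output json` with the TagList of its parent cluster in `aws rds describe-db-clusters --output json`, reports tags the snapshot lacks or carries with a different value, and builds the `aws rds add-tags-to-resource` call that closes the gap. SAMPLE_CLUSTERS, SAMPLE_SNAPSHOTS, the tag keys, the ARNs (including the 123456789012 account number) and the file arguments of main() are all constructed for illustration.

```python
"""Find existing Aurora cluster snapshots that lack their parent cluster's tags.

Added example, not part of the Cloud Conformity page. Enabling Copy Tags to
Snapshots only affects snapshots created afterwards, so this script checks the
snapshots that already exist. It works on saved JSON from
`aws rds describe-db-clusters` and `aws rds describe-db-cluster-snapshots`
(both with --output json) and needs no AWS credentials. All sample data below
is constructed.
"""
import json
import sys


def tags_to_dict(tag_list):
    """Convert the API's [{"Key": k, "Value": v}, ...] form into a dict."""
    return {tag["Key"]: tag["Value"] for tag in (tag_list or [])}


def cluster_tag_index(describe_clusters_output):
    """Map cluster identifier -> tag dict for every cluster in the output."""
    return {
        cluster["DBClusterIdentifier"]: tags_to_dict(cluster.get("TagList"))
        for cluster in describe_clusters_output.get("DBClusters", [])
    }


def missing_snapshot_tags(describe_clusters_output, describe_snapshots_output):
    """Return {snapshot identifier: {key: value}} of parent-cluster tags that the
    snapshot lacks or carries with a different value.

    Snapshots whose parent cluster is absent from the cluster output (deleted, or
    living in another region) are skipped rather than flagged, because there is no
    parent tag set to compare against.
    """
    parents = cluster_tag_index(describe_clusters_output)
    drift = {}
    for snapshot in describe_snapshots_output.get("DBClusterSnapshots", []):
        parent_tags = parents.get(snapshot.get("DBClusterIdentifier"))
        if parent_tags is None:
            continue
        snapshot_tags = tags_to_dict(snapshot.get("TagList"))
        missing = {k: v for k, v in parent_tags.items() if snapshot_tags.get(k) != v}
        if missing:
            drift[snapshot["DBClusterSnapshotIdentifier"]] = missing
    return drift


def add_tags_command(snapshot_arn, tags):
    """Build the AWS CLI call that copies the missing tags onto one snapshot."""
    tag_args = " ".join(f"Key={k},Value={v}" for k, v in sorted(tags.items()))
    return f"aws rds add-tags-to-resource --resource-name {snapshot_arn} --tags {tag_args}"


# Constructed samples, trimmed to the fields the check uses.
_ARN_PREFIX = "arn:aws:rds:us-east-1:123456789012:cluster-snapshot:"  # constructed account id

SAMPLE_CLUSTERS = {
    "DBClusters": [
        {"DBClusterIdentifier": "cc-aurora-mysql-cluster", "Engine": "aurora-mysql",
         "CopyTagsToSnapshot": True,
         "TagList": [{"Key": "Environment", "Value": "prod"},
                     {"Key": "DataClassification", "Value": "confidential"}]},
    ]
}

SAMPLE_SNAPSHOTS = {
    "DBClusterSnapshots": [
        # automated snapshot taken before the feature was enabled: no tags at all
        {"DBClusterSnapshotIdentifier": "rds:cc-aurora-mysql-cluster-2020-12-17-05-07",
         "DBClusterIdentifier": "cc-aurora-mysql-cluster", "SnapshotType": "automated",
         "DBClusterSnapshotArn": _ARN_PREFIX + "rds:cc-aurora-mysql-cluster-2020-12-17-05-07",
         "TagList": []},
        # manual snapshot tagged by hand, but only partially
        {"DBClusterSnapshotIdentifier": "cc-aurora-mysql-manual-1",
         "DBClusterIdentifier": "cc-aurora-mysql-cluster", "SnapshotType": "manual",
         "DBClusterSnapshotArn": _ARN_PREFIX + "cc-aurora-mysql-manual-1",
         "TagList": [{"Key": "Environment", "Value": "prod"}]},
        # snapshot created after remediation: tags were copied, nothing to do
        {"DBClusterSnapshotIdentifier": "cc-aurora-mysql-manual-2",
         "DBClusterIdentifier": "cc-aurora-mysql-cluster", "SnapshotType": "manual",
         "DBClusterSnapshotArn": _ARN_PREFIX + "cc-aurora-mysql-manual-2",
         "TagList": [{"Key": "Environment", "Value": "prod"},
                     {"Key": "DataClassification", "Value": "confidential"}]},
        # parent cluster not present in the cluster output: skipped
        {"DBClusterSnapshotIdentifier": "orphan-snapshot",
         "DBClusterIdentifier": "deleted-cluster", "SnapshotType": "manual",
         "DBClusterSnapshotArn": _ARN_PREFIX + "orphan-snapshot",
         "TagList": []},
    ]
}


def main(argv):
    # Usage: python snapshot_tag_drift.py [clusters.json snapshots.json]
    # With no arguments the constructed samples are evaluated.
    if len(argv) == 3:
        clusters, snapshots = json.load(open(argv[1])), json.load(open(argv[2]))
    else:
        clusters, snapshots = SAMPLE_CLUSTERS, SAMPLE_SNAPSHOTS
    drift = missing_snapshot_tags(clusters, snapshots)
    arns = {s["DBClusterSnapshotIdentifier"]: s["DBClusterSnapshotArn"]
            for s in snapshots.get("DBClusterSnapshots", [])}
    for snapshot_id, tags in drift.items():
        print(add_tags_command(arns[snapshot_id], tags))
    return len(drift)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script prints one add-tags-to-resource command per out-of-sync snapshot and returns the number of findings; review the commands before running them, since tag values are used verbatim and a tag changed on the cluster after the snapshot was taken will also show up as drift.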

Publication date Dec 30, 2020
