Profile Applicability:

  • Level 2

Description:

Amazon Neptune allows you to copy tags from your Neptune DB clusters to snapshots. Enabling Copy Tags to Snapshots ensures that all tags applied to the Neptune DB cluster are automatically applied to snapshots. This helps maintain consistent tagging, which is critical for cost allocation, access control, and resource management.

Rationale:

  • Consistent Tagging: Ensures that snapshots inherit tags from the source cluster, aiding in resource tracking and cost allocation.

  • Access Control: Helps maintain security policies that rely on resource tagging (e.g., IAM policies based on tags).

  • Automation: Facilitates automated backup management and cost tracking for snapshots.

Impact:

  • Pros:

    • Streamlined cost tracking and resource management.

    • Simplifies access control based on tags.

    • Enhances automation for backup management.

  • Cons:

    • None significant; copying tags is a best practice with minimal impact.

Default Value:

  • Copy Tags to Snapshots is disabled by default when creating a Neptune DB cluster.

Pre-Requisite:

  • AWS IAM permissions:

    • neptune:DescribeDBClusters

    • neptune:ModifyDBCluster

    • neptune:ListTagsForResource

  • AWS CLI installed and configured.

  • Access to the AWS Management Console.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Neptune service.

   

  1. In the left navigation pane, select Databases → DB Clusters.

     

  1. Select the Neptune DB cluster you want to check.

   

  1. Under the Configuration tab, look for Copy Tags to Snapshots.

    • Pass: If Copy Tags to Snapshots is enabled.

    • Fail: If Copy Tags to Snapshots is disabled.

Using AWS CLI:

List Neptune DB Clusters:

aws neptune describe-db-clusters --region <region> --query 'DBClusters[*].DBClusterIdentifier'

Check Copy Tags to Snapshots Setting:

aws neptune describe-db-clusters --region <region> \

--query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,CopyTagsToSnapshot:CopyTagsToSnapshot}'

Example output:

[

  {

    "DBClusterIdentifier": "my-neptune-cluster",

    "CopyTagsToSnapshot": false

  }

]

  • Pass: If "CopyTagsToSnapshot": true.

  • Fail: If "CopyTagsToSnapshot": false.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Neptune.

       

  1. Go to DB Clusters and select the cluster to modify.

   

  1. Click on Modify Cluster.

   

  1. In the Backup section, check the box for Copy Tags to Snapshots.

  1. Review your changes and click Continue.

     

  1. Select Apply Immediately or schedule the changes during the next maintenance window.

  1. Click Modify Cluster.

Using AWS CLI:

Enable Copy Tags to Snapshots:

aws neptune modify-db-cluster \

--db-cluster-identifier <db-cluster-identifier> \

--copy-tags-to-snapshot \

--apply-immediately \

--region <region>

Verify the Changes:

aws neptune describe-db-clusters --region <region> \

--query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,CopyTagsToSnapshot:CopyTagsToSnapshot}'

The expected output:

[

  {

    "DBClusterIdentifier": "my-neptune-cluster",

    "CopyTagsToSnapshot": true

  }
]

Backout Plan:

If enabling Copy Tags to Snapshots causes any unintended issues, you can disable it:

  1. Go to Amazon Neptune → DB Clusters.

  2. Select the cluster and choose Modify Cluster.

  3. Uncheck the Copy Tags to Snapshots option.

  4. Apply the changes immediately or during the next maintenance window.

References:

  1. Amazon Neptune Documentation

  2. AWS CLI Neptune Documentation

  3. Managing Amazon Neptune DB Clusters