Profile Applicability:

  • Level 1

Description:

Amazon RDS allows you to associate tags with your database instances to organize and manage them more easily. When you enable the "Copy Tags to Snapshots" feature for RDS DB instances, any tags that are assigned to the DB instance are automatically copied to the associated snapshots. This ensures that your snapshots are tagged consistently, making it easier to identify and manage them in the future. This SOP ensures that RDS DB instances have the copy tags to snapshots option enabled to maintain proper resource tagging across snapshots.

Rationale:

  • Better Management: Enabling tag copy to snapshots ensures that snapshots are tagged with the same metadata as their associated DB instances, making it easier to manage resources, track usage, and automate processes.

  • Improved Organization: Helps maintain consistent tagging practices across the organization for cost allocation, resource identification, and reporting.

  • Compliance: Many compliance standards require good resource management practices, including proper tagging of resources for tracking and auditing purposes.

Impact:

Pros:

  • Improved Resource Organization: Tags are copied automatically, improving the consistency and ease of managing DB snapshots.

  • Easier Auditing and Tracking: Tags on snapshots help track usage, ownership, and purpose for better resource tracking.

  • Simplifies Automation: Allows for easier automation of processes such as backups, reporting, or cost allocation.

Cons:

  • Tagging Management: Requires careful management of tags to ensure that they are accurate and up to date for both DB instances and their snapshots.

  • Complexity in Large Environments: For organizations with many DB instances and snapshots, enabling this feature across all instances could add to the complexity of resource management.

Default Value:

By default, RDS DB instances do not have "Copy Tags to Snapshots" enabled. You must manually enable this feature during instance creation or by modifying the instance.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBInstances

    • rds:ModifyDBInstance

    • rds:CreateDBInstance

  • AWS CLI installed and configured.

  • Ensure that you have appropriate permissions to modify DB instances and manage tags.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the DB instance you want to check.

  4. In the Configuration tab, scroll to the Tags section:

    • Copy Tags to Snapshots should be set to Yes if enabled.

    • If it's set to No, tags are not copied to snapshots.

  5. If Copy Tags to Snapshots is not enabled, click Modify and enable the Copy Tags to Snapshots option under Settings.

  6. Save the changes and verify that tags are now copied to snapshots for that instance.

Using AWS CLI:

  1. To check if Copy Tags to Snapshots is enabled for an RDS DB instance, run the following command:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,CopyTagsToSnapshot:CopyTagsToSnapshot}'

  2. Review the output:

    • If CopyTagsToSnapshot is true, the tags are being copied to snapshots.

    • If CopyTagsToSnapshot is false, tags are not being copied to snapshots.

  3. To enable Copy Tags to Snapshots, run:

    aws rds modify-db-instance --db-instance-identifier <db-instance-id> --copy-tags-to-snapshot --apply-immediately

  4. Verify the setting:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,CopyTagsToSnapshot:CopyTagsToSnapshot}'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and choose the DB instance for which you want to enable Copy Tags to Snapshots.

  3. Click Modify.

  4. Under the Settings section, enable Copy Tags to Snapshots.

  5. Click Continue, then Apply Changes.

Using AWS CLI:

  1. To enable Copy Tags to Snapshots for an RDS DB instance, run:

    aws rds modify-db-instance --db-instance-identifier <db-instance-id> --copy-tags-to-snapshot --apply-immediately

  2. Verify that Copy Tags to Snapshots is enabled by running:

    aws rds describe-db-instances --query 'DBInstances[*].{DBInstanceIdentifier:DBInstanceIdentifier,CopyTagsToSnapshot:CopyTagsToSnapshot}'
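
The check and fix above, applied across a whole account, as an added example that is not part of the original SOP. It filters the text output of describe-db-instances and prints a modify-db-instance command for each standalone instance that has the setting off. The function names and the sample rows are constructed for illustration. Instances that belong to a DB cluster are flagged for review instead, because for Aurora the setting is managed on the cluster and modify-db-instance has no effect on it.

```shell
#!/usr/bin/env bash
# Input rows are tab-separated "<instance-id> <CopyTagsToSnapshot> <cluster-id>", as printed by:
#   aws rds describe-db-instances --output text \
#     --query 'DBInstances[*].[DBInstanceIdentifier,CopyTagsToSnapshot,DBClusterIdentifier]'
# Text output renders booleans as True/False and a missing cluster id as None.

# Classify each row read from stdin (hypothetical helper name).
audit_copy_tags() {
  awk -F'\t' '
    NF < 2       { next }                  # skip blank or malformed rows
    $2 == "True" { next }                  # compliant, nothing to report
    $3 != "" && $3 != "None" {             # cluster member: setting lives on the cluster
      printf "REVIEW-CLUSTER %s (cluster %s)\n", $1, $3; next
    }
    { printf "NONCOMPLIANT %s\n", $1 }     # standalone instance with the setting off
  '
}

# Turn the NONCOMPLIANT findings into the SOP's remediation command, one per instance.
remediation_commands() {
  audit_copy_tags | awk '$1 == "NONCOMPLIANT" {
    printf "aws rds modify-db-instance --db-instance-identifier %s --copy-tags-to-snapshot --apply-immediately\n", $2
  }'
}

# Constructed sample rows standing in for real CLI output.
sample_rows() {
  printf 'orders-prod\tTrue\tNone\n'
  printf 'billing-dev\tFalse\tNone\n'
  printf 'aurora-node-1\tFalse\taurora-main\n'
  printf 'legacy-report\tFalse\tNone\n'
}

sample_rows | audit_copy_tags
sample_rows | remediation_commands
```

Against a live account, pipe the describe-db-instances command from the header comment into remediation_commands and review the printed commands before running them.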

Backout Plan:

Using AWS Console:

  1. If enabling copy tags to snapshots causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB instance, and click Modify.

  3. Disable the Copy tags to snapshots option.

  4. Save the changes and verify that the tags are no longer being copied to snapshots.

Using AWS CLI:

  1. To disable copy tags to snapshots, run the following command:

    aws rds modify-db-instance --db-instance-identifier <DB_INSTANCE_ID> --no-copy-tags-to-snapshot --apply-immediately

  2. Verify that copy tags to snapshots is now disabled:

    aws rds describe-db-instances --db-instance-identifier <DB_INSTANCE_ID>

References:

CIS Controls Mapping:

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | | |
| v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | | |
| v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | | |