Profile Applicability:

  • Level 1

Description:

In Amazon RDS, when you create snapshots of DB clusters, it is essential to copy the tags associated with the DB cluster to the snapshot so that the snapshot retains the metadata of the DB cluster it was taken from. Copying tags to snapshots allows for better organization, management, and governance of RDS snapshots, and it simplifies tracking and compliance for backup management and resource tagging.

This SOP ensures that the copy tags to snapshots option is enabled for RDS DB clusters so that any snapshots taken for these clusters automatically retain the tags assigned to the original RDS DB clusters.

Rationale:

  • Governance: Tags help you categorize and manage AWS resources effectively. If snapshots inherit the same tags as the original DB cluster, it ensures proper identification, reporting, and cost allocation.

  • Operational Efficiency: Automatically copying tags reduces manual effort and ensures consistency in resource management, making it easier to manage snapshots.

  • Compliance: Many compliance frameworks (e.g., SOC 2, PCI-DSS) require that backups (including snapshots) are tracked and managed with appropriate metadata such as tags.

  • Security: Tags can be used for access control (e.g., ensuring that snapshots are accessible only by authorized users or services).

Impact:

Pros:

  • Improved Management: Enables more efficient management of snapshots by associating them with the original DB cluster’s tags.

  • Consistency: Ensures that all RDS snapshots are consistently tagged, which helps with tracking and auditing.

  • Operational Visibility: Provides better visibility into your AWS resources and simplifies tasks like billing and cost management by leveraging tags.

Cons:

  • Configuration Overhead: Enabling the feature requires initial configuration, though it’s a one-time setup per DB cluster.

  • Potential for Tagging Errors: If tags are not correctly assigned to the DB clusters, they may propagate incorrectly to the snapshots.

Default Value:

By default, RDS DB clusters do not have the "copy tags to snapshots" option enabled. This setting must be explicitly configured when creating or modifying the DB cluster.

Pre-requisite:

  • AWS IAM Permissions:

    • rds:DescribeDBClusters

    • rds:ModifyDBCluster

    • rds:CreateDBClusterSnapshot

  • AWS CLI installed and configured.

  • Ensure that the RDS DB cluster has tags assigned before enabling the option to copy tags.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon RDS under Services.

  3. In the RDS Dashboard, go to Databases and select the DB cluster for which you want to check the "copy tags to snapshots" setting.

  4. Under the Modify section, look for the Copy Tags to Snapshots setting.

    • If this option is enabled, it will be checked.

    • If this option is disabled, you will need to enable it.

  5. If disabled, check the box for Copy Tags to Snapshots, then save changes.

Using AWS CLI:

  1. To check if copy tags to snapshots is enabled, run:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,CopyTagsToSnapshots:CopyTagsToSnapshots}'

  2. Review the output:

    • If CopyTagsToSnapshots is true, the option is enabled.

    • If false, the option is not enabled.

  3. To enable copy tags to snapshots, run:

    aws rds modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --copy-tags-to-snapshots --apply-immediately

  4. Verify the change:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,CopyTagsToSnapshots:CopyTagsToSnapshots}'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon RDS.

  2. In the RDS Dashboard, select Databases and click the DB cluster for which you want to enable the feature.

  3. Click Modify in the Cluster Details section.

  4. In the Backup section, check the Copy Tags to Snapshots option.

  5. Click Continue and then Apply Changes to save the configuration.

Using AWS CLI:

  1. To enable copy tags to snapshots, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --copy-tags-to-snapshots --apply-immediately

  2. Verify the configuration:

    aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier,CopyTagsToSnapshots:CopyTagsToSnapshots}'
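The CLI check in the Test Plan lists CopyTagsToSnapshots per cluster, and the implementation step above applies the fix one cluster at a time. The script below is an added example, not part of this SOP: it reads the JSON that `aws rds describe-db-clusters --output json` returns, flags every cluster where CopyTagsToSnapshots is not true (an absent field is treated as disabled rather than as a pass), warns when a cluster carries no tags at all (the pre-requisite above, since enabling the option would then copy nothing), and prints the SOP's modify-db-cluster command for each non-compliant cluster. The embedded sample output is constructed, the function names are the example's own, and the TagList field is the one the real describe-db-clusters response carries.

```python
import json
import shlex
import sys

# Constructed sample: the shape of `aws rds describe-db-clusters --output json`,
# trimmed to the fields this check uses. Not data from any real account.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBClusters": [
        {
            "DBClusterIdentifier": "prod-aurora-1",
            "Engine": "aurora-mysql",
            "CopyTagsToSnapshots": True,
            "TagList": [{"Key": "Owner", "Value": "payments"},
                        {"Key": "DataClass", "Value": "confidential"}],
        },
        {
            "DBClusterIdentifier": "staging-aurora-1",
            "Engine": "aurora-postgresql",
            "CopyTagsToSnapshots": False,
            "TagList": [{"Key": "Owner", "Value": "platform"}],
        },
        {
            # No tags at all: enabling the option would copy nothing, so warn too
            "DBClusterIdentifier": "legacy-cluster",
            "Engine": "aurora-mysql",
            "CopyTagsToSnapshots": False,
            "TagList": [],
        },
        {
            # Field absent from the record: treated as disabled, never as compliant
            "DBClusterIdentifier": "unknown-state",
            "Engine": "aurora-postgresql",
            "TagList": [{"Key": "Owner", "Value": "data"}],
        },
    ]
})


def evaluate_clusters(describe_output_json):
    """Parse describe-db-clusters JSON and classify each DB cluster.

    Returns one dict per cluster with its identifier, whether the option is
    enabled, how many tags the cluster carries, and a list of findings.
    Only an explicit JSON true counts as enabled (fail closed on missing data).
    """
    data = json.loads(describe_output_json)
    results = []
    for cluster in data.get("DBClusters", []):
        enabled = cluster.get("CopyTagsToSnapshots") is True
        tag_count = len(cluster.get("TagList") or [])
        findings = []
        if not enabled:
            findings.append("CopyTagsToSnapshots is not enabled")
        if tag_count == 0:
            findings.append("cluster has no tags to copy (see pre-requisite)")
        results.append({
            "DBClusterIdentifier": cluster["DBClusterIdentifier"],
            "CopyTagsToSnapshots": enabled,
            "TagCount": tag_count,
            "Findings": findings,
        })
    return results


def noncompliant_ids(results):
    """Identifiers of clusters where the option is not enabled."""
    return [r["DBClusterIdentifier"] for r in results if not r["CopyTagsToSnapshots"]]


def remediation_commands(results):
    """Build the SOP's modify-db-cluster command for each non-compliant cluster.

    Identifiers are shell-quoted so an odd cluster id can never be read as an option.
    """
    return [
        "aws rds modify-db-cluster --db-cluster-identifier "
        + shlex.quote(cid)
        + " --copy-tags-to-snapshots --apply-immediately"
        for cid in noncompliant_ids(results)
    ]


if __name__ == "__main__":
    # Read live output from a pipe; fall back to the constructed sample otherwise.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    report = evaluate_clusters(raw if raw.strip() else SAMPLE_DESCRIBE_OUTPUT)
    for entry in report:
        if not entry["CopyTagsToSnapshots"]:
            status = "FAIL"
        elif entry["TagCount"] == 0:
            status = "WARN"
        else:
            status = "PASS"
        print(f"{status} {entry['DBClusterIdentifier']}: "
              f"{'; '.join(entry['Findings']) or 'ok'}")
    for cmd in remediation_commands(report):
        print(cmd)
```

Run it against a live account with `aws rds describe-db-clusters --output json | python3 check_copy_tags.py`; without a pipe it evaluates the constructed sample. The printed commands are only suggestions to review before running, which keeps the audit step read-only (rds:DescribeDBClusters) and the change step explicit (rds:ModifyDBCluster), matching the separate Test Plan and Implementation Steps above.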

Backout Plan:

Using AWS Console:

  1. If enabling Copy Tags to Snapshots causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon RDS, select the DB cluster, and click Modify.

  3. Uncheck the Copy Tags to Snapshots option.

  4. Save the changes, and the feature will be disabled for future snapshots.

Using AWS CLI:

  1. To disable Copy Tags to Snapshots, run the following command:

    aws rds modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --no-copy-tags-to-snapshots --apply-immediately

  2. Verify that Copy Tags to Snapshots has been disabled:

    aws rds describe-db-clusters --db-cluster-identifier <CLUSTER_ID>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                  | IG1 | IG2 | IG3
  --------|------------|----------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                 |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.             |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                      |     |     |