
🛡️ AWS RDS Cluster is not configured to copy all tags to snapshots🟢

  • Contextual name: 🛡️ Cluster is not configured to copy all tags to snapshots🟢
  • ID: /ce/ca/aws/rds/cluster-copy-tags-to-snapshot
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS RDS Clusters that are not configured to copy resource tags to their snapshots. When this setting is enabled, snapshots automatically inherit the tags applied to their parent RDS cluster resources.

Rationale

RDS snapshots incur ongoing storage costs. If snapshots do not inherit key tags such as Department or Project, it becomes difficult to accurately allocate and track these costs in billing and cost-management reports.

Many organizations rely on tags to classify and protect sensitive data (for example, DataClassification: Restricted). When tags are not copied to snapshots, backups may be excluded from automated security controls, monitoring processes, or data retention policies.

Additionally, IAM policies frequently use tag-based conditions (for example, aws:ResourceTag/...) to enforce access controls. Ensuring that tags are consistently applied to both primary database resources and their snapshots helps maintain uniform security permissions.

Audit

This policy flags an AWS RDS Cluster as INCOMPLIANT when the Copy Tags to Snapshot setting is set to false.

Remediation

Enable Copy Tags to Snapshot for an RDS Cluster

To ensure that RDS snapshots consistently inherit the same tags as their parent database clusters, enable the Copy Tags to Snapshot setting. This helps maintain consistent cost allocation, data classification, and access control across both active database resources and their backups.

This configuration change can be applied at the cluster level and affects all future snapshots created for the cluster.

From Command Line

Use the following AWS CLI command to enable tag propagation to snapshots for the specified RDS cluster:

    aws rds modify-db-cluster \
        --db-cluster-identifier {{db-cluster-id}} \
        --copy-tags-to-snapshot \
        --apply-immediately

Considerations
  • This setting applies only to snapshots created after the configuration change; existing snapshots are not updated.
  • The change does not require downtime and can be applied immediately.
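The following script is an added example for this page (it is not Cloudaware's policy logic and not the AWS CLI command above): it implements the Audit rule, flagging every cluster whose CopyTagsToSnapshot attribute is not true, over the response shape returned by the RDS DescribeDBClusters API, and optionally applies the same remediation as the CLI command through boto3's modify_db_cluster. It assumes boto3 is installed and that the caller holds rds:DescribeDBClusters and rds:ModifyDBCluster permissions; the FakeRds class and SAMPLE_CLUSTERS data are constructed stand-ins so the logic can be exercised offline.

```python
"""Audit RDS clusters for Copy Tags to Snapshot and optionally remediate.

Added example (not part of the original policy page). Assumes boto3 is
available for the live path; the audit logic itself is a pure function
over DescribeDBClusters output so it can be checked on constructed data.
"""
from typing import Dict, Iterable, List


def find_incompliant_clusters(clusters: Iterable[Dict]) -> List[str]:
    """Return identifiers of clusters that would be flagged INCOMPLIANT.

    Mirrors the policy's audit rule: a cluster is INCOMPLIANT when
    CopyTagsToSnapshot is false. A missing attribute is treated as false
    so that an incomplete API response never hides a finding.
    """
    return [
        c["DBClusterIdentifier"]
        for c in clusters
        if not c.get("CopyTagsToSnapshot", False)
    ]


def describe_all_clusters(rds) -> List[Dict]:
    """Collect every cluster across all DescribeDBClusters pages."""
    clusters: List[Dict] = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return clusters


def enable_copy_tags(rds, cluster_id: str) -> Dict:
    """boto3 equivalent of the page's `aws rds modify-db-cluster` command."""
    return rds.modify_db_cluster(
        DBClusterIdentifier=cluster_id,
        CopyTagsToSnapshot=True,
        ApplyImmediately=True,
    )


def audit_and_remediate(rds, remediate: bool = False) -> List[str]:
    """Return flagged cluster ids; fix them in place when remediate=True."""
    flagged = find_incompliant_clusters(describe_all_clusters(rds))
    if remediate:
        for cluster_id in flagged:
            enable_copy_tags(rds, cluster_id)
    return flagged


# Constructed sample resembling a DescribeDBClusters response (not real data).
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "prod-aurora", "CopyTagsToSnapshot": True},
    {"DBClusterIdentifier": "analytics-aurora", "CopyTagsToSnapshot": False},
    {"DBClusterIdentifier": "legacy-aurora"},  # attribute absent
]


class FakeRds:
    """Minimal offline stand-in for a boto3 RDS client (constructed)."""

    def __init__(self, clusters: Iterable[Dict]):
        self.clusters = [dict(c) for c in clusters]
        self.calls: List[str] = []  # cluster ids passed to modify_db_cluster

    def get_paginator(self, name: str):
        assert name == "describe_db_clusters"
        clusters = self.clusters

        class _Pager:
            def paginate(self):
                # Split into two pages so the pagination path is exercised.
                mid = len(clusters) // 2
                yield {"DBClusters": clusters[:mid]}
                yield {"DBClusters": clusters[mid:]}

        return _Pager()

    def modify_db_cluster(self, DBClusterIdentifier, CopyTagsToSnapshot, ApplyImmediately):
        for c in self.clusters:
            if c["DBClusterIdentifier"] == DBClusterIdentifier:
                c["CopyTagsToSnapshot"] = CopyTagsToSnapshot
                self.calls.append(DBClusterIdentifier)
                return {"DBCluster": dict(c)}
        raise KeyError(DBClusterIdentifier)


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:  # real account: requires boto3 and credentials
        import boto3

        client = boto3.client("rds")
    else:  # offline demonstration on the constructed sample
        client = FakeRds(SAMPLE_CLUSTERS)
    for cid in audit_and_remediate(client, remediate="--fix" in sys.argv):
        print(f"INCOMPLIANT: {cid}")
```

Run it without arguments to see the two constructed clusters flagged; with `--live` it audits the account of the configured AWS credentials, and adding `--fix` applies the remediation. As the Considerations note says, the fix only affects snapshots taken afterwards, so existing snapshots still need to be tagged separately.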

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.16] RDS DB clusters should be configured to copy tags to snapshots | 1 | no data
💼 Cloudaware Framework → 💼 System Configuration | 69 | no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 3147 | no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 45 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) | 347 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 54 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration | 746 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 22 | no data