🛡️ AWS RDS Instance is not configured to copy all tags to snapshots 🟢
- Contextual name: 🛡️ Instance is not configured to copy all tags to snapshots 🟢
- ID: /ce/ca/aws/rds/instance-copy-tags-to-snapshot
- Tags:
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Logic
Similar Policies
- AWS Security Hub: [RDS.17] RDS DB instances should be configured to copy tags to snapshots
Description
This policy identifies AWS RDS Instances that are not configured to copy instance tags to their snapshots. When this setting is enabled, snapshots automatically inherit the tags applied to their parent RDS database instances.
Rationale
RDS snapshots incur ongoing storage costs. If snapshots do not inherit key tags such as Department or Project, it becomes difficult to accurately allocate and track these costs in billing and cost-management reports.
Many organizations rely on tags to classify and protect sensitive data (for example, DataClassification: Restricted). When tags are not copied to snapshots, backups may be excluded from automated security controls, monitoring processes, or retention policies.
In addition, IAM policies often use tag-based conditions (for example, aws:ResourceTag/...) to enforce access controls. Ensuring that tags are copied to snapshots helps maintain consistent security permissions between the primary database instance and its backups.
Audit
This policy flags an AWS RDS Instance as INCOMPLIANT when the Copy Tags to Snapshot checkbox is set to false.
Remediation
Enable Copy Tags to Snapshot for an RDS Instance
To ensure that RDS snapshots inherit the same tags as their parent database instances, enable the Copy Tags to Snapshot setting. This ensures consistent cost allocation, security classification, and access control across both live databases and their backups.
From Command Line
Use the following AWS CLI command to enable tag propagation to snapshots for the specified RDS instance:
aws rds modify-db-instance \
--db-instance-identifier {{db-instance-id}} \
--copy-tags-to-snapshot \
--apply-immediately
Considerations
- Enabling this setting does not affect existing snapshots; it applies only to snapshots created after the change.
- The modification does not require downtime and can be applied immediately.
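The audit rule above (flag an instance whenever Copy Tags to Snapshot is not true) and the remediation command can be driven from the output of `aws rds describe-db-instances`, whose `DBInstances[].CopyTagsToSnapshot` field carries the setting. The script below is an added example, not Cloudaware's policy implementation or AWS code: it runs the check over a constructed sample response, treats a missing `CopyTagsToSnapshot` field as not enabled, and builds the `modify-db-instance` command from the Remediation section for each flagged instance. The `live_pages` helper is an assumption about how one would feed real pages in with boto3; it is not required for the offline run.

```python
"""Audit RDS instances for CopyTagsToSnapshot and emit the remediation command.

Added example for this policy page; not Cloudaware's or AWS's code.
"""
from __future__ import annotations

import json
import shlex
from typing import Dict, Iterable, List, Optional

# Constructed sample of a `describe-db-instances` response, trimmed to the fields
# this check reads. Instance names are made up; no real account is involved.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "billing-prod", "Engine": "postgres", "CopyTagsToSnapshot": True},
        {"DBInstanceIdentifier": "hr-reporting", "Engine": "mysql", "CopyTagsToSnapshot": False},
        # Field absent: the setting is not enabled, so the policy should still flag it.
        {"DBInstanceIdentifier": "legacy-crm", "Engine": "mariadb"},
    ]
}


def is_compliant(instance: dict) -> bool:
    """Mirror the policy's audit rule: compliant only when CopyTagsToSnapshot is true."""
    return instance.get("CopyTagsToSnapshot") is True


def find_noncompliant(pages: Iterable[dict]) -> List[str]:
    """Return identifiers of instances that would be flagged INCOMPLIANT, across response pages."""
    flagged: List[str] = []
    for page in pages:
        for inst in page.get("DBInstances", []):
            if not is_compliant(inst):
                flagged.append(inst["DBInstanceIdentifier"])
    return flagged


def remediation_command(db_instance_id: str) -> str:
    """Build the modify-db-instance call from the Remediation section for one instance."""
    return (
        "aws rds modify-db-instance "
        f"--db-instance-identifier {shlex.quote(db_instance_id)} "
        "--copy-tags-to-snapshot --apply-immediately"
    )


def audit_report(pages: Iterable[dict]) -> Dict[str, str]:
    """Map each non-compliant instance id to the command that remediates it."""
    return {db_id: remediation_command(db_id) for db_id in find_noncompliant(pages)}


def live_pages(region_name: Optional[str] = None):
    """Yield real describe-db-instances pages via boto3 (hypothetical live path; boto3 is
    imported lazily so the offline demo does not need it installed)."""
    import boto3

    rds = boto3.client("rds", region_name=region_name)
    yield from rds.get_paginator("describe_db_instances").paginate()


if __name__ == "__main__":
    # Offline run against the constructed sample; pass live_pages() instead for a real scan.
    print(json.dumps(audit_report([SAMPLE_RESPONSE]), indent=2))
```

Running the script prints the two flagged sample instances with their remediation commands; the first consideration above still applies, since the generated command only changes snapshots taken after it runs.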
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.17] RDS DB instances should be configured to copy tags to snapshots | 1 | no data | |||
| 💼 Cloudaware Framework → 💼 System Configuration | 69 | no data | |||
| 💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | no data | |||
| 💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | 22 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks | 54 | no data | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | 22 | no data | |||