
Enable Aurora Cluster Copy Tags to Snapshots

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RDS-042

Ensure that your Amazon Aurora database clusters have the Copy Tags to Snapshots feature enabled so that tags set on an Aurora database cluster are automatically copied to any automated or manual snapshots created from that cluster. Once the feature is enabled, those tags can also be carried to subsequent copies of the snapshots, including cross-region copies (copy-db-cluster-snapshot has its own copy-tags option for that step). Note that the feature only applies to snapshots taken after it is enabled; snapshots that already exist keep whatever tags they had.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational excellence

Copying an Aurora database cluster's tags to the automated and manual snapshots taken from it keeps snapshot metadata consistent with the parent cluster. This matters for more than inventory and cost allocation: IAM policies that authorize snapshot operations (sharing, copying, restoring or deleting snapshots) through tag-based conditions only take effect if the snapshot actually carries the tag, so an untagged snapshot of a tagged production cluster silently falls outside those controls. Because enabling the feature is not retroactive, snapshots created before the change should be reviewed and tagged separately.


Audit

To determine if your Amazon Aurora database clusters have the Copy Tags to Snapshots feature enabled, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the left navigation panel, under Amazon RDS, click Databases.

04 Click on the name (link) of the Aurora database cluster that you want to examine. To identify Aurora clusters, check the database engine type available in the Engine column (e.g. Aurora MySQL or Aurora PostgreSQL).

05 Select the Maintenance & backups tab and check the Copy tags to snapshots configuration attribute value. If the Copy tags to snapshots value is set to Disabled, the Copy Tags to Snapshots feature is not enabled for the selected Amazon Aurora database cluster.

06 Repeat steps no. 4 and 5 for each Amazon Aurora database cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-db-clusters command (OSX/Linux/UNIX) with custom query filters to list the names of the Aurora database clusters available in the selected AWS cloud region. The filter also matches the legacy aurora engine name used by Aurora MySQL 5.6 clusters, so that no Aurora cluster is skipped:

aws rds describe-db-clusters \
  --region us-east-1 \
  --output table \
  --query 'DBClusters[?Engine==`aurora` || Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'

02 The command output should return a table with the requested Aurora cluster names:

--------------------------------
|      DescribeDBClusters      |
+------------------------------+
|  cc-aurora-mysql-cluster     |
|  cc-aurora-postgres-cluster  |
+------------------------------+

03 Run describe-db-clusters command (OSX/Linux/UNIX) using the name of the Amazon Aurora cluster that you want to examine as the identifier parameter and custom query filters to describe the configuration status of the Copy Tags to Snapshots feature available for the selected database cluster:

aws rds describe-db-clusters \
  --region us-east-1 \
  --db-cluster-identifier cc-aurora-mysql-cluster \
  --query 'DBClusters[*].CopyTagsToSnapshot'

04 The command output should return the feature status (true for enabled, false for disabled):

[
    false
]

If the describe-db-clusters command output returns false, as shown in the output example above, the Copy Tags to Snapshots feature is not enabled for the selected Amazon Aurora database cluster.

05 Repeat steps no. 3 and 4 for each Amazon Aurora database cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable Copy Tags to Snapshots feature for your existing Amazon Aurora database clusters, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Copy Tags to Snapshots For Aurora Cluster",
	"Parameters": {
		"Username": {
			"Type": "String"
		},
		"Password": {
			"Type": "String",
			"NoEcho": "true"
		}
	},
	"Resources": {
		"RDSCluster": {
			"Type": "AWS::RDS::DBCluster",
			"Properties": {
				"DBClusterIdentifier": "cc-new-aurora-mysql-cluster",
				"DatabaseName": "auroradb",
				"MasterUsername": {
					"Ref": "Username"
				},
				"MasterUserPassword": {
					"Ref": "Password"
				},
				"Engine": "aurora-mysql",
				"DBSubnetGroupName": "default",
				"CopyTagsToSnapshot": true
			}
		},
		"ClusterDBInstance1": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"Engine": "aurora-mysql",
				"DBSubnetGroupName": "default",
				"DBClusterIdentifier": {
					"Ref": "RDSCluster"
				},
				"PubliclyAccessible": "false",
				"DBInstanceClass": "db.t3.medium"
			}
		},
		"ClusterDBInstance2": {
			"Type": "AWS::RDS::DBInstance",
			"Properties": {
				"Engine": "aurora-mysql",
				"DBSubnetGroupName": "default",
				"DBClusterIdentifier": {
					"Ref": "RDSCluster"
				},
				"PubliclyAccessible": "false",
				"DBInstanceClass": "db.t3.medium"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Copy Tags to Snapshots For Aurora Cluster
Parameters:
  Username:
    Type: String
  Password:
    Type: String
    NoEcho: 'true'
Resources:
  RDSCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: cc-new-aurora-mysql-cluster
      DatabaseName: auroradb
      MasterUsername: !Ref 'Username'
      MasterUserPassword: !Ref 'Password'
      Engine: aurora-mysql
      DBSubnetGroupName: default
      CopyTagsToSnapshot: true
  ClusterDBInstance1:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora-mysql
      DBSubnetGroupName: default
      DBClusterIdentifier: !Ref 'RDSCluster'
      PubliclyAccessible: 'false'
      DBInstanceClass: db.t3.medium
  ClusterDBInstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora-mysql
      DBSubnetGroupName: default
      DBClusterIdentifier: !Ref 'RDSCluster'
      PubliclyAccessible: 'false'
      DBInstanceClass: db.t3.medium

Using Terraform

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Supply the master password out of band (TF_VAR_master_password or a secrets
# store) instead of committing it to the configuration
variable "master_password" {
	type      = string
	sensitive = true
}

resource "aws_rds_cluster" "rds-cluster" {
	cluster_identifier      = "cc-aurora-mysql-cluster"
	engine                  = "aurora-mysql"
	engine_version          = "5.7.mysql_aurora.2.10.2"
	availability_zones      = ["us-east-1a", "us-east-1b"]
	database_name           = "auroradb"
	master_username         = "aurorausr"
	master_password         = var.master_password

	# Enable Copy Tags to Snapshots For Aurora Cluster
	copy_tags_to_snapshot = true
}

resource "aws_rds_cluster_instance" "rds-cluster-instances" {
	count              = 2
	identifier         = "cc-aurora-mysql-cluster-${count.index}"
	cluster_identifier = aws_rds_cluster.rds-cluster.id
	instance_class     = "db.t2.small"
	engine             = aws_rds_cluster.rds-cluster.engine
	engine_version     = aws_rds_cluster.rds-cluster.engine_version
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon RDS console at https://console.aws.amazon.com/rds/.

03 In the navigation panel, under Amazon RDS, choose Databases.

04 Select the Aurora database cluster that you want to reconfigure and choose Modify.

05 On the Modify DB cluster: <cluster-name> configuration page, perform the following actions:

  1. In the Additional configuration section, under Backup, select the Copy tags to snapshots checkbox to enable the Copy Tags to Snapshots feature for the selected Aurora database cluster.
  2. Choose Continue and review the configuration changes that you want to apply, available in the Summary of modifications section.
  3. In the Scheduling of modifications section, perform one of the following actions based on your workload requirements:
    • Select Apply during the next scheduled maintenance window to apply the changes automatically during the next scheduled maintenance window.
    • Select Apply immediately to apply the changes right away. With this option any pending modifications will be asynchronously applied as soon as possible, regardless of the maintenance window configured for the selected Aurora database cluster. Note that any changes available in the pending modifications queue are also applied. If any of the pending modifications require downtime, choosing this option can cause unexpected downtime for your Aurora application.
  4. Choose Modify cluster to apply the configuration changes.

06 Repeat steps no. 4 and 5 for each Aurora database cluster that you want to reconfigure, available in the selected AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-db-cluster command (OSX/Linux/UNIX) with the --copy-tags-to-snapshot parameter to enable the Copy Tags to Snapshots feature for the selected Amazon Aurora database cluster. The following command request example also uses the --apply-immediately parameter, which applies the configuration change asynchronously and as soon as possible. Any changes waiting in the pending modifications queue are applied with this request as well; if any of those pending modifications require downtime, this option can cause unexpected downtime for your Aurora database application. If you omit --apply-immediately, Amazon Aurora applies the change during the next maintenance window:

aws rds modify-db-cluster \
  --region us-east-1 \
  --db-cluster-identifier cc-aurora-mysql-cluster \
  --copy-tags-to-snapshot \
  --apply-immediately

02 The command output should return the configuration metadata for the modified database cluster:

{
	"DBCluster": {
		"MasterUsername": "ccadmin",
		"ReaderEndpoint": "cc-aurora-mysql-cluster.cluster-ro-abcd1234abcd.us-east-1.rds.amazonaws.com",
		"HttpEndpointEnabled": false,
		"ReadReplicaIdentifiers": [],
		"VpcSecurityGroups": [
			{
				"Status": "active",
				"VpcSecurityGroupId": "sg-abcd1234"
			}
		],
		"CopyTagsToSnapshot": true,
		"HostedZoneId": "ABCDABCDABCD",
		"EngineMode": "provisioned",
		"Status": "available",
		"MultiAZ": false,
		"LatestRestorableTime": "2021-05-20T10:11:46.810Z",
		"DomainMemberships": [],
		"PreferredBackupWindow": "04:32-05:02",
		"DBSubnetGroup": "default-vpc-abcd1234",
		"AllocatedStorage": 1,
		"BackupRetentionPeriod": 1,
		"PreferredMaintenanceWindow": "fri:03:50-fri:04:20",
		"Engine": "aurora-mysql",
		"Endpoint": "cc-aurora-mysql-cluster.cluster-abcd1234abcd.us-east-1.rds.amazonaws.com",
		"AssociatedRoles": [],
		"EarliestRestorableTime": "2021-05-20T08:58:40.190Z",
		"CrossAccountClone": false,
		"IAMDatabaseAuthenticationEnabled": false,
		"ClusterCreateTime": "2021-05-20T08:57:41.089Z",
		"EngineVersion": "5.7.mysql_aurora.2.07.2",
		"DeletionProtection": false,
		"DBClusterIdentifier": "cc-aurora-mysql-cluster",
		"DbClusterResourceId": "cluster-ABCDABCDABCDABCDABCDABCD",
		"DBClusterMembers": [
			{
				"IsClusterWriter": true,
				"DBClusterParameterGroupStatus": "in-sync",
				"PromotionTier": 1,
				"DBInstanceIdentifier": "cc-aurora-mysql-cluster-instance-1"
			}
		],
		"DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-mysql-cluster",
		"StorageEncrypted": false,
		"DatabaseName": "",
		"DBClusterParameterGroup": "default.aurora-mysql5.7",
		"AvailabilityZones": [
			"us-east-1c",
			"us-east-1b",
			"us-east-1a"
		],
		"Port": 3306
	}
}

03 Repeat steps no. 1 and 2 for each Aurora database cluster that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
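The Audit and Remediation steps above check one cluster at a time and do not cover the snapshots that already existed before the feature was switched on. The following script is an added example, not part of the Conformity article or of any AWS tooling: it evaluates the rule over the JSON that describe-db-clusters returns, emits the matching modify-db-cluster command for each non-compliant Aurora cluster, and then compares the tags on existing cluster snapshots (from describe-db-cluster-snapshots) against their parent cluster to list snapshots that still need tagging by hand. It assumes the TagList field that both CLI outputs carry; the file name rds042_audit.py and all cluster, snapshot and tag values in the embedded sample are constructed.

```python
"""Evaluate RDS-042 offline from AWS CLI JSON and flag snapshots that predate the fix.

Added example, not code from the Conformity article. Run against a real region with:

  aws rds describe-db-clusters --region us-east-1 --output json > clusters.json
  aws rds describe-db-cluster-snapshots --region us-east-1 --output json > snapshots.json
  python3 rds042_audit.py clusters.json snapshots.json

Without arguments it evaluates the constructed SAMPLE_* data below.
"""
import json
import sys

AURORA_ENGINES = {"aurora", "aurora-mysql", "aurora-postgresql"}


def region_from_arn(arn):
    """arn:aws:rds:<region>:<account>:cluster:<id> -> <region>."""
    return arn.split(":")[3]


def remediation_command(region, cluster_id, apply_immediately=False):
    """Build the modify-db-cluster call that enables the feature for one cluster."""
    cmd = ["aws", "rds", "modify-db-cluster", "--region", region,
           "--db-cluster-identifier", cluster_id, "--copy-tags-to-snapshot"]
    if apply_immediately:
        cmd.append("--apply-immediately")
    return " ".join(cmd)


def evaluate_clusters(describe_output):
    """One finding per Aurora cluster; non-Aurora (Multi-AZ DB) clusters are out of scope."""
    findings = []
    for c in describe_output.get("DBClusters", []):
        if c.get("Engine") not in AURORA_ENGINES:
            continue
        region = region_from_arn(c["DBClusterArn"])
        enabled = bool(c.get("CopyTagsToSnapshot", False))  # absent key treated as disabled
        findings.append({
            "cluster": c["DBClusterIdentifier"],
            "region": region,
            "compliant": enabled,
            "remediation": None if enabled else remediation_command(region, c["DBClusterIdentifier"]),
        })
    return findings


def tags_as_dict(tag_list):
    return {t["Key"]: t["Value"] for t in tag_list or []}


def snapshots_missing_parent_tags(describe_clusters, describe_snapshots):
    """Snapshots whose tags do not include every tag of their parent cluster.

    Enabling CopyTagsToSnapshot is not retroactive, so this is the list of
    snapshots that still need tagging (aws rds add-tags-to-resource) after the fix.
    """
    parent_tags = {c["DBClusterIdentifier"]: tags_as_dict(c.get("TagList"))
                   for c in describe_clusters.get("DBClusters", [])}
    gaps = []
    for s in describe_snapshots.get("DBClusterSnapshots", []):
        expected = parent_tags.get(s["DBClusterIdentifier"])
        if expected is None:
            continue  # snapshot of a cluster that no longer exists; nothing to compare against
        actual = tags_as_dict(s.get("TagList"))
        missing = {k: v for k, v in expected.items() if actual.get(k) != v}
        if missing:
            gaps.append({"snapshot": s["DBClusterSnapshotIdentifier"],
                         "cluster": s["DBClusterIdentifier"], "missing_tags": missing})
    return gaps


# Constructed sample data in the shape of the two CLI outputs (identifiers and tags are made up).
SAMPLE_CLUSTERS = {"DBClusters": [
    {"DBClusterIdentifier": "cc-aurora-mysql-cluster", "Engine": "aurora-mysql",
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-mysql-cluster",
     "CopyTagsToSnapshot": False,
     "TagList": [{"Key": "env", "Value": "prod"}, {"Key": "owner", "Value": "payments"}]},
    {"DBClusterIdentifier": "cc-aurora-postgres-cluster", "Engine": "aurora-postgresql",
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-aurora-postgres-cluster",
     "CopyTagsToSnapshot": True, "TagList": [{"Key": "env", "Value": "dev"}]},
    {"DBClusterIdentifier": "cc-multiaz-mysql-cluster", "Engine": "mysql",  # not Aurora
     "DBClusterArn": "arn:aws:rds:us-east-1:123456789012:cluster:cc-multiaz-mysql-cluster",
     "CopyTagsToSnapshot": False, "TagList": []},
]}
SAMPLE_SNAPSHOTS = {"DBClusterSnapshots": [
    {"DBClusterSnapshotIdentifier": "rds:cc-aurora-mysql-cluster-2021-05-20-04-32",
     "DBClusterIdentifier": "cc-aurora-mysql-cluster", "TagList": []},  # taken before the fix
    {"DBClusterSnapshotIdentifier": "cc-aurora-postgres-manual-1",
     "DBClusterIdentifier": "cc-aurora-postgres-cluster",
     "TagList": [{"Key": "env", "Value": "dev"}]},
]}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            clusters, snapshots = json.load(f1), json.load(f2)
    else:
        clusters, snapshots = SAMPLE_CLUSTERS, SAMPLE_SNAPSHOTS
    for f in evaluate_clusters(clusters):
        status = "OK  " if f["compliant"] else "FAIL"
        fix = f"  -> {f['remediation']}" if f["remediation"] else ""
        print(f"{status} {f['region']} {f['cluster']}{fix}")
    for g in snapshots_missing_parent_tags(clusters, snapshots):
        print(f"UNTAGGED {g['snapshot']} (cluster {g['cluster']}) missing {g['missing_tags']}")


if __name__ == "__main__":
    main(sys.argv)
```

The region is taken from each cluster's ARN rather than from a command-line flag, so the same script can be pointed at JSON collected from several regions in a loop. The remediation command is emitted without --apply-immediately by default; add it only after reviewing the cluster's pending modifications, for the downtime reason given in the CLI remediation step above.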

Publication date Dec 30, 2020
