Control: 48 RDS for MySQL DB clusters should be configured to copy tags to DB snapshots
Description
This control checks whether an Amazon RDS for MySQL DB cluster is configured to automatically copy tags to snapshots of the DB cluster when the snapshots are created. The control fails if the CopyTagsToSnapshot parameter is set to false for the RDS for MySQL DB cluster.
Copying tags to DB snapshots helps maintain proper resource tracking, governance, and cost allocation across backup resources. This enables consistent resource identification, access control, and compliance monitoring across both active databases and their snapshots. Properly tagged snapshots improve security operations by ensuring backup resources inherit the same metadata as their source databases.
Remediation
For information about configuring an Amazon RDS for MySQL DB cluster to automatically copy tags to DB snapshots, see Tagging Amazon RDS resources in the Amazon Relational Database Service User Guide.
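The following is an added example, not part of the control or of the AWS documentation. It takes output shaped like `aws rds describe-db-clusters`, selects the clusters this control would put in alarm, and builds the arguments for the RDS ModifyDBCluster call that enables tag copying. The cluster names and sample data are constructed, and the engine filter follows the control's query shown under SQL.

```python
import json

# Constructed sample shaped like `aws rds describe-db-clusters` output.
SAMPLE = json.loads("""
{"DBClusters": [
  {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql", "CopyTagsToSnapshot": false},
  {"DBClusterIdentifier": "billing-prod", "Engine": "aurora-mysql", "CopyTagsToSnapshot": true},
  {"DBClusterIdentifier": "legacy-reports", "Engine": "aurora-mysql"},
  {"DBClusterIdentifier": "analytics-pg", "Engine": "aurora-postgresql", "CopyTagsToSnapshot": false}
]}
""")

IN_SCOPE_ENGINE = "aurora-mysql"  # same engine filter as the control's query


def plan_remediation(describe_output):
    """Return ModifyDBCluster arguments for each in-scope cluster that fails."""
    plan = []
    for cluster in describe_output.get("DBClusters", []):
        if cluster.get("Engine") != IN_SCOPE_ENGINE:
            continue  # the control reports these as 'skip'
        # A missing field is treated as disabled, matching the query's
        # 'else alarm' branch for a null copy_tags_to_snapshot value.
        if cluster.get("CopyTagsToSnapshot") is True:
            continue  # already 'ok'
        plan.append({
            "DBClusterIdentifier": cluster["DBClusterIdentifier"],
            "CopyTagsToSnapshot": True,
        })
    return plan


def apply_plan(plan, rds_client):
    """Apply the plan with a boto3 RDS client; returns the identifiers changed."""
    changed = []
    for kwargs in plan:
        rds_client.modify_db_cluster(**kwargs)
        changed.append(kwargs["DBClusterIdentifier"])
    return changed


if __name__ == "__main__":
    # Dry run over the constructed sample: print what would be changed.
    for step in plan_remediation(SAMPLE):
        print("would modify:", step)
```

To run it against a real account, pass the result of a boto3 `describe_db_clusters` call (paginated as needed) to `plan_remediation`, review the plan, then call `apply_plan` with the same RDS client.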
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_rds_48
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_rds_48 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when engine <> 'aurora-mysql' then 'skip'
    when copy_tags_to_snapshot then 'ok'
    else 'alarm'
  end as status,
  case
    when engine <> 'aurora-mysql' then title || ' is of ' || engine || ' type.'
    when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.'
    else title || ' copy tags to snapshot disabled.'
  end as reason,
  region,
  account_id
from
  aws_rds_db_cluster;