This check assesses whether each RDS DB instance propagates its instance tags to the DB snapshots taken from it (the CopyTagsToSnapshot setting).
Aurora engines manage this setting at the cluster level, so Aurora instances aren't evaluated individually.
Risk
Snapshots without inherited tags lose ownership, environment, and sensitivity context, degrading visibility and governance. Missing metadata weakens ABAC, cost allocation, and lifecycle policies, enabling unintended backup access, orphaned snapshots, and retention drift that impact confidentiality and availability.
prowler aws --checks rds_instance_copy_tags_to_snapshots
Recommendation
Enable CopyTagsToSnapshot on non-Aurora RDS instances so snapshots inherit required metadata. Establish a consistent tag taxonomy and automate enforcement to support least privilege via ABAC, cost tracking, and retention controls. For Aurora, configure tag copy at the cluster level.
Remediation
aws rds modify-db-instance --db-instance-identifier <example_resource_id> --copy-tags-to-snapshot --apply-immediately
- In the AWS Console, go to RDS > Databases and select the non-Aurora DB instance
- Click Modify
- Under Additional configuration, enable Copy tags to snapshots
- Check Apply immediately and click Modify DB instance
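The following is an added example, not Prowler's own source code, showing the assessment logic this check and its remediation describe: each instance in a DescribeDBInstances response is evaluated on its CopyTagsToSnapshot flag, Aurora engines are skipped because tag copy is a cluster-level setting, and a remediation command is produced for each failure. The sample instances are constructed; the Aurora-engine prefix match and the optional boto3 collector are assumptions of this example.

```python
"""Assess RDS instances for CopyTagsToSnapshot and emit remediation for failures."""
from dataclasses import dataclass
from typing import List, Optional

# Aurora engines ("aurora", "aurora-mysql", "aurora-postgresql") manage snapshot tag copy
# at the cluster level, so instances with these engines are not evaluated (assumed prefix match).
AURORA_ENGINE_PREFIX = "aurora"


@dataclass
class Finding:
    instance_id: str
    engine: str
    status: str   # "PASS" or "FAIL"
    message: str


def evaluate_instance(db: dict) -> Optional[Finding]:
    """Evaluate one DBInstance dict (DescribeDBInstances shape); None for Aurora engines."""
    engine = db.get("Engine", "")
    instance_id = db["DBInstanceIdentifier"]
    if engine.startswith(AURORA_ENGINE_PREFIX):
        return None
    # A missing key is treated as disabled: snapshots would not inherit tags.
    if db.get("CopyTagsToSnapshot", False):
        return Finding(instance_id, engine, "PASS", f"RDS instance {instance_id} copies tags to snapshots.")
    return Finding(instance_id, engine, "FAIL", f"RDS instance {instance_id} does not copy tags to snapshots.")


def evaluate_instances(instances: List[dict]) -> List[Finding]:
    return [f for f in (evaluate_instance(i) for i in instances) if f is not None]


def remediation_command(finding: Finding) -> str:
    """The CLI remediation from this page, filled in with the failing instance identifier."""
    return (f"aws rds modify-db-instance --db-instance-identifier {finding.instance_id} "
            "--copy-tags-to-snapshot --apply-immediately")


def fetch_instances(region: str) -> List[dict]:
    """Live collection via boto3; the import is deferred so the example runs offline without it."""
    import boto3
    paginator = boto3.client("rds", region_name=region).get_paginator("describe_db_instances")
    return [db for page in paginator.paginate() for db in page["DBInstances"]]


# Constructed sample modelled on the DescribeDBInstances response shape (not real resources).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "prod-orders-db", "Engine": "postgres", "CopyTagsToSnapshot": True},
    {"DBInstanceIdentifier": "dev-reports-db", "Engine": "mysql", "CopyTagsToSnapshot": False},
    {"DBInstanceIdentifier": "legacy-app-db", "Engine": "oracle-ee"},
    {"DBInstanceIdentifier": "analytics-writer", "Engine": "aurora-postgresql", "CopyTagsToSnapshot": False},
]

if __name__ == "__main__":
    for f in evaluate_instances(SAMPLE_INSTANCES):
        print(f.status, f.message)
        if f.status == "FAIL":
            print("  remediate:", remediation_command(f))
```

Replace SAMPLE_INSTANCES with fetch_instances("<region>") to run the same evaluation against a live account with read-only rds:DescribeDBInstances permission.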
Resource Type
AwsRdsDbInstance
References
- https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-enable-tags-snapshot-rds-instance.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-17
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/RDS/copy-tags-to-snapshot.html