Skip to content

Neptune DB clusters should be configured to copy tags to snapshots

Identifier

neptune-enable-copy-tags-to-snapshots

Category

Identify > Inventory > Tagging

Description

This control checks whether Amazon Neptune clusters have copy tags to snapshots enabled. When enabled, all tags from the cluster are automatically copied to any manual or automated snapshots. This helps maintain consistent metadata between the cluster and its backups, aiding in cost allocation, access control, and organization.

The setting is controlled via copy_tags_to_snapshot = true in the Terraform aws_neptune_cluster resource.

Non Compliant Example

Terraform
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
resource "aws_neptune_cluster" "foo" {
  cluster_identifier                  = "foo"
  engine                              = "neptune"
  storage_encrypted                   = true
  kms_key_arn                         = kms_key_arn
  deletion_protection                 = true
  backup_retention_period             = 5
  preferred_backup_window             = "07:00-09:00"
  iam_database_authentication_enabled = true
  availability_zones                  = ["us-east-1a", "us-east-1b"]
  skip_final_snapshot                 = true
  copy_tags_to_snapshot               = false
}

Remediation

To ensure tags are copied to snapshots, set copy_tags_to_snapshot = true:

Terraform
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
resource "aws_neptune_cluster" "foo" {
  cluster_identifier                  = "foo"
  engine                              = "neptune"
  storage_encrypted                   = true
  kms_key_arn                         = kms_key_arn
  deletion_protection                 = true
  backup_retention_period             = 5
  preferred_backup_window             = "07:00-09:00"
  iam_database_authentication_enabled = true
  availability_zones                  = ["us-east-1a", "us-east-1b"]
  skip_final_snapshot                 = true
  copy_tags_to_snapshot               = true
}

Extra Resources