Tags Not Copied to RDS Cluster Snapshot
- Query id: 9c30655c-f9a1-4296-b365-53c0bba80c76
- Query name: Tags Not Copied to RDS Cluster Snapshot
- Platform: CloudFormation
- Severity: Low
- Category: Backup
- CWE: 284
- Risk score: 1.0
- URL: Github
Description
Tags of the RDS Cluster should be copied to the respective snapshots to ensure that snapshots retain important metadata for identification, cost allocation, and resource management.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "example",
  "Resources": {
    "MyDBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier": "my-db-instance",
        "Engine": "mysql",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "CopyTagsToSnapshot": false
      },
      "DeletionPolicy": "Snapshot"
    },
    "MyDBCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "my-db-cluster",
        "Engine": "aurora-mysql",
        "CopyTagsToSnapshot": false
      }
    }
  }
}
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: example
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: my-db-instance
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      CopyTagsToSnapshot: false
    DeletionPolicy: Snapshot
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: my-db-cluster
      Engine: aurora-mysql
      CopyTagsToSnapshot: false
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "example",
  "Resources": {
    "MyDBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier": "my-db-instance",
        "Engine": "mysql",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "CopyTagsToSnapshot": "false"
      },
      "DeletionPolicy": "Snapshot"
    },
    "MyDBCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "my-db-cluster",
        "Engine": "aurora-mysql",
        "CopyTagsToSnapshot": "false"
      }
    }
  }
}
Positive test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: example
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: my-db-instance
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      CopyTagsToSnapshot: "false"
    DeletionPolicy: Snapshot
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: my-db-cluster
      Engine: aurora-mysql
      CopyTagsToSnapshot: "false"
Positive test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "example",
  "Resources": {
    "MyDBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier": "my-db-instance",
        "Engine": "mysql",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20"
      },
      "DeletionPolicy": "Snapshot"
    },
    "MyDBCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "my-db-cluster",
        "Engine": "aurora-mysql"
      }
    }
  }
}
Positive test num. 6 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: example
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: my-db-instance
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
    DeletionPolicy: Snapshot
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: my-db-cluster
      Engine: aurora-mysql
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: example
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: my-db-instance
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      CopyTagsToSnapshot: true
    DeletionPolicy: Snapshot
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: my-db-cluster
      Engine: aurora-mysql
      CopyTagsToSnapshot: true
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "example",
  "Resources": {
    "MyDBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier": "my-db-instance",
        "Engine": "mysql",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "CopyTagsToSnapshot": true
      },
      "DeletionPolicy": "Snapshot"
    },
    "MyDBCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "my-db-cluster",
        "Engine": "aurora-mysql",
        "CopyTagsToSnapshot": true
      }
    }
  }
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: example
Resources:
  MyDBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: my-db-instance
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      CopyTagsToSnapshot: "true"
    DeletionPolicy: Snapshot
  MyDBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: my-db-cluster
      Engine: aurora-mysql
      CopyTagsToSnapshot: "true"
Negative test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "example",
  "Resources": {
    "MyDBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier": "my-db-instance",
        "Engine": "mysql",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "CopyTagsToSnapshot": "true"
      },
      "DeletionPolicy": "Snapshot"
    },
    "MyDBCluster": {
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "DBClusterIdentifier": "my-db-cluster",
        "Engine": "aurora-mysql",
        "CopyTagsToSnapshot": "true"
      }
    }
  }
}
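
The three failing forms in the positive tests above (boolean false, the string "false", and the property left out) can be checked in a JSON template with a few lines of Python. This is an added example, not the KICS query itself or code from the project; the function names and the sample template are constructed here, and reporting intrinsic functions such as Ref as "unresolved" is an assumption of this example that the page does not cover.

```python
import json

# Resource types this rule covers, per the samples on this page.
RDS_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}


def copy_tags_state(properties):
    """Classify CopyTagsToSnapshot as enabled, disabled, missing or unresolved."""
    if "CopyTagsToSnapshot" not in properties:
        return "missing"  # positive tests 5 and 6
    value = properties["CopyTagsToSnapshot"]
    if isinstance(value, bool):
        return "enabled" if value else "disabled"  # positive tests 1 and 2
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        # Quoted booleans, as in positive tests 3 and 4.
        return "enabled" if value.strip().lower() == "true" else "disabled"
    # Assumption: an intrinsic function such as {"Ref": ...} cannot be
    # decided statically, so it is reported for manual review.
    return "unresolved"


def find_untagged_snapshots(template_text):
    """Return sorted (logical_id, type, state) for RDS resources not provably enabled."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") not in RDS_TYPES:
            continue
        state = copy_tags_state(resource.get("Properties") or {})
        if state != "enabled":
            findings.append((logical_id, resource["Type"], state))
    return sorted(findings)


# Constructed template (not from the page): one resource per case.
SAMPLE = json.dumps({"Resources": {
    "DbBoolFalse": {"Type": "AWS::RDS::DBInstance", "Properties": {"CopyTagsToSnapshot": False}},
    "ClusterStrFalse": {"Type": "AWS::RDS::DBCluster", "Properties": {"CopyTagsToSnapshot": "false"}},
    "ClusterMissing": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-mysql"}},
    "DbOk": {"Type": "AWS::RDS::DBInstance", "Properties": {"CopyTagsToSnapshot": "true"}},
    "DbParam": {"Type": "AWS::RDS::DBInstance", "Properties": {"CopyTagsToSnapshot": {"Ref": "CopyTags"}}},
    "Logs": {"Type": "AWS::S3::Bucket"},
}})

if __name__ == "__main__":
    for finding in find_untagged_snapshots(SAMPLE):
        print(*finding)
```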