CPM may fail to set the "cpm_deleted" tag on RDS snapshots
When performing a cross-account DR copy of RDS snapshots using a DR account that has “Allow Deleting Snapshots” set to False, RDS snapshots that have exceeded the retention policy will not have the “cpm_deleted” tag.
You will also see the following error in cpm_agent.log and agent_error.log:
User/user_name_here is not authorized to perform: rds:AddTagsToResource on resource: arn:aws:rds:regionnamehere:snapshot:backuppolicynamehere-db-datehere', u'Code': u'AccessDenied'
The AWS account specified for DR copy of RDS snapshots does not have the correct permissions to assign tags.
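To confirm this diagnosis from the logs, the following added example (not part of CPM or of the original article) scans log text for AccessDenied errors in the shape quoted above and reports which principal was denied which action, then drafts the matching IAM statement. The sample log lines, timestamps, account ID, user name and the function names are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the shape of the error quoted above (not real log output).
SAMPLE_LOG = """\
2024-01-10 02:00:11 ERROR {u'Message': u'User: arn:aws:iam::111122223333:user/dr-copy is not authorized to perform: rds:AddTagsToResource on resource: arn:aws:rds:us-west-2:111122223333:snapshot:policy1-db-20240101', u'Code': u'AccessDenied'}
2024-01-10 02:00:12 INFO DR copy finished for policy1
2024-01-11 02:00:09 ERROR {u'Message': u'User: arn:aws:iam::111122223333:user/dr-copy is not authorized to perform: rds:AddTagsToResource on resource: arn:aws:rds:us-west-2:111122223333:snapshot:policy1-db-20240102', u'Code': u'AccessDenied'}
"""

# Principal, denied action and target ARN as they appear in the AWS error text.
DENIED = re.compile(
    r"(?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>arn:[^\s'\"]+)"
)

def find_denials(log_text):
    """Map (principal, action) -> set of resources denied in the log text."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "AccessDenied" not in line:
            continue
        m = DENIED.search(line)
        if m:
            denials[(m["principal"], m["action"])].add(m["resource"])
    return dict(denials)

def policy_statement(denials):
    """Draft an IAM Allow statement covering the denied actions.
    Assumption: the last ARN segment (the snapshot name) is widened to '*'
    because snapshot names change with every backup; tighten as needed."""
    resources = {r.rsplit(":", 1)[0] + ":*" for rs in denials.values() for r in rs}
    return {
        "Effect": "Allow",
        "Action": sorted({action for _, action in denials}),
        "Resource": sorted(resources),
    }

if __name__ == "__main__":
    found = find_denials(SAMPLE_LOG)
    for (principal, action), resources in sorted(found.items()):
        print(f"{principal} denied {action} on {len(resources)} resource(s)")
    print(json.dumps(policy_statement(found), indent=2))
```

Run it against the contents of cpm_agent.log or agent_error.log in place of SAMPLE_LOG to list every denied action for the DR account, not only the tagging call.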
Please add this permission to the DR AWS account: