Checks that Aurora MySQL DB clusters have Backtrack enabled, i.e. a non-zero BacktrackWindow, so the cluster retains change records and can be rewound in place to a consistent earlier point in time without a restore. Applies to the aurora-mysql engine only; clusters of other engines are not evaluated.
Risk
Without Backtrack, destructive queries or administrative mistakes cannot be undone quickly: recovery requires a snapshot or point-in-time restore into a new cluster followed by an application cutover. That lengthens recovery time, disrupts availability, and risks data integrity if the restore or the subsequent manual rollback is incomplete.
Adversaries who alter or delete data gain a longer impact window before containment, because the only way back is a full restore rather than an in-place rewind.
prowler aws --checks rds_cluster_backtrack_enabled
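The logic the check applies, written out as an added example in Python (this is not Prowler's own source): each cluster from DescribeDBClusters is classified PASS, FAIL or SKIP, with the engine filter and the zero/missing BacktrackWindow handling made explicit. The cluster names and the SAMPLE_CLUSTERS response are constructed for the example; audit_region is the live path and assumes boto3 credentials for the account being audited.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cluster_id: str
    status: str   # "PASS", "FAIL" or "SKIP"
    reason: str


def evaluate_cluster(cluster: dict) -> Finding:
    """Classify one element of DescribeDBClusters['DBClusters'].

    Only the aurora-mysql engine supports Backtrack, so other engines are
    skipped rather than failed. A missing BacktrackWindow key is treated as 0,
    the value of a cluster that never had Backtrack enabled.
    """
    cluster_id = cluster["DBClusterIdentifier"]
    engine = cluster.get("Engine", "")
    if engine != "aurora-mysql":
        return Finding(cluster_id, "SKIP", f"engine {engine!r} has no Backtrack support")
    window = int(cluster.get("BacktrackWindow") or 0)
    if window <= 0:
        return Finding(cluster_id, "FAIL", "Backtrack is disabled (BacktrackWindow is 0)")
    return Finding(cluster_id, "PASS", f"Backtrack window is {window} s ({window / 3600:.1f} h)")


def evaluate_clusters(clusters: list) -> list:
    return [evaluate_cluster(c) for c in clusters]


def failing_cluster_ids(clusters: list) -> list:
    """Identifiers that need remediation (restore into a Backtrack-enabled cluster)."""
    return [f.cluster_id for f in evaluate_clusters(clusters) if f.status == "FAIL"]


def audit_region(region: str) -> list:
    """Live path: page through DescribeDBClusters with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline evaluation above has no dependency
    rds = boto3.client("rds", region_name=region)
    clusters = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return evaluate_clusters(clusters)


# Constructed sample resembling a DescribeDBClusters response; not real account data.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql", "BacktrackWindow": 0},
    {"DBClusterIdentifier": "orders-staging", "Engine": "aurora-mysql", "BacktrackWindow": 3600},
    {"DBClusterIdentifier": "billing-pg", "Engine": "aurora-postgresql"},
]

if __name__ == "__main__":
    for finding in evaluate_clusters(SAMPLE_CLUSTERS):
        print(f"{finding.status:4} {finding.cluster_id}: {finding.reason}")
```

The SKIP status matters when you reconcile findings with Security Hub or AWS Config: an aurora-postgresql cluster is not a failure of this control, and treating it as one produces noise that hides the real aurora-mysql gaps.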
Recommendation
Enable Backtrack on Aurora MySQL clusters and set BacktrackWindow to a value that meets your RTO, balancing cost (change records are retained for the whole window) against the cluster's write rate; AWS caps the window at 72 hours. Use Backtrack alongside automated backups rather than instead of them: Backtrack rewinds the existing cluster in place within the window, while backups and snapshots cover recovery beyond it.
Backtrack can only be enabled when a cluster is created or restored, so for an existing cluster without it, restore into a new cluster (point-in-time or snapshot) with Backtrack enabled and cut over. Afterwards, monitor the cluster's Backtrack CloudWatch metrics (change-record creation rate, records stored, actual versus target window) and adjust the window as change rates evolve.
Remediation
aws rds restore-db-cluster-to-point-in-time --source-db-cluster-identifier <SOURCE_DB_CLUSTER_ID> --db-cluster-identifier <DB_CLUSTER_ID> --use-latest-restorable-time --backtrack-window 3600
The window is in seconds (3600 is 1 hour; the maximum is 259200, or 72 hours). The CLI restore creates only the DB cluster, with no DB instances: add instances to the new cluster with aws rds create-db-instance (using --db-cluster-identifier <DB_CLUSTER_ID>) before cutting over.
- In the AWS Console, go to RDS > Databases and select the Aurora MySQL cluster
- Click Actions > Restore to point in time
- Choose Use latest restorable time
- Enable Backtrack and set the Backtrack window to a value greater than 0 (e.g., 1 hour, which is --backtrack-window 3600 in the CLI)
- Enter a new DB cluster identifier and click Restore DB cluster
- Cut over applications to the new cluster's endpoints, verify reads and writes, and decommission the old cluster only once the new one is confirmed healthy
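The CLI and console procedures above, carried through as an added Python example (not Prowler's code and not an AWS-provided script): the restore is issued with a Backtrack window, and because RestoreDBClusterToPointInTime creates only the cluster, one DB instance is then created per source instance so the new cluster has endpoints to cut over to. The boto3 method and parameter names are the real ones; RecordingRdsClient is a constructed offline stand-in for boto3.client("rds") that records the calls, and the orders-prod cluster and its instances are sample data.

```python
# Constructed stand-in for boto3's RDS client: records every call and returns the
# minimal response shapes the remediation below relies on. Replace it with
# boto3.client("rds", region_name=...) to run against a real account.
class RecordingRdsClient:
    def __init__(self, source_cluster: dict, source_instances: list):
        self.calls = []
        self._cluster = source_cluster
        self._instances = source_instances

    def describe_db_clusters(self, **kw):
        self.calls.append(("describe_db_clusters", kw))
        return {"DBClusters": [self._cluster]}

    def describe_db_instances(self, **kw):
        self.calls.append(("describe_db_instances", kw))
        return {"DBInstances": self._instances}

    def restore_db_cluster_to_point_in_time(self, **kw):
        self.calls.append(("restore_db_cluster_to_point_in_time", kw))
        return {"DBCluster": {"DBClusterIdentifier": kw["DBClusterIdentifier"],
                              "BacktrackWindow": kw["BacktrackWindow"]}}

    def create_db_instance(self, **kw):
        self.calls.append(("create_db_instance", kw))
        return {"DBInstance": {"DBInstanceIdentifier": kw["DBInstanceIdentifier"]}}


MAX_BACKTRACK_SECONDS = 72 * 60 * 60  # AWS caps the Backtrack window at 72 hours


def valid_backtrack_window(seconds: int) -> bool:
    """A remediation must set a window that is > 0 and within the AWS limit."""
    return 0 < seconds <= MAX_BACKTRACK_SECONDS


def restore_with_backtrack(rds, source_id: str, target_id: str, backtrack_seconds: int) -> dict:
    """Restore source_id at its latest restorable time as a new cluster with
    Backtrack enabled, then re-create one DB instance per source instance.

    RestoreDBClusterToPointInTime creates only the cluster; without the
    CreateDBInstance calls the new cluster has no endpoints to cut over to.
    """
    if not valid_backtrack_window(backtrack_seconds):
        raise ValueError(f"backtrack window must be 1..{MAX_BACKTRACK_SECONDS} seconds")
    source = rds.describe_db_clusters(DBClusterIdentifier=source_id)["DBClusters"][0]
    if source.get("Engine") != "aurora-mysql":
        raise ValueError("Backtrack is supported only for the aurora-mysql engine")

    restored = rds.restore_db_cluster_to_point_in_time(
        SourceDBClusterIdentifier=source_id,
        DBClusterIdentifier=target_id,
        RestoreType="full-copy",
        UseLatestRestorableTime=True,
        BacktrackWindow=backtrack_seconds,
        # Subnet group, VPC security groups and cluster parameter group are not
        # carried over automatically; pass DBSubnetGroupName, VpcSecurityGroupIds
        # and DBClusterParameterGroupName explicitly for a production cutover.
    )["DBCluster"]

    members = rds.describe_db_instances(
        Filters=[{"Name": "db-cluster-id", "Values": [source_id]}]
    )["DBInstances"]
    created = []
    for n, member in enumerate(members, start=1):
        # Identifier rules: 1-63 chars, letters/digits/hyphens, no trailing hyphen.
        instance_id = f"{target_id}-{n}"
        rds.create_db_instance(
            DBInstanceIdentifier=instance_id,
            DBClusterIdentifier=target_id,
            Engine="aurora-mysql",
            DBInstanceClass=member["DBInstanceClass"],
        )
        created.append(instance_id)
    return {
        "cluster": restored["DBClusterIdentifier"],
        "backtrack_window": restored["BacktrackWindow"],
        "instances": created,
    }


# Constructed sample: a two-instance production cluster created without Backtrack.
SAMPLE_SOURCE = {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql", "BacktrackWindow": 0}
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod-writer", "DBInstanceClass": "db.r6g.large"},
    {"DBInstanceIdentifier": "orders-prod-reader", "DBInstanceClass": "db.r6g.large"},
]

if __name__ == "__main__":
    client = RecordingRdsClient(SAMPLE_SOURCE, SAMPLE_INSTANCES)
    print(restore_with_backtrack(client, "orders-prod", "orders-prod-bt", 3600))
    for name, _ in client.calls:
        print("called", name)
```

Against a real account the restore and instance creation are asynchronous; wait on the cluster and instances to reach the available state (boto3 exposes db_cluster_available and db_instance_available waiters) before repointing application endpoints, and run the check again on the new cluster to confirm a non-zero BacktrackWindow.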
Source Code
Resource Type
AwsRdsDbCluster
References
- https://docs.aws.amazon.com/config/latest/developerguide/aurora-mysql-backtracking-enabled.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/rds-controls.html#rds-14
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/RDS/backtrack.html