
🛡️ AWS RDS Aurora Cluster Backtracking is not enabled 🟢

Description

This policy identifies Amazon Aurora MySQL DB clusters that do not have backtracking enabled.

Aurora backtracking lets administrators rewind a cluster to an earlier point in time within the configured backtrack window. Compared with restoring from a backup, backtracking can provide a faster recovery path for recent operational mistakes such as accidental deletes, incorrect updates, or failed deployment changes.

Rationale

Enabling backtracking strengthens the recovery posture of supported Aurora MySQL workloads by reducing the time and effort required to reverse recent data changes. It complements automated backups by providing an additional recovery option when rapid rollback is needed after an application, administrative, or deployment error.

Impact

Enabling backtracking can increase storage consumption and cost because Aurora retains additional change records for the configured backtrack window. Choose a window that aligns with your recovery objectives, workload change rate, and cost tolerance.

Remediation

Enable Aurora Backtracking

Update the affected Aurora MySQL DB cluster to set a backtrack window greater than 0 seconds.

From Command Line

Use the following AWS CLI command to enable backtracking for an existing Aurora MySQL DB cluster:

aws rds modify-db-cluster \
    --db-cluster-identifier {{db-cluster-id}} \
    --backtrack-window {{seconds}} \
    --apply-immediately

Set {{seconds}} to a value that matches your recovery requirements. If you prefer to defer the change until the next maintenance window, replace --apply-immediately with --no-apply-immediately.

Considerations
  • Backtracking is available only on Aurora MySQL DB clusters, and only where the cluster's engine version supports the feature.
  • A larger backtrack window can increase storage consumption and cost.
  • Backtracking supplements automated backups and snapshots; it does not replace long-term backup retention requirements.
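The following script is an added example, not the policy's own logic or any Cloudaware or AWS code. It implements the check the Description section states (Aurora MySQL clusters whose backtrack window is 0 or absent) over a constructed describe-db-clusters response, and for each finding builds the modify-db-cluster command from the Remediation section. The engine names "aurora" and "aurora-mysql", the 72-hour maximum window, the cluster identifiers and the audit_account helper are assumptions made for the example; the live audit path requires boto3 and AWS credentials and is not exercised here.

```python
"""Flag Aurora MySQL clusters without backtracking and emit remediation commands (example code)."""
from __future__ import annotations

from typing import Any, Iterable

# Assumption: only these engine values denote Aurora MySQL; Aurora PostgreSQL
# ("aurora-postgresql") does not support backtracking and is out of scope.
AURORA_MYSQL_ENGINES = {"aurora", "aurora-mysql"}
MAX_BACKTRACK_SECONDS = 72 * 3600  # 72 hours, the documented maximum window

# Constructed sample in the shape of `aws rds describe-db-clusters` output.
SAMPLE_DESCRIBE_DB_CLUSTERS: dict[str, Any] = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql", "BacktrackWindow": 0},
        {"DBClusterIdentifier": "reports-prod", "Engine": "aurora-mysql", "BacktrackWindow": 86400},
        {"DBClusterIdentifier": "billing-pg", "Engine": "aurora-postgresql"},
        {"DBClusterIdentifier": "legacy-aurora", "Engine": "aurora"},  # key absent entirely
    ]
}


def is_backtrack_enabled(cluster: dict[str, Any]) -> bool:
    """Compliant when BacktrackWindow (seconds) is present and greater than 0.

    A missing key is treated as 0: the API omits it for clusters where the
    feature was never configured, which is exactly the non-compliant state.
    """
    return int(cluster.get("BacktrackWindow") or 0) > 0


def find_noncompliant_clusters(clusters: Iterable[dict[str, Any]]) -> list[str]:
    """Return identifiers of in-scope Aurora MySQL clusters with no backtrack window."""
    flagged: list[str] = []
    for cluster in clusters:
        if cluster.get("Engine") not in AURORA_MYSQL_ENGINES:
            continue  # feature not applicable, so no finding
        if not is_backtrack_enabled(cluster):
            flagged.append(cluster["DBClusterIdentifier"])
    return flagged


def remediation_command(cluster_id: str, seconds: int, apply_immediately: bool = True) -> str:
    """Build the modify-db-cluster invocation from the Remediation section.

    Rejects a zero window (which would leave the cluster non-compliant) and
    windows above the 72-hour maximum, which the API would refuse anyway.
    """
    if not 0 < seconds <= MAX_BACKTRACK_SECONDS:
        raise ValueError(f"backtrack window must be 1..{MAX_BACKTRACK_SECONDS} seconds, got {seconds}")
    flag = "--apply-immediately" if apply_immediately else "--no-apply-immediately"
    return (
        f"aws rds modify-db-cluster --db-cluster-identifier {cluster_id} "
        f"--backtrack-window {seconds} {flag}"
    )


def audit_account(region: str) -> list[str]:
    """Run the same check against a live account (assumed helper; needs boto3 + credentials)."""
    import boto3  # imported lazily so the module stays importable offline

    rds = boto3.client("rds", region_name=region)
    clusters: list[dict[str, Any]] = []
    for page in rds.get_paginator("describe_db_clusters").paginate():
        clusters.extend(page["DBClusters"])
    return find_noncompliant_clusters(clusters)


if __name__ == "__main__":
    # Offline demonstration over the constructed sample: prints one command per finding.
    for cid in find_noncompliant_clusters(SAMPLE_DESCRIBE_DB_CLUSTERS["DBClusters"]):
        print(remediation_command(cid, seconds=86400))
```

The check deliberately treats an absent BacktrackWindow the same as 0, so clusters created before the feature was ever configured are not silently skipped; the engine filter keeps Aurora PostgreSQL out of the findings so the policy does not report a control that cannot be applied.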

Linked Framework Sections

Framework → Section | Counts (Sub Sections, Internal Rules, Policies, Flags; the digits ran together during extraction) | Compliance
AWS Foundational Security Best Practices v1.0.0 → [RDS.14] Amazon Aurora clusters should have backtracking enabled | 1 | no data
Cloudaware Framework → Data Protection and Recovery | 23 | no data
FedRAMP High Security Controls → CP-6 Alternate Storage Site (M)(H) | 320 | no data
FedRAMP High Security Controls → CP-6(1) Separation from Primary Site (M)(H) | 6 | no data
FedRAMP High Security Controls → CP-6(2) Recovery Time and Recovery Point Objectives (H) | 20 | no data
FedRAMP High Security Controls → CP-9 System Backup (L)(M)(H) | 5415 | no data
FedRAMP High Security Controls → CP-10 System Recovery and Reconstitution (L)(M)(H) | 221 | no data
FedRAMP Low Security Controls → CP-9 System Backup (L)(M)(H) | 13 | no data
FedRAMP Low Security Controls → CP-10 System Recovery and Reconstitution (L)(M)(H) | 21 | no data
FedRAMP Moderate Security Controls → CP-6 Alternate Storage Site (M)(H) | 26 | no data
FedRAMP Moderate Security Controls → CP-6(1) Separation from Primary Site (M)(H) | 6 | no data
FedRAMP Moderate Security Controls → CP-9 System Backup (L)(M)(H) | 215 | no data
FedRAMP Moderate Security Controls → CP-10 System Recovery and Reconstitution (L)(M)(H) | 121 | no data
NIST CSF v2.0 → PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 188 | no data
NIST CSF v2.0 → PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 190 | no data
NIST CSF v2.0 → PR.DS-11: Backups of data are created, protected, maintained, and tested | 16 | no data
NIST CSF v2.0 → PR.IR-04: Adequate resource capacity to ensure availability is maintained | 6 | no data
NIST CSF v2.0 → RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | 21 | no data
NIST CSF v2.0 → RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | 21 | no data
NIST CSF v2.0 → RC.RP-03: The integrity of backups and other restoration assets is verified before using them for restoration | 10 | no data
NIST CSF v2.0 → RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | 21 | no data
NIST SP 800-53 Revision 5 → CP-6 Alternate Storage Site | 320 | no data
NIST SP 800-53 Revision 5 → CP-6(1) Alternate Storage Site _ Separation from Primary Site | 6 | no data
NIST SP 800-53 Revision 5 → CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives | 20 | no data
NIST SP 800-53 Revision 5 → CP-9 System Backup | 812 | no data
NIST SP 800-53 Revision 5 → CP-10 System Recovery and Reconstitution | 621 | no data
NIST SP 800-53 Revision 5 → SI-13(5) Predictable Failure Prevention _ Failover Capability | 20 | no data