Enable Backtrack for Aurora MySQL Clusters

Overview

This check verifies that your Amazon Aurora MySQL database clusters have the Backtrack feature enabled. Backtrack lets you quickly "rewind" your database to a previous point in time without restoring from a backup, making it easy to recover from accidental data changes like deleting the wrong row or dropping a table.

Risk

Without Backtrack enabled, recovering from accidental data changes (like a DELETE without a WHERE clause) requires restoring from a backup. This process:

  • Takes significantly longer (potentially hours vs. minutes)
  • May result in data loss for changes made after the backup
  • Requires more complex recovery procedures
  • Increases downtime during incidents

With Backtrack, you can rewind your database in just a few minutes and even move back and forth through time to pinpoint exactly when a data change occurred.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to manage RDS clusters
  • An existing Aurora MySQL cluster (Backtrack only works with Aurora MySQL, not PostgreSQL)

Important: You cannot enable Backtrack on an existing cluster. You must create a new cluster (either a clone or restore) with Backtrack enabled, then migrate your applications to the new cluster.

AWS Console Method

  1. Sign in to the AWS Console and navigate to RDS
  2. In the left navigation, click Databases
  3. Select your Aurora MySQL cluster
  4. Click Actions and choose Restore to point in time
  5. Under Restore type, select Latest restorable time (or choose a specific time)
  6. In the Settings section:
    • Enter a new DB cluster identifier (e.g., my-cluster-with-backtrack)
  7. Scroll down to Backtrack:
    • Check Enable Backtrack
    • Set the Target Backtrack window (e.g., 24 hours = 86400 seconds)
  8. Configure other settings as needed (instance class, VPC, etc.)
  9. Click Restore DB cluster
  10. After the new cluster is available, update your applications to use the new cluster endpoint

AWS CLI (optional)

Restore an existing cluster with Backtrack enabled:

aws rds restore-db-cluster-to-point-in-time \
--region us-east-1 \
--source-db-cluster-identifier my-existing-cluster \
--db-cluster-identifier my-cluster-with-backtrack \
--use-latest-restorable-time \
--backtrack-window 86400

Create a DB instance for the restored cluster:

aws rds create-db-instance \
--region us-east-1 \
--db-instance-identifier my-cluster-with-backtrack-instance-1 \
--db-cluster-identifier my-cluster-with-backtrack \
--db-instance-class db.r6g.large \
--engine aurora-mysql

Create a brand new Aurora MySQL cluster with Backtrack:

aws rds create-db-cluster \
--region us-east-1 \
--db-cluster-identifier my-new-aurora-cluster \
--engine aurora-mysql \
--engine-version 8.0.mysql_aurora.3.04.0 \
--master-username admin \
--master-user-password <your-secure-password> \
--db-subnet-group-name <your-subnet-group> \
--vpc-security-group-ids <your-security-group-id> \
--backtrack-window 86400 \
--storage-encrypted \
--deletion-protection

Backtrack window options:

  • 86400 = 24 hours (recommended starting point)
  • 259200 = 72 hours (maximum allowed)
  • Higher values provide more recovery flexibility but increase storage costs

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: Aurora MySQL Cluster with Backtrack Enabled

Parameters:
  DBClusterIdentifier:
    Type: String
    Description: Identifier for the Aurora MySQL cluster
    Default: my-aurora-cluster
  MasterUsername:
    Type: String
    Description: Master username for the database
    Default: admin
  MasterUserPassword:
    Type: String
    NoEcho: true
    Description: Master password for the database
  BacktrackWindow:
    Type: Number
    Description: Target backtrack window in seconds (0 to 259200)
    Default: 86400
    MinValue: 0
    MaxValue: 259200
  DBSubnetGroupName:
    Type: String
    Description: Name of the DB subnet group

Resources:
  AuroraCluster:
    Type: AWS::RDS::DBCluster
    Properties:
      DBClusterIdentifier: !Ref DBClusterIdentifier
      Engine: aurora-mysql
      EngineVersion: '8.0.mysql_aurora.3.04.0'
      MasterUsername: !Ref MasterUsername
      MasterUserPassword: !Ref MasterUserPassword
      BacktrackWindow: !Ref BacktrackWindow
      DBSubnetGroupName: !Ref DBSubnetGroupName
      StorageEncrypted: true
      DeletionProtection: true
      BackupRetentionPeriod: 7
      Tags:
        - Key: Environment
          Value: Production

  AuroraInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBClusterIdentifier: !Ref AuroraCluster
      DBInstanceClass: db.r6g.large
      Engine: aurora-mysql
      PubliclyAccessible: false

Outputs:
  ClusterEndpoint:
    Description: Aurora cluster endpoint
    Value: !GetAtt AuroraCluster.Endpoint.Address
  ClusterArn:
    Description: Aurora cluster ARN
    Value: !GetAtt AuroraCluster.DBClusterArn

Deploy the stack:

aws cloudformation create-stack \
--region us-east-1 \
--stack-name aurora-backtrack-cluster \
--template-body file://template.yaml \
--parameters \
ParameterKey=DBClusterIdentifier,ParameterValue=my-aurora-cluster \
ParameterKey=MasterUsername,ParameterValue=admin \
ParameterKey=MasterUserPassword,ParameterValue=<your-secure-password> \
ParameterKey=BacktrackWindow,ParameterValue=86400 \
ParameterKey=DBSubnetGroupName,ParameterValue=<your-subnet-group>

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "cluster_identifier" {
  description = "Identifier for the Aurora MySQL cluster"
  type        = string
  default     = "my-aurora-cluster"
}

variable "master_username" {
  description = "Master username for the database"
  type        = string
  default     = "admin"
}

variable "master_password" {
  description = "Master password for the database"
  type        = string
  sensitive   = true
}

variable "backtrack_window" {
  description = "Target backtrack window in seconds (0 to 259200, i.e., up to 72 hours)"
  type        = number
  default     = 86400
}

variable "db_subnet_group_name" {
  description = "Name of the DB subnet group"
  type        = string
}

variable "vpc_security_group_ids" {
  description = "List of VPC security group IDs"
  type        = list(string)
}

resource "aws_rds_cluster" "aurora_mysql" {
  cluster_identifier        = var.cluster_identifier
  engine                    = "aurora-mysql"
  engine_version            = "8.0.mysql_aurora.3.04.0"
  master_username           = var.master_username
  master_password           = var.master_password
  backtrack_window          = var.backtrack_window
  db_subnet_group_name      = var.db_subnet_group_name
  vpc_security_group_ids    = var.vpc_security_group_ids
  storage_encrypted         = true
  deletion_protection       = true
  backup_retention_period   = 7
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.cluster_identifier}-final-snapshot"

  tags = {
    Environment = "Production"
  }
}

resource "aws_rds_cluster_instance" "aurora_instance" {
  identifier          = "${var.cluster_identifier}-instance-1"
  cluster_identifier  = aws_rds_cluster.aurora_mysql.id
  instance_class      = "db.r6g.large"
  engine              = aws_rds_cluster.aurora_mysql.engine
  engine_version      = aws_rds_cluster.aurora_mysql.engine_version
  publicly_accessible = false
}

output "cluster_endpoint" {
  description = "Aurora cluster endpoint"
  value       = aws_rds_cluster.aurora_mysql.endpoint
}

output "cluster_arn" {
  description = "Aurora cluster ARN"
  value       = aws_rds_cluster.aurora_mysql.arn
}

Apply the configuration:

terraform init
terraform plan -var="master_password=<your-secure-password>" \
-var="db_subnet_group_name=<your-subnet-group>" \
-var="vpc_security_group_ids=[\"sg-xxxxxxxxx\"]"
terraform apply

Verification

After creating your new cluster with Backtrack enabled:

  1. Go to RDS > Databases in the AWS Console
  2. Click on your new Aurora MySQL cluster
  3. In the Configuration tab, look for Backtrack window
  4. Verify it shows a non-zero value (e.g., "24 hours" or "86400 seconds")

CLI verification

aws rds describe-db-clusters \
--region us-east-1 \
--db-cluster-identifier my-cluster-with-backtrack \
--query 'DBClusters[0].BacktrackWindow'

A value greater than 0 confirms Backtrack is enabled.
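To apply the same verification across every cluster in a region rather than one identifier at a time, the following script evaluates the JSON that `aws rds describe-db-clusters` returns the way this check does: an Aurora MySQL cluster passes when BacktrackWindow is greater than 0, fails when it is 0 or absent (the API omits the field for clusters created without Backtrack), and any other engine is reported as not applicable, since Backtrack exists only for Aurora MySQL. This is an added example written for this page, not code from the check itself or from AWS; the script name backtrack_check.py, the 24-hour threshold it remarks on, and the sample response embedded below are constructed for illustration.

```python
"""Evaluate Aurora clusters for the Backtrack check (added example, hypothetical script).

Usage, after saving the CLI output to a file:
    aws rds describe-db-clusters --region us-east-1 --output json > clusters.json
    python backtrack_check.py clusters.json
Run with no argument to evaluate the constructed SAMPLE_RESPONSE below.
"""
import json
import sys

AURORA_MYSQL_ENGINE = "aurora-mysql"
RECOMMENDED_SECONDS = 86_400  # 24 hours, the starting point this page recommends


def evaluate_cluster(cluster: dict) -> dict:
    """Return a finding for one entry of a DescribeDBClusters response.

    status is one of:
      PASS - Aurora MySQL cluster with a non-zero backtrack window
      FAIL - Aurora MySQL cluster whose window is 0 or missing
      N/A  - any other engine (Backtrack is only available for Aurora MySQL)
    """
    ident = cluster.get("DBClusterIdentifier", "<unknown>")
    engine = cluster.get("Engine", "")
    # BacktrackWindow is omitted from the response when Backtrack was never enabled
    window = int(cluster.get("BacktrackWindow") or 0)

    if engine != AURORA_MYSQL_ENGINE:
        return {"cluster": ident, "status": "N/A", "window_seconds": window,
                "reason": f"engine {engine!r} does not support Backtrack"}
    if window <= 0:
        return {"cluster": ident, "status": "FAIL", "window_seconds": 0,
                "reason": "Backtrack window is 0; recreate the cluster with --backtrack-window"}
    reason = f"Backtrack window is {window} seconds ({window / 3600:g} hours)"
    if window < RECOMMENDED_SECONDS:
        reason += "; below the 24 hour starting point recommended on this page"
    return {"cluster": ident, "status": "PASS", "window_seconds": window, "reason": reason}


def evaluate_clusters(payload: dict) -> list:
    """Evaluate every cluster in a DescribeDBClusters response."""
    return [evaluate_cluster(c) for c in payload.get("DBClusters", [])]


def failing_clusters(payload: dict) -> list:
    """Identifiers of Aurora MySQL clusters that fail the check."""
    return [f["cluster"] for f in evaluate_clusters(payload) if f["status"] == "FAIL"]


# Constructed sample shaped like describe-db-clusters output, trimmed to the relevant keys.
SAMPLE_RESPONSE = {
    "DBClusters": [
        {"DBClusterIdentifier": "my-cluster-with-backtrack", "Engine": "aurora-mysql",
         "BacktrackWindow": 86400},
        {"DBClusterIdentifier": "legacy-mysql-cluster", "Engine": "aurora-mysql",
         "BacktrackWindow": 0},
        {"DBClusterIdentifier": "reporting-cluster", "Engine": "aurora-mysql"},
        {"DBClusterIdentifier": "pg-cluster", "Engine": "aurora-postgresql"},
    ]
}


def main() -> int:
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            payload = json.load(fh)
    else:
        payload = SAMPLE_RESPONSE
    exit_code = 0
    for finding in evaluate_clusters(payload):
        print(f"{finding['status']:<4} {finding['cluster']}: {finding['reason']}")
        if finding["status"] == "FAIL":
            exit_code = 1  # non-zero exit lets a pipeline job flag the account
    return exit_code


if __name__ == "__main__":
    sys.exit(main())
```

Against the constructed sample the script reports my-cluster-with-backtrack as PASS, legacy-mysql-cluster and reporting-cluster as FAIL, and pg-cluster as N/A. Because the missing-field case is treated the same as a 0 window, a cluster restored without --backtrack-window is caught rather than silently skipped.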

Notes

  • Aurora MySQL only: Backtrack is only available for Aurora MySQL, not Aurora PostgreSQL or other RDS engines.
  • Cannot enable on existing clusters: You must create a new cluster (via restore or clone) to enable Backtrack. Plan for a migration window.
  • Storage costs: Backtrack uses change records that consume storage. Longer backtrack windows mean higher storage costs.
  • Maximum window: The maximum backtrack window is 72 hours (259,200 seconds).
  • Not a replacement for backups: While Backtrack is great for quick recovery from user errors, you should still maintain regular automated backups for disaster recovery.
  • Performance impact: Enabling Backtrack has minimal impact on database performance, but very high write workloads may see slight overhead.