Rule: Amazon Aurora Clusters Should Have Backtracking Enabled

This rule ensures that backtracking is enabled for Amazon Aurora clusters.

Rule: Amazon Aurora clusters should have backtracking enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule/Policy Description:

This rule requires that backtracking be enabled on Amazon Aurora clusters. Backtracking allows an Amazon Aurora DB cluster to be rewound to a specific point in time. Enabling it is part of the AWS Foundational Security Best Practices because it limits the damage from accidental data loss or corruption.

Troubleshooting Steps:

If backtracking is not enabled on your Amazon Aurora cluster, you might encounter the following issues:

  1. Data Loss: Without backtracking, it becomes challenging to recover data in case of accidental deletion or corruption.

  2. Ransomware Attacks: In the event of a ransomware attack, backtracking enables you to roll back the cluster to a point before the attack occurred, minimizing the impact.

To ensure backtracking is enabled, follow the remediation steps below.

Necessary Codes:

No specific code is required for this rule. Remediation is a series of steps performed in the AWS Management Console or with the AWS Command Line Interface (CLI).

Remediation Steps:

To enable backtracking for an Amazon Aurora cluster, follow the steps below:

Step 1: Access AWS Management Console

  1. Sign in to the AWS Management Console.

Step 2: Navigate to Amazon RDS

  1. Go to the Amazon RDS service by searching for "RDS" in the AWS Management Console search bar.

Step 3: Select your Aurora cluster

  1. In the Amazon RDS dashboard, select your Aurora cluster from the list of available clusters.

Step 4: Enable Backtracking

  1. Click the "Modify" button in the upper-right corner of the cluster details page.

  2. Scroll down to the "Backup" section.

  3. Under "Backup retention period", set the period for which you want to retain backups. It must fall within the maximum allowed period and suit your requirements.

  4. Enable the "Backtrack" option.

Step 5: Save Changes

  1. Review your changes and ensure that backtracking is enabled and the backup retention period is sufficient for your needs.

  2. Select the "Apply immediately" checkbox to apply the changes right away.

  3. Click the "Modify cluster" button to save the changes.

Step 6: Verify Backtracking

  1. After the modification is complete, return to the cluster details page.

  2. Scroll down to the "Backtrack" section and verify that the status is now "Enabled".

Command Line Interface (CLI) Guide:

If you prefer using the AWS Command Line Interface (CLI) to enable backtracking for an Amazon Aurora cluster, follow the steps below:

  1. Open the command prompt or terminal on your machine.

  2. Run the following command to enable backtracking for your Aurora cluster:

aws rds modify-db-cluster --db-cluster-identifier <your-cluster-identifier> --backup-retention-period <retention-period-in-days> --backtrack-window <backtrack-window-in-seconds>

Note: Replace <your-cluster-identifier> with the identifier of your Amazon Aurora cluster. Also, set <retention-period-in-days> and <backtrack-window-in-seconds> based on your requirements.

  3. Verify the backtracking settings by running the following command:

aws rds describe-db-clusters --db-cluster-identifier <your-cluster-identifier>

You should see the backtracking status as "Enabled" in the output.
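The following script is an added example and is not Cloud Defense's or AWS's own code. It turns the two CLI calls above into a repeatable check: it reads the `BacktrackWindow` field (seconds) that `aws rds describe-db-clusters` returns for a cluster, reports whether the window is non-zero, and prints the `modify-db-cluster` command that would remediate a non-compliant cluster. The `audit_live` function assumes a configured AWS CLI and a cluster identifier you supply; the JSON embedded at the bottom is constructed sample output so the parsing and the decision logic can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not from the original page). Audits Aurora backtracking
# with the same describe/modify calls the rule's CLI guide uses.

# Read describe-db-clusters JSON on stdin and print the BacktrackWindow
# value in seconds. Prints 0 when the field is missing or zero, which is
# how a cluster without backtracking (or a non-MySQL Aurora cluster) looks.
backtrack_window() {
  w=$(grep -o '"BacktrackWindow":[[:space:]]*[0-9]*' | head -n 1 \
        | grep -o '[0-9]*$' || true)
  echo "${w:-0}"
}

# Return 0 (compliant) when the JSON in $1 shows a positive window,
# 1 (non-compliant) otherwise.
backtrack_enabled() {
  [ "$(printf '%s' "$1" | backtrack_window)" -gt 0 ]
}

# Print (do not run) the remediation command for cluster $1 with a
# backtrack window of $2 seconds, applied immediately as the console
# steps above do.
remediation_cmd() {
  printf 'aws rds modify-db-cluster --db-cluster-identifier %s --backtrack-window %s --apply-immediately\n' "$1" "$2"
}

# Live check against a real cluster: audit_live <cluster-identifier> <window-seconds>
# (assumes the AWS CLI is installed and has describe/modify permissions).
audit_live() {
  json=$(aws rds describe-db-clusters --db-cluster-identifier "$1" --output json)
  if backtrack_enabled "$json"; then
    echo "$1: backtracking enabled ($(printf '%s' "$json" | backtrack_window)s window)"
  else
    echo "$1: backtracking NOT enabled; remediate with:"
    remediation_cmd "$1" "$2"
  fi
}

# Constructed sample responses (not real AWS output) for an offline run.
SAMPLE_OK='{"DBClusters":[{"DBClusterIdentifier":"orders-aurora","Engine":"aurora-mysql","BacktrackWindow": 86400}]}'
SAMPLE_BAD='{"DBClusters":[{"DBClusterIdentifier":"billing-aurora","Engine":"aurora-mysql","BacktrackWindow": 0}]}'

if backtrack_enabled "$SAMPLE_OK"; then echo "orders-aurora: compliant"; fi
if ! backtrack_enabled "$SAMPLE_BAD"; then remediation_cmd billing-aurora 86400; fi
```

Run it as a file to see the two sample verdicts, or source it and call `audit_live my-cluster 86400` to check a real cluster; the window value is in seconds, so 86400 is one day.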

By following the above steps, you can enable backtracking for your Amazon Aurora cluster, ensuring compliance with AWS Foundational Security Best Practices.
