Profile Applicability:
Level 2
Description:
Amazon Aurora MySQL is a fully managed, MySQL-compatible relational database engine built for the cloud. Backtrack in Aurora MySQL allows you to roll back your database cluster to a previous point in time without restoring from a backup. This feature can be useful in scenarios such as recovering from unintentional data modification, erroneous queries, or application errors. Backtrack provides a more efficient and faster recovery mechanism compared to traditional point-in-time recovery, as it does not require a full restore operation.
This SOP ensures that backtrack is enabled for Aurora MySQL clusters, improving data protection and enabling more flexible and rapid recovery from issues.
Rationale:
Faster Recovery: With backtrack, database clusters can quickly be restored to a previous state without needing to restore from a backup, which can be time-consuming.
Operational Efficiency: It enables application developers and DBAs to recover from mistakes or accidental data modifications more easily.
Data Integrity: Helps ensure that data integrity is maintained by allowing quick rollback in case of unforeseen issues or errors.
Compliance: Many compliance frameworks (such as SOC 2, PCI-DSS, HIPAA) require capabilities for recovery and rollback in case of accidental or unauthorized changes to databases.
Impact:
Pros:
Improved Recovery Speed: Backtrack allows for faster recovery from mistakes without needing to restore full backups.
Reduced Downtime: Reduces application downtime caused by accidental data loss or corruption by enabling quick reversion to a previous state.
Cost-Effective: Saves on storage and backup costs by using backtrack, which is less resource-intensive compared to traditional restore operations.
Cons:
Limited Retention Period: Backtrack has a retention period (typically up to 7 days for Aurora MySQL), so it may not be suitable for long-term recovery scenarios.
Storage Costs: The backtrack feature consumes additional storage, which can incur costs depending on the duration and usage of backtrack.
Initial Configuration: Enabling backtrack requires proper configuration, which may require additional setup steps.
Default Value:
By default, backtrack is disabled for Aurora MySQL clusters. You must enable backtrack explicitly when creating or modifying the Aurora MySQL DB cluster.
Pre-requisite:
AWS IAM Permissions:
rds:DescribeDBClusters
rds:ModifyDBCluster
AWS CLI installed and configured.
The Aurora MySQL DB cluster must be compatible with the backtrack feature (backtrack is available for Aurora MySQL 5.6.10a and above).
Sufficient storage must be available to support backtrack operations.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon RDS under Services.
In the RDS Dashboard, go to Databases and select the Aurora MySQL DB cluster you want to check.
Under the Configuration tab, look for the Backtrack section:
If backtrack is enabled, it will show the Backtrack window and storage usage.
If backtrack is disabled, you will need to enable it.
If backtrack is not enabled, click Modify, and in the Backtrack Configuration section, select Enable Backtrack.
Set the Backtrack Retention Period (e.g., 24 hours) and adjust other settings if necessary.
Save the changes and verify that backtrack is now enabled for the DB cluster.
Using AWS CLI:
To check if backtrack is enabled for an Aurora MySQL DB cluster, run:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier, BacktrackWindow:BacktrackWindow}'
Review the output:
If BacktrackWindow is greater than 0, backtrack is enabled.
If BacktrackWindow is 0 or missing, backtrack is not enabled.
To enable backtrack for an Aurora MySQL DB cluster, run:
aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --backtrack-window <window-time-in-seconds> --apply-immediately
Verify that the backtrack window is set correctly:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier, BacktrackWindow:BacktrackWindow}'
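The review step above can be automated. The following is an added example, not part of the original SOP: it classifies each cluster in the JSON printed by `aws rds describe-db-clusters --output json`, and goes beyond the query above by skipping engines other than Aurora MySQL so they are not reported as failures. The cluster names in the sample, the PASS/FAIL/NOT_APPLICABLE labels and the `min_window_seconds` parameter are assumptions made for illustration.

```python
import json
import sys

# Engine names RDS reports for MySQL-compatible Aurora ("aurora" is the 5.6 line).
AURORA_MYSQL_ENGINES = {"aurora", "aurora-mysql"}

# Constructed sample shaped like `aws rds describe-db-clusters --output json`.
# Cluster identifiers are made up for this example.
SAMPLE = """
{"DBClusters": [
  {"DBClusterIdentifier": "orders-prod", "Engine": "aurora-mysql", "BacktrackWindow": 86400},
  {"DBClusterIdentifier": "orders-dev", "Engine": "aurora-mysql", "BacktrackWindow": 0},
  {"DBClusterIdentifier": "legacy-app", "Engine": "aurora-mysql"},
  {"DBClusterIdentifier": "analytics", "Engine": "aurora-postgresql"}
]}
"""


def audit_backtrack(describe_output, min_window_seconds=1):
    """Return {cluster identifier: "PASS" | "FAIL" | "NOT_APPLICABLE"}."""
    results = {}
    for cluster in describe_output.get("DBClusters", []):
        name = cluster.get("DBClusterIdentifier", "<unknown>")
        if cluster.get("Engine") not in AURORA_MYSQL_ENGINES:
            # Backtrack is an Aurora MySQL feature; other engines are out of scope.
            results[name] = "NOT_APPLICABLE"
            continue
        # A missing or null BacktrackWindow means the same as 0: not enabled.
        window = cluster.get("BacktrackWindow") or 0
        results[name] = "PASS" if window >= min_window_seconds else "FAIL"
    return results


def failing_clusters(describe_output, min_window_seconds=1):
    """Sorted identifiers of Aurora MySQL clusters that fail the check."""
    statuses = audit_backtrack(describe_output, min_window_seconds)
    return sorted(name for name, status in statuses.items() if status == "FAIL")


if __name__ == "__main__":
    # Read piped CLI output if there is any, otherwise use the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(piped if piped.strip() else SAMPLE)
    for name, status in sorted(audit_backtrack(data).items()):
        print(f"{status:15} {name}")
```

To run it against an account, pipe the CLI output into the script: `aws rds describe-db-clusters --output json | python3 audit_backtrack.py` (the file name is arbitrary).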
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon RDS.
Select the Aurora MySQL DB cluster for which you want to enable backtrack.
In the Modify DB Cluster screen, locate the Backtrack section.
Check the box to Enable Backtrack.
Set the Backtrack Retention Period (e.g., 24 hours or more) based on your needs.
Click Continue and then Apply Changes.
Using AWS CLI:
To enable backtrack for the DB cluster, run:
aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --backtrack-window <window-time-in-seconds> --apply-immediately
Verify that backtrack is enabled:
aws rds describe-db-clusters --query 'DBClusters[*].{DBClusterIdentifier:DBClusterIdentifier, BacktrackWindow:BacktrackWindow}'
Backout Plan:
Using AWS Console:
If enabling Backtrack causes issues or leads to unexpected behavior, sign in to the AWS Management Console.
Navigate to Amazon RDS, select the Aurora MySQL cluster, and click Modify.
Disable Backtrack by removing the retention period or setting it to 0.
Save the changes and verify that Backtrack has been disabled.
Using AWS CLI:
To disable Backtrack, run the following command:
aws rds modify-db-cluster --db-cluster-identifier <CLUSTER_ID> --backtrack-window 0 --apply-immediately
Verify that Backtrack has been disabled:
aws rds describe-db-clusters --db-cluster-identifier <CLUSTER_ID>