Compliance

Enable Aurora MySQL backtracking

Security Hub RDS.14 — accidentally DROP TABLE in prod? Aurora Backtracking rewinds the cluster to a point in time without a restore.

11 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: RDS.14

Aurora Backtracking: the basics

What does Security Hub RDS.14 actually check?

Aurora Backtracking is an Aurora-MySQL-only feature that lets you rewind the entire cluster to a point in the recent past (up to 72 hours) without restoring a snapshot or creating a new cluster. The cluster keeps a change log alongside its data pages; triggering a backtrack rewinds the cluster to your chosen timestamp and resumes in place. No DNS swap, no new endpoint, no application reconfiguration. A backtrack typically completes in seconds to minutes, though the cluster is briefly unavailable and open connections are dropped while it runs.

Security Hub control RDS.14 fails when an Aurora MySQL cluster has BacktrackWindow=0 — backtracking disabled. The check is binary: either you've configured a non-zero window (1-72 hours) at cluster creation, or you haven't. There's no "enable on existing cluster" path; if backtracking wasn't enabled at create time you can't bolt it on later. You can only get it by cloning the cluster or migrating to a fresh one with the window set.
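The window is stated in hours here, but the CLI examples later in this lesson pass it in seconds. A minimal sketch of the conversion, assuming you only ever want whole-hour windows in the 1-72 hour range; `backtrack_window_seconds` is a hypothetical helper name, not part of the AWS CLI:

```shell
# Convert a backtrack window in hours to the seconds value passed to
# --backtrack-window. Rejects anything outside 1-72 whole hours.
backtrack_window_seconds() (
  hours="$1"
  case "$hours" in
    ''|0*|*[!0-9]*)
      echo "window must be a whole number of hours from 1 to 72" >&2
      exit 1
      ;;
  esac
  if [ "$hours" -gt 72 ]; then
    echo "window must be a whole number of hours from 1 to 72" >&2
    exit 1
  fi
  echo $((hours * 3600))
)

backtrack_window_seconds 24   # prints 86400
backtrack_window_seconds 72   # prints 259200
```

Validating before the call keeps a typo such as 720 from reaching a command that creates a production clone.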

The control exists because point-in-time recovery via snapshot restore takes 20-60 minutes for a sizeable cluster, requires a new endpoint, and forces every application to cut over. Backtracking turns the same recovery into a 30-second operation against the same endpoint — the difference between a five-minute incident and a two-hour one when someone runs DROP TABLE customers at 3pm on a Tuesday.

In this lesson you'll learn what Aurora Backtracking does, when it can save you and when it can't, the cost trade-off of enabling a 72-hour window, and the exact CLI flow to investigate a failed RDS.14 finding and remediate it. You'll see the describe call that surfaces the misconfiguration, the clone-and-cutover required to enable backtracking on a cluster that didn't have it, and the SCP pattern to prevent the next cluster from being created without it.

Fun fact

The 30-second DROP TABLE rescue

At a fintech in 2021, a senior engineer running a one-off migration accidentally ran DROP TABLE transactions against prod instead of staging: 240M rows, six years of history. Snapshot restore was quoted at 47 minutes. The on-call lead noticed backtracking was enabled with a 24-hour window, triggered a rewind to 90 seconds before the drop, and the cluster was serving traffic again in 34 seconds. The rescue cost about $0.40 in backtrack storage and saved the entire trading day.

Investigating an RDS.14 failure in action

Marco is reviewing a fresh batch of Security Hub findings on a Monday morning. RDS.14 has fired against prod-orders-cluster — an Aurora MySQL 8.0 cluster carrying the order pipeline. Severity: MEDIUM. The cluster has been running for 14 months, hosts six application services, and has never had backtracking enabled.

He doesn't immediately panic — RDS.14 is a preventative control, not a breach signal. But the cluster is exactly the kind of workload where backtracking pays for itself: high write volume, multiple services touching the same tables, and a recent history of "someone ran the wrong migration" incidents that took 30+ minutes to restore from snapshot.

He starts by confirming the current configuration.

First, describe the cluster and slice to just engine, version, backtrack window, and status. The first three decide whether RDS.14 passes; status confirms the cluster is healthy enough to clone.

$ aws rds describe-db-clusters --db-cluster-identifier prod-orders-cluster --query "DBClusters[*].{Engine:Engine,Version:EngineVersion,Backtrack:BacktrackWindow,Status:Status}" --output table
┌──────────────┬─────────────────────────┬───────────┬───────────┐
│ Engine       │ Version                 │ Backtrack │ Status    │
├──────────────┼─────────────────────────┼───────────┼───────────┤
│ aurora-mysql │ 8.0.mysql_aurora.3.05.2 │ 0         │ available │
└──────────────┴─────────────────────────┴───────────┴───────────┘
# Aurora MySQL, eligible for backtracking, but BacktrackWindow=0: disabled.

Engine is eligible, but the window is zero — that's the RDS.14 failure.

Since you can't enable backtracking on an existing cluster, the path is a clone with the window set. Aurora clones are copy-on-write — fast and cheap.

$ aws rds restore-db-cluster-to-point-in-time --source-db-cluster-identifier prod-orders-cluster --db-cluster-identifier prod-orders-cluster-bt --restore-type copy-on-write --use-latest-restorable-time --backtrack-window 86400
{
  "DBCluster": {
    "DBClusterIdentifier": "prod-orders-cluster-bt",
    "Engine": "aurora-mysql",
    "BacktrackWindow": 86400,
    "Status": "creating"
  }
}
# 86400 seconds = 24 hours. Clone is ready in minutes; cutover at next maintenance window.

Copy-on-write clone with a 24-hour backtrack window — the migration path RDS.14 expects.

Backtracking under the hood (deep dive)

Aurora's storage layer is a distributed log-structured system: every page change is appended to a redo log replicated across three Availability Zones. When backtracking is enabled, Aurora retains an additional reverse-direction change-log for the configured window. Triggering a backtrack replays that log in reverse against the live cluster volume — the same cluster ID, same endpoint, same parameter group, just rewound.

Storage cost is metered per million change records retained, at roughly $0.012 per million in most regions. For typical OLTP workloads a 24-hour window costs single-digit dollars per month; a 72-hour window on a heavy-write cluster is rarely more than $30-50/month. A single avoided snapshot-restore incident more than covers that cost.
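To turn the rate into a monthly figure for your own cluster, a rough estimator helps. The sketch below rests on several assumptions that should be checked against the current Aurora pricing page: that the per-million rate applies to the records held in the window for each hour they are retained, that a month is 730 hours, and that the change rate is steady. The change-record rate itself would come from your own metrics (CloudWatch publishes backtrack change-record metrics for the cluster); `estimate_backtrack_cost` is a hypothetical helper name.

```shell
# Estimate monthly backtrack storage cost in dollars.
# Args: change records per hour, window in hours,
#       [price per million records per hour, default 0.012 (assumption)],
#       [billable hours per month, default 730 (assumption)]
estimate_backtrack_cost() {
  awk -v rate="$1" -v window="$2" -v price="${3:-0.012}" -v hours="${4:-730}" 'BEGIN {
    # Records held in the window once the cluster reaches steady state.
    retained_millions = rate * window / 1000000
    printf "%.2f\n", retained_millions * price * hours
  }'
}

# Illustrative change rates, not measurements from a real cluster.
estimate_backtrack_cost 10000 24
estimate_backtrack_cost 50000 72
```

Because the cost scales with both the change rate and the window length, a write-heavy cluster can land well above these figures, so measure before committing to 72 hours.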

The hard limit is the engine: backtracking is supported only on Aurora MySQL clusters (5.6 originally, currently 5.7 and 8.0), and only when the window was set at cluster create or via restore-db-cluster-to-point-in-time with --backtrack-window. Aurora PostgreSQL has no equivalent — for Postgres clusters the closest analogue is restore-db-cluster-to-point-in-time creating a new cluster at the target time, which is slower and produces a separate endpoint.

# How Security Hub evaluates RDS.14 — any Aurora MySQL cluster with BacktrackWindow=0 fails.
aws rds describe-db-clusters \
  --query "DBClusters[?Engine=='aurora-mysql' && BacktrackWindow==\`0\`].DBClusterIdentifier"
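The same pass/fail logic can be expressed as a small function for use in scripts or pre-deploy checks. This is a sketch of the rule as the lesson describes it, not Security Hub's actual implementation; treating a missing window as a failure is a deliberately conservative assumption, and `rds14_status` is a hypothetical name.

```shell
# Classify one cluster against the RDS.14 rule as described in this lesson.
# Args: engine, backtrack window in seconds (empty, None, or 0 means disabled).
rds14_status() (
  engine="$1"
  window="${2:-0}"
  if [ "$engine" != "aurora-mysql" ]; then
    # Backtracking does not exist for other engines, so the rule does not apply.
    echo "NOT_APPLICABLE"
  elif [ "$window" -gt 0 ] 2>/dev/null; then
    echo "PASS"
  else
    # Zero, missing, or non-numeric windows all count as disabled.
    echo "FAIL"
  fi
)

rds14_status aurora-mysql 0            # prints FAIL
rds14_status aurora-mysql 86400        # prints PASS
rds14_status aurora-postgresql 0       # prints NOT_APPLICABLE
```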

What is the impact of running without backtracking?

The direct impact is recovery time. Without backtracking, every data-corruption incident — bad migration, accidental DELETE, runaway script, application bug writing garbage — forces a snapshot restore. For a 500 GB cluster that's 30-60 minutes minimum before a new cluster is ready, plus the time to repoint applications at the new endpoint, plus the data loss between the snapshot and the bad write. Whole engineering teams spend Tuesday afternoons restoring snapshots.

The second-order impact is the operational rigidity it creates. Teams that don't trust their recovery path become risk-averse with migrations and one-off fixes — every schema change becomes a multi-week project because reverting is painful. Backtracking turns reverts into a 30-second operation, which fundamentally changes how willing engineers are to ship corrective changes quickly.

From a compliance standpoint, RDS.14 maps to broader data-resilience requirements in SOC 2 (CC9.1 — recovery objectives) and ISO 27001 (A.12.3 — backup). Auditors increasingly ask not just "do you have backups" but "can you demonstrate a sub-five-minute recovery for a defined corruption scenario." Backtracking is the cleanest evidence for that.

The cost trade-off is almost trivially in favour of enabling: $30/month of backtrack storage versus four engineers spending an afternoon on a recovery that should have taken 30 seconds. The math is clear; the friction is just that you can't enable it after the fact, so it has to be set at cluster creation or via a clone-and-cutover.
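The comparison above is simple arithmetic, and it is worth running with your own numbers. A minimal sketch: the four-hour afternoon and the $100 hourly rate are placeholders, not figures from this lesson, and `months_covered_by_incident` is a hypothetical helper name.

```shell
# How many months of backtrack storage one avoided incident pays for.
# Args: engineer-hours lost, hourly rate, then one monthly cost per cluster.
months_covered_by_incident() (
  hours="$1"
  rate="$2"
  shift 2
  echo "$@" | awk -v hours="$hours" -v rate="$rate" '{
    monthly = 0
    for (i = 1; i <= NF; i++) monthly += $i
    if (monthly <= 0) {
      print "need at least one positive monthly cost" > "/dev/stderr"
      exit 1
    }
    printf "%.1f\n", hours * rate / monthly
  }'
)

# Four engineers x four hours = 16 engineer-hours, against $30/month of storage.
months_covered_by_incident 16 100 30
```

Passing several monthly costs sums them first, so the same call works for a fleet of clusters.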

How do you remediate an RDS.14 failure safely?

Because backtracking can't be enabled on a running cluster, remediation is a four-step loop: inventory eligible clusters, clone with the window set, cut over, then prevent future clusters from being created without it.

1. Inventory every Aurora MySQL cluster with BacktrackWindow=0

Run a describe-db-clusters query filtered to engine aurora-mysql and BacktrackWindow==0. Group results by environment — production clusters obviously matter most, but non-prod clusters that hold representative data should be on the list too. Backtracking on a staging cluster is what lets you safely test destructive migrations before running them in prod.

2. Clone with the window set, then cut over at a maintenance window

Use restore-db-cluster-to-point-in-time with --restore-type copy-on-write and --backtrack-window 86400 (24h) or 259200 (72h). The clone shares storage with the original until divergence, so it's fast and cheap. The clone does not receive writes made to the original after it is created, so pause writes before cloning (or plan to reconcile the gap), add a DB instance to the clone, repoint applications to its endpoint, then decommission the original. This is a standard blue-green pattern; downtime is limited to the write pause plus the DNS or configuration flip.

3. Verify the rewind before you need it

Backtracking is destructive: it rewinds the whole cluster, discarding every write since the target time. Run a live drill on a non-production clone: write a sentinel row, wait five minutes, backtrack to before the write, confirm the row is gone. This is the only way to know the recovery path actually works and to build the muscle memory for the day someone runs the wrong DROP. If you overshoot, you can backtrack again to a later time within the window, but every backtrack is a cluster-wide operation that briefly interrupts connections, so rehearse choosing the target time as well.

4. Prevent recurrence with an SCP and AWS Config

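Put a preventive guardrail in place at the org level so that Aurora MySQL clusters cannot be created with BacktrackWindow absent or zero. The pattern is an SCP that denies rds:CreateDBCluster in that case; confirm first that IAM exposes a condition key for the backtrack window, and if it does not, enforce the setting in the provisioning template or deployment pipeline instead. Add the AWS Config managed rule aurora-mysql-backtracking-enabled, the rule behind RDS.14, to surface any drift within minutes. New clusters arrive with the window set by default, and Security Hub stays green.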
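Step 1 of the loop above can be sketched as a filter over CLI text output. It assumes rows of identifier, engine, and window, such as those produced by `aws rds describe-db-clusters --query 'DBClusters[].[DBClusterIdentifier,Engine,BacktrackWindow]' --output text`, and it derives the environment from the first hyphen-separated token of the identifier, which is a hypothetical naming convention. `failing_backtrack_clusters` is likewise a hypothetical name.

```shell
# Read "identifier engine window" rows on stdin and print the Aurora MySQL
# clusters whose window is missing or zero, as "environment<TAB>identifier".
failing_backtrack_clusters() {
  awk '$2 == "aurora-mysql" && ($3 + 0) == 0 {
    # "None" (a null in text output) and "0" both evaluate to 0 here.
    split($1, parts, "-")
    print parts[1] "\t" $1
  }' | sort
}

# Sample rows standing in for real CLI output.
failing_backtrack_clusters <<'EOF'
prod-orders-cluster aurora-mysql 0
prod-billing-cluster aurora-mysql 86400
staging-orders-cluster aurora-mysql None
prod-analytics-cluster aurora-postgresql 0
EOF
```

Sorting by the environment column puts all production clusters together, which makes the list easy to hand to whoever schedules the clone-and-cutover work.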

# Clone the cluster with a 24-hour backtrack window.
aws rds restore-db-cluster-to-point-in-time \
  --source-db-cluster-identifier prod-orders-cluster \
  --db-cluster-identifier prod-orders-cluster-bt \
  --restore-type copy-on-write \
  --use-latest-restorable-time \
  --backtrack-window 86400

# Wait for the clone to be available, then add an instance.
aws rds create-db-instance \
  --db-instance-identifier prod-orders-cluster-bt-1 \
  --db-cluster-identifier prod-orders-cluster-bt \
  --db-instance-class db.r6g.xlarge \
  --engine aurora-mysql

# Trigger an actual backtrack (DESTRUCTIVE — loses all writes since target time).
aws rds backtrack-db-cluster \
  --db-cluster-identifier prod-orders-cluster-bt \
  --backtrack-to 2026-05-15T14:32:00Z
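During an incident the hard part is picking the target time quickly. A small helper can compute "N seconds before the bad statement" in the timestamp format used above. This is a sketch: `backtrack_target` is a hypothetical name, and it assumes you know the incident time as a Unix epoch (for example from an audit log).

```shell
# Print the ISO 8601 UTC timestamp a given number of seconds before an
# incident. Args: incident time as a Unix epoch, seconds to rewind.
backtrack_target() (
  target=$(( $1 - $2 ))
  # GNU date accepts -d @epoch; BSD/macOS date accepts -r epoch.
  date -u -d "@$target" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null ||
    date -u -r "$target" +%Y-%m-%dT%H:%M:%SZ
)

# 90 seconds before an incident at 14:33:30 UTC on 15 May 2026.
backtrack_target 1778855610 90   # prints 2026-05-15T14:32:00Z
```

The output can be passed directly as the --backtrack-to value once a human has confirmed it falls inside the configured window.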

Quick quiz

Security Hub flags an Aurora MySQL cluster with RDS.14. You log in and run aws rds modify-db-cluster --backtrack-window 86400. What happens?

You've completed Enable Aurora MySQL backtracking. You can now spot an RDS.14 failure, understand why the fix requires a clone rather than a config flip, walk through the copy-on-write cutover, and prevent the next cluster from being created without a window. The next time someone runs DROP TABLE in prod, you'll have a four-step loop — and a 30-second recovery — ready to run.

Aurora Backtracking: what it means for recovery cost and spend

A small predictable storage cost that buys a 30-second rewind instead of a two-hour restore

Aurora MySQL is a managed database service where clusters can be configured with a "backtrack window": a rolling change log that lets the cluster rewind to any point within the configured window (up to 72 hours) without creating a new cluster or changing the connection endpoint. Security Hub control RDS.14 fails when that window is set to zero, meaning backtracking is not available. It's a medium-severity finding.

The cost model is unusually clean: Aurora charges per million change records retained, typically single-digit to low-double-digit dollars per month for a 24-hour window on a standard OLTP workload. The alternative when something goes wrong without backtracking is a snapshot restore — 30 to 60 minutes of downtime for a large cluster, manual application reconfiguration, and potential data loss since the last backup. The finance framing is straightforward: this is cheap insurance with a very clear break-even.

There is one meaningful complication: backtracking must be enabled at cluster creation. You cannot flip a switch on a running cluster. Remediation requires cloning the cluster with the window set and cutting over, which is a planned migration, not a one-line fix. That makes the tiering question matter most at provisioning time — production Aurora MySQL clusters should have the window set by default, so the cost and the protection arrive together.

This lesson is for the finance partner who needs to understand what Aurora Backtracking costs, what it prevents, and why RDS.14 is a provisioning-time decision rather than a running cost toggle. You'll get the storage cost model (per million change records, typically single-digit dollars per month), why the "can't enable on a live cluster" constraint makes this a governance-at-creation problem rather than a remediation checklist, and how to frame the backtrack window as predictable, low-cost insurance against a very expensive class of incident. No commands required.

How a finance partner frames the Aurora Backtracking decision

Dana is the finance partner reviewing the monthly security posture with the platform team. RDS.14 shows three Aurora MySQL clusters without a backtrack window — all running in production. Rather than treating it as a blanket "enable everything" item, she asks the right cost-risk question: what is the actual cost of the window on each cluster, and what is the cost of not having it?

The team pulls the cluster change rates. Two are moderate-volume OLTP clusters; the estimated 24-hour backtrack window cost is $4 and $7 per month respectively. The third is a heavier-write reporting pipeline; the 24-hour window would run about $22/month. Against those numbers Dana notes the most recent snapshot-restore incident, a bad migration eight months ago, which cost the team roughly six hours of engineering time and two hours of partial downtime. A single incident of that size costs far more than a month of the combined $33 storage bill.

Dana's takeaway for the finance pack is simple: "We are budgeting for three Aurora cluster migrations to add a 24-hour backtrack window at a combined incremental cost of under $35/month. The payback period against one avoided restore incident is measured in hours." The ask gets approved at the next sprint planning with no negotiation.

Why this matters to the budget and the incident cost register

The cost side of this control is as clean as any in the AWS catalog. Aurora backtrack storage is billed per million change records retained — roughly $0.012 per million in most regions. For a standard production OLTP cluster a 24-hour window lands at $5-15/month; a heavy-write cluster at 72 hours is rarely more than $30-50/month. These are predictable, stable line items with no variable spikes.

The right comparison is not to zero. The comparison is to a snapshot restore incident: 30-60 minutes of database downtime, the time to stand up a new cluster and repoint every application service, the data loss since the last automated backup, and the engineering hours consumed. A single such incident on a production cluster typically represents hundreds to thousands of dollars in engineering time alone, before any customer-facing revenue impact. The backtrack window pays for itself in the first incident it prevents — and on most active production clusters, that incident arrives within the first year.

Because backtracking cannot be enabled on a running cluster, the cost impact lands at provisioning time, not as a running cost you can dial up later. That means the finance input that matters most is upstream: ensure the provisioning budget for new Aurora MySQL clusters includes the backtrack storage line, so engineering teams are never making the "save $10/month now, risk a two-hour outage later" trade-off without explicit awareness. A provisioning standard with the cost pre-approved removes the temptation to skip the window.

Treat RDS.14 findings on existing production clusters as a one-time migration cost, not ongoing. A clone-and-cutover is a planned engineering task. Budget the engineer-hours, approve the migration window, and treat the resulting monthly storage cost as standard resilience overhead — the same category as backups and Multi-AZ.

What finance can actually do about RDS.14

Finance can't run clone commands, but it owns the budget framing that determines whether Aurora MySQL clusters arrive correctly configured or accumulate as a backlog of risky exceptions. Four levers.

1. Make the backtrack window a provisioning budget line, not an afterthought

Agree with engineering that new Aurora MySQL production clusters are budgeted with the backtrack storage cost included from day one — typically $5-30/month per cluster depending on write volume. That removes the temptation for teams to skip the window to save a trivial amount and eliminates the accumulated technical debt of clusters that need clone-and-cutover remediation.

2. Budget the existing cluster migration as a one-time project cost

Every Aurora MySQL cluster currently failing RDS.14 requires a clone-and-cutover to remediate. Scope those as a planned engineering project — engineer-hours, maintenance window coordination, and a small clone storage cost during the transition period — and approve it as infrastructure-resilience spend, not an ad hoc ask. Treating it as a project with a defined budget and timeline gets it done rather than languishing on a backlog.

3. Track unmitigated production clusters as an uninsured risk on the register

Any production Aurora MySQL cluster still failing RDS.14 is a cluster where a bad migration or accidental delete means 30-60 minutes of downtime instead of 30 seconds. Put those clusters on the risk register with the estimated incident cost (engineering hours plus downtime impact) until they are remediated. That keeps the urgency visible and connects the finding to a dollar figure rather than an abstract severity label.

4. Ask for the provisioning standard, not just the remediation count

The most durable finance question is whether the SCP or provisioning template enforces the backtrack window for new clusters. If it does, the finding count will stay clean without ongoing remediation cycles. If it doesn't, you will be budgeting clone migrations indefinitely as new clusters are created without the window. Confirming the prevention side is locked in is the finance action with the longest leverage.

Quick quiz

Two Aurora MySQL production clusters are failing RDS.14 — they've been running for two years without a backtrack window. The combined estimated backtrack storage cost is $18/month. Remediation requires a clone-and-cutover for each cluster. What's the right finance call?

You've finished the finance partner's view of RDS.14. You know the backtrack storage cost is small and predictable ($5-30/month per cluster), why the "can't enable on a live cluster" constraint makes this a provisioning-budget decision rather than a running cost lever, and the four actions that close both the risk and the spend cleanly: baking the cost into provisioning budgets, scoping existing migrations as one-time resilience spend, treating unmitigated clusters as uninsured risk, and confirming the provisioning standard is enforced. The next time it shows up, you'll have a sharper framing than a line-item debate.

Aurora Backtracking: the headline

Whether a bad migration or accidental delete takes 30 seconds to fix or two hours

Aurora MySQL clusters can be configured to retain a rewind buffer: a short rolling history that lets the database roll back to any moment within a configured window of up to three days, without a full restore. Security Hub flags clusters that lack this as RDS.14, a medium-severity finding. Without it, every corruption or accidental-delete incident forces a snapshot restore: 30 to 60 minutes of downtime, a new endpoint, and a scramble to repoint applications.

The leadership question is simple: do we want our recovery story for a bad production database change to be "30 seconds" or "two hours plus"? The cost of the buffer is a few dollars a month per cluster. The complication is that it must be configured at cluster creation, so the right governance move is a default policy — Aurora MySQL clusters in production are provisioned with the window on, full stop. That turns a reactive finding into a forward-looking standard.

A short read for the leader who wants to know what this control protects and what the one governance action is. You'll learn why backtracking is a provisioning-default question rather than a per-incident decision, what "good" looks like for Aurora MySQL clusters in your environment, and why the relevant question to ask isn't about the finding count but about whether the standard is set correctly for new clusters going forward.

What it looks like when the org gets this right

At one company the VP of Engineering, Tomás, used to field post-incident questions that started with "how long will the restore take?" — and the answer was always some version of "we're checking." After RDS.14 was adopted as a tracked provisioning standard, the answer changed to a policy: every Aurora MySQL cluster in production is created with a 24-hour backtrack window, enforced by the provisioning template.

The shift Tomás valued wasn't the finding count dropping to zero. It was that the recovery conversation was settled in advance. A bad migration in production became a 30-second operation the on-call team could execute without an incident bridge call. The confidence that came from that — "we can fix a data corruption in under a minute if we catch it in time" — changed how willing engineers were to ship schema changes on a tight deadline.

That's the right end state for this control: not a remediation ticket, but a provisioning default. Aurora MySQL clusters arrive with the window set because the policy says so, and the finding count stays clean because the standard is enforced at creation, not patched after the fact.

Why this is on the report at all

This control maps directly to a question that surfaces after every serious database incident: "could we have recovered faster?" Without backtracking, the honest answer for an Aurora MySQL cluster is: the fastest possible recovery was 30 to 60 minutes of downtime plus manual application reconfiguration. With backtracking enabled, the answer is: 30 seconds, same endpoint, no reconfiguration. RDS.14 is the flag that tells you which situation you're actually in.

The leadership concern here is not the monthly storage cost — it's small enough to be noise. The concern is whether the provisioning standard is set correctly. Because backtracking cannot be added to a running cluster, every Aurora MySQL cluster created without the window is a future incident waiting to be slower than it needs to be. The right executive question is not "how many clusters are failing RDS.14 today" but "is our standard for new Aurora MySQL clusters correct, and is it enforced?" A policy that requires the backtrack window at creation means this finding permanently stays clean without manual remediation cycles.

The leadership move on RDS.14

The executive handle on this control is not about the remediation queue; it's about setting the standard so the queue stays empty for new clusters. Three moves.

1. Set the provisioning default: Aurora MySQL clusters ship with a backtrack window

Direct that all new Aurora MySQL production clusters are required to have a non-zero backtrack window configured at creation. This is a one-time policy decision enforced by the provisioning template or SCP. Once it's in place, the control stays clean by default and no individual team has to make the cost-versus-resilience judgment each time they spin up a cluster.

2. Treat existing failures as a time-bounded migration project

Clusters already running without backtracking need a clone-and-cutover to remediate — this cannot be patched in place. Rather than letting the list sit as open findings indefinitely, set a target quarter for the migration and treat it as a resilience-hardening project. The per-cluster effort is modest; the risk of leaving it open is another slow restore incident.

3. Ask one question at the leadership review

"Is the backtrack window required for new Aurora MySQL clusters, and is every production cluster either compliant or on a migration schedule?" A yes to both means this is governed by policy. That's the confidence signal — not a zero finding count on a dashboard, but evidence that the standard is enforced going forward and the backlog has a deadline.

Quick quiz

Your engineering team reports that all Aurora MySQL production clusters now have a 24-hour backtrack window, enforced by the provisioning template and an SCP. Three dev clusters still fail RDS.14 and are documented as intentionally lower-priority with a recorded rationale. What's the right leadership read?

That's the lesson. Two takeaways: a cluster running without a backtrack window means a bad migration recovers in hours, not seconds — and the only durable fix is a provisioning standard, not a remediation cycle, because backtracking cannot be added to running clusters. The leadership question is whether the standard is set and enforced going forward, with the existing backlog on a defined migration timeline. That's resilience by policy.
