chore(aws): enhance metadata for mq service (#9267)

Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
This commit is contained in:
Rubén De la Torre Vico
2025-12-04 17:56:08 +01:00
committed by GitHub
parent 902bc9ad57
commit 06d1d214fd
6 changed files with 111 additions and 64 deletions


@@ -15,6 +15,9 @@ All notable changes to the **Prowler SDK** are documented in this file.
### Changed
- Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)
- Update AWS GuardDuty service metadata to new format [(#9259)](https://github.com/prowler-cloud/prowler/pull/9259)
- Update AWS MQ service metadata to new format [(#9267)](https://github.com/prowler-cloud/prowler/pull/9267)
- Update AWS Macie service metadata to new format [(#9265)](https://github.com/prowler-cloud/prowler/pull/9265)
- Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)
---
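Review bot: the Lightsail entry `- Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)` appears twice in this hunk, as the first and the last line of the `### Changed` list; drop the second copy so #9264 is listed once, and keep the MQ line (#9267) grouped with the other new-format entries in one consistent order.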


@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "mq_broker_active_deployment_mode",
"CheckTitle": "Apache ActiveMQ brokers should be configured in active/standby mode.",
"CheckTitle": "Apache ActiveMQ broker is configured in active/standby Multi-AZ deployment mode",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
"Effects/Denial of Service"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Ensure Amazon MQ Apache ActiveMQ brokers are configured in active/standby mode for high availability and fault tolerance.",
"Risk": "Apache ActiveMQ brokers not configured in active/standby mode lack high availability, increasing the risk of downtime and data loss during failures.",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-basic-elements.html",
"Description": "**ActiveMQ broker deployment mode** is configured as **active/standby** (`ACTIVE_STANDBY_MULTI_AZ`), indicating a redundant pair operating across Availability Zones",
"Risk": "Without **active/standby**, a single-instance broker becomes a **single point of failure**, degrading **availability** and risking **message loss or duplication** during outages or maintenance. This can stall message flows, grow backlogs, and cause inconsistent processing across dependent services.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/deployment-mode.html",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-basic-elements.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-5",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-broker-architecture.html#active-standby-broker-deployment"
],
"Remediation": {
"Code": {
"CLI": "aws mq create-broker --broker-name <broker-name> --engine-type ActiveMQ --deployment-mode ACTIVE_STANDBY_MULTI_AZ",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-5",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/deployment-mode.html"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Create an ActiveMQ broker in active/standby Multi-AZ\nResources:\n <example_resource_name>:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: <example_resource_name>\n EngineType: ACTIVEMQ\n EngineVersion: <example_resource_name>\n HostInstanceType: mq.t3.micro\n PubliclyAccessible: false\n DeploymentMode: ACTIVE_STANDBY_MULTI_AZ # Critical: sets active/standby Multi-AZ to pass the check\n SubnetIds:\n - <example_resource_id>\n - <example_resource_id> # Critical: two subnets in different AZs required for active/standby\n SecurityGroups:\n - <example_resource_id>\n Users:\n - Username: <example_resource_name>\n Password: <example_resource_id>\n```",
"Other": "1. In the AWS Console, go to Amazon MQ > Brokers > Create broker\n2. Select Engine: ActiveMQ\n3. Set Deployment mode to Active/standby broker (Multi-AZ)\n4. Choose two subnets in different AZs and a security group\n5. Enter a broker name, instance type, and create a user (username/password)\n6. Create the broker, update clients to use the new endpoints, then delete the old single-instance broker",
"Terraform": "```hcl\n# Create an ActiveMQ broker in active/standby Multi-AZ\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"ActiveMQ\"\n engine_version = \"<example_resource_name>\"\n host_instance_type = \"mq.t3.micro\"\n publicly_accessible = false\n deployment_mode = \"ACTIVE_STANDBY_MULTI_AZ\" # Critical: enables active/standby Multi-AZ to pass the check\n\n subnet_ids = [\"<example_resource_id>\", \"<example_resource_id>\"] # Critical: two subnets in different AZs\n security_groups = [\"<example_resource_id>\"]\n\n user {\n username = \"<example_resource_name>\"\n password = \"<example_resource_id>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure Amazon MQ Apache ActiveMQ brokers use active/standby deployment mode for high availability and fault tolerance.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-broker-architecture.html#active-standby-broker-deployment"
"Text": "Adopt **active/standby deployment** for ActiveMQ brokers to provide multi-AZ resilience.\n\nDesign clients for **failover** with retries and idempotent processing, validate recovery through regular **failover testing**, monitor broker health, and apply **least privilege** to limit blast radius.",
"Url": "https://hub.prowler.com/check/mq_broker_active_deployment_mode"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
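Review bot: both IaC snippets reuse the resource-name placeholder for the engine version (`EngineVersion: <example_resource_name>` in the CloudFormation block and `engine_version = "<example_resource_name>"` in the Terraform block) and the ID placeholder for the password (`Password: <example_resource_id>`); use `<example_engine_version>` and `<example_password>`, as the `mq_broker_not_publicly_accessible` metadata in this same PR does, so the templates read as intended. The `CLI` field is also emptied while every other MQ check keeps a command; since deployment mode is fixed at creation, the removed `aws mq create-broker --broker-name <broker-name> --engine-type ActiveMQ --deployment-mode ACTIVE_STANDBY_MULTI_AZ` (with the new placeholder style) is worth keeping. Minor: the new `Description` string is the only one in the file without a terminating period.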


@@ -1,31 +1,40 @@
{
"Provider": "aws",
"CheckID": "mq_broker_auto_minor_version_upgrades",
"CheckTitle": "MQ Broker Auto Minor Version Upgrades should be enabled.",
"CheckTitle": "Amazon MQ broker has automated minor version upgrades enabled",
"CheckType": [
"Software and Configuration Checks/Patch Management",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Ensure that automatic minor version upgrades are enabled on Amazon MQ brokers.",
"Risk": "Amazon MQ brokers without automatic minor version upgrades may miss critical updates, leaving them vulnerable to security risks, bugs, and performance issues.",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades",
"Description": "**Amazon MQ brokers** have `autoMinorVersionUpgrade` enabled to automatically apply supported minor and patch engine updates during the scheduled maintenance window.",
"Risk": "Without automatic minor upgrades, brokers may run **known-vulnerable engine versions**, enabling exploits that impact:\n- **Confidentiality**: message disclosure\n- **Integrity**: tampering or replay\n- **Availability**: crashes/DoS and instability\n\nDelayed patches also increase operational risk and drift.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/auto-minor-version-upgrade.html",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades",
"https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-3",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades.html"
],
"Remediation": {
"Code": {
"CLI": "aws mq update-broker --broker-id <broker-id> --auto-minor-version-upgrade",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-mqbrokers-minor-version-updates-are-enabled/",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-3",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/auto-minor-version-upgrade.html"
"CLI": "aws mq update-broker --broker-id <example_resource_id> --auto-minor-version-upgrade",
"NativeIaC": "```yaml\n# CloudFormation: Enable automatic minor version upgrades on an MQ broker\nResources:\n <example_resource_name>:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: <example_resource_name>\n AutoMinorVersionUpgrade: true # Critical: enables automatic minor version upgrades\n DeploymentMode: SINGLE_INSTANCE\n EngineType: ACTIVEMQ\n EngineVersion: <ENGINE_VERSION>\n HostInstanceType: mq.t3.micro\n PubliclyAccessible: true\n Users:\n - Username: <USERNAME>\n Password: <PASSWORD>\n```",
"Other": "1. Open the Amazon MQ console\n2. Go to Brokers and select the target broker\n3. Click Edit\n4. Under Maintenance, check Enable automatic minor version upgrades\n5. Click Save",
"Terraform": "```hcl\n# Terraform: Enable automatic minor version upgrades on an MQ broker\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"ActiveMQ\"\n engine_version = \"<ENGINE_VERSION>\"\n host_instance_type = \"mq.t3.micro\"\n publicly_accessible = true\n auto_minor_version_upgrade = true # Critical: enables automatic minor version upgrades\n\n user {\n username = \"<USERNAME>\"\n password = \"<PASSWORD>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that automatic minor version upgrades are enabled on Amazon MQ brokers to receive the latest security patches and improvements automatically.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades.html"
"Text": "Enable `autoMinorVersionUpgrade` on all brokers to reduce patch latency.\n\n- Align upgrades with a defined maintenance window\n- Validate changes in staging before production\n- Monitor broker health and logs after updates\n- Maintain HA and tested backups for rollback (*defense in depth*)",
"Url": "https://hub.prowler.com/check/mq_broker_auto_minor_version_upgrades"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
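Review bot: the last `AdditionalURLs` entry ends in the malformed fragment `#upgrading-brokers-automatic-upgrades.html` and duplicates the correct URL two lines above it; remove it (it was carried over from the old `Recommendation.Url`). The CloudFormation and Terraform remediation snippets also set `PubliclyAccessible: true` / `publicly_accessible = true`, so a broker created from them would immediately fail `mq_broker_not_publicly_accessible` from this same PR; default the examples to `false` so one remediation does not create another finding.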


@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "mq_broker_cluster_deployment_mode",
"CheckTitle": "MQ RabbitMQ Brokers should use cluster deployment mode.",
"CheckTitle": "MQ RabbitMQ broker has cluster (multi-AZ) deployment mode",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
"Effects/Denial of Service"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"Severity": "low",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Ensure that RabbitMQ Brokers use cluster deployment mode.",
"Risk": "Using a single-instance RabbitMQ broker limits fault tolerance and high availability. Without cluster deployment, broker failures could lead to significant downtime and potential data loss.",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-basic-elements.html",
"Description": "**Amazon MQ RabbitMQ brokers** are assessed for **cluster deployment mode** (`CLUSTER_MULTI_AZ`) with nodes spread across multiple AZs and shared state.\n\nBrokers configured otherwise are identified.",
"Risk": "Without **clustered RabbitMQ**, the broker is a **single point of failure**. An instance or AZ outage can halt queues, cause message loss or duplication, and break ordering, reducing **availability** and **integrity** of workloads that depend on the broker.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-basic-elements.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-6",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture.html#rabbitmq-broker-architecture-cluster",
"https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.html",
"https://docs.aws.amazon.com/controltower/latest/controlreference/mq-rules.html"
],
"Remediation": {
"Code": {
"CLI": "aws mq create-broker --broker-name <your-broker-name> --engine-type RabbitMQ --deployment-mode CLUSTER_MULTI_AZ",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-6",
"Terraform": ""
"CLI": "aws mq create-broker --broker-name <example_resource_name> --engine-type RABBITMQ --deployment-mode CLUSTER_MULTI_AZ --host-instance-type mq.m5.large --publicly-accessible --auto-minor-version-upgrade --users '[{\"Username\":\"<example_username>\",\"Password\":\"<example_password>\"}]'",
"NativeIaC": "```yaml\n# CloudFormation: create a RabbitMQ broker in cluster (Multi-AZ) mode\nResources:\n ExampleBroker:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: \"<example_resource_name>\"\n EngineType: RABBITMQ # Critical: ensures the broker is RabbitMQ\n DeploymentMode: CLUSTER_MULTI_AZ # Critical: sets cluster (Multi-AZ) to pass the check\n HostInstanceType: mq.m5.large\n PubliclyAccessible: true\n Users:\n - Username: \"<example_username>\"\n Password: \"<example_password>\"\n```",
"Other": "1. Open the AWS Console and go to Amazon MQ\n2. Click Brokers > Create broker\n3. Select RabbitMQ as the engine\n4. Set Deployment mode to Cluster (Multi-AZ)\n5. Enter a broker name, choose an instance type, set Public access as needed, and create one admin user\n6. Click Create broker\n7. Migrate applications to the new broker endpoint, then delete the old single-instance broker\n\nNote: Deployment mode cannot be changed on an existing broker; you must create a new cluster broker.",
"Terraform": "```hcl\n# Terraform: create a RabbitMQ broker in cluster (Multi-AZ) mode\nresource \"aws_mq_broker\" \"example\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"RabbitMQ\" # Critical: RabbitMQ engine\n deployment_mode = \"CLUSTER_MULTI_AZ\" # Critical: cluster (Multi-AZ) to pass the check\n host_instance_type = \"mq.m5.large\"\n publicly_accessible = true\n\n user {\n username = \"<example_username>\"\n password = \"<example_password>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure RabbitMQ brokers are deployed in cluster mode to enhance resilience and prevent data loss during failures.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture.html#rabbitmq-broker-architecture-cluster"
"Text": "Use **cluster deployment** (`CLUSTER_MULTI_AZ`) for RabbitMQ to remove single-instance risk.\n\nApply **resiliency by design**: clients auto-reconnect, retries with backoff, and idempotent processing; test failover, size for node loss, and enforce **least privilege** with monitoring for defense in depth.",
"Url": "https://hub.prowler.com/check/mq_broker_cluster_deployment_mode"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
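Review bot: `Severity` is raised to `medium` here while the equivalent ActiveMQ active/standby check (`mq_broker_active_deployment_mode`) in this PR stays at `low`; both cover the same single-point-of-failure risk with near-identical `Risk` text, so the two values should be aligned or the difference explained. As in the other hunks, the CLI passes `--publicly-accessible` and the IaC sets `PubliclyAccessible: true` / `publicly_accessible = true`, which contradicts `mq_broker_not_publicly_accessible`; prefer the private default in remediation examples. The `Note:` that deployment mode cannot be changed on an existing broker is useful, and the active/standby check would benefit from the same sentence.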


@@ -1,28 +1,37 @@
{
"Provider": "aws",
"CheckID": "mq_broker_logging_enabled",
"CheckTitle": "MQ brokers should stream audit logs to CloudWatch.",
"CheckTitle": "MQ broker has general logging enabled and, for ActiveMQ, audit logging enabled",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Ensure MQ brokers are configured to stream audit logs to CloudWatch to enhance monitoring and detect security-related issues.",
"Risk": "Without streaming audit logs to CloudWatch, monitoring and alerting on suspicious activity or security incidents is limited. This reduces visibility into the broker's operations and potential security breaches.",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html",
"Description": "**Amazon MQ brokers** have logging to **CloudWatch Logs** enabled per engine type: **ActiveMQ** requires both `general` and `audit` logs; **RabbitMQ** requires `general` logs.",
"Risk": "Missing broker logs creates blind spots in authentication events, administrative changes, and broker failures. Adversaries can act without detection, enabling unauthorized access and message tampering (confidentiality/integrity) and hindering incident response and root-cause analysis (availability).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-2",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/log-exports.html",
"https://docs.aws.amazon.com/cli/latest/reference/mq/create-broker.html",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html"
],
"Remediation": {
"Code": {
"CLI": "aws mq update-broker --broker-id <broker-id> --logs 'audit=true'",
"NativeIaC": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_10/#terraform",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-2",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/log-exports.html"
"CLI": "aws mq update-broker --broker-id <example_resource_id> --logs Audit=true,General=true",
"NativeIaC": "```yaml\n# CloudFormation: Enable Amazon MQ logging\nResources:\n <example_resource_name>:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: <example_resource_name>\n EngineType: ACTIVEMQ\n HostInstanceType: mq.t3.micro\n DeploymentMode: SINGLE_INSTANCE\n PubliclyAccessible: true\n Users:\n - Username: <example_user>\n Password: <example_password>\n Logs:\n General: true # Critical: enables general logs to CloudWatch\n Audit: true # Critical: enables audit logs (required for ActiveMQ)\n```",
"Other": "1. In the AWS Console, go to Amazon MQ > Brokers\n2. Select <example_resource_name> and choose Edit\n3. In Log settings:\n - For ActiveMQ: enable General logs and Audit logs\n - For RabbitMQ: enable General logs only\n4. Save changes and reboot if prompted",
"Terraform": "```hcl\n# Terraform: Enable Amazon MQ logging\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"ActiveMQ\"\n host_instance_type = \"mq.t3.micro\"\n deployment_mode = \"SINGLE_INSTANCE\"\n publicly_accessible = true\n\n user {\n username = \"<example_user>\"\n password = \"<example_password>\"\n }\n\n logs {\n general = true # Critical: enables general logs\n audit = true # Critical: enables audit logs (ActiveMQ)\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure MQ brokers are configured to stream audit logs to CloudWatch to enhance monitoring and detect security-related issues.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html"
"Text": "Enable centralized **CloudWatch Logs** for brokers. For **ActiveMQ**, turn on both `general` and `audit` logs; for **RabbitMQ**, enable `general` logs.\n\nApply **least privilege** to log access, set retention, and create alerts for anomalous events to strengthen **defense in depth**.",
"Url": "https://hub.prowler.com/check/mq_broker_logging_enabled"
}
},
"Categories": [
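Review bot: the CLI `aws mq update-broker --broker-id <example_resource_id> --logs Audit=true,General=true` enables audit logging unconditionally, while the new `Description` states that RabbitMQ brokers require only `general` logs and the title scopes audit logging to ActiveMQ; add a RabbitMQ variant with `--logs General=true` or state that `Audit=true` applies to ActiveMQ only, so the remediation is not wrong for half the brokers the check covers. `Severity` is also lowered from `medium` to `low` even though the rewritten `Risk` text argues that missing logs hide authentication events and block incident response; a detection-control downgrade like that deserves a justification in the PR. The IaC snippets again ship `PubliclyAccessible: true` / `publicly_accessible = true`.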


@@ -1,28 +1,36 @@
{
"Provider": "aws",
"CheckID": "mq_broker_not_publicly_accessible",
"CheckTitle": "MQ brokers should not be publicly accessible.",
"CheckTitle": "Amazon MQ broker is not publicly accessible",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
"TTPs/Initial Access",
"Effects/Data Exposure"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Brokers created without public accessibility can't be accessed from outside of your VPC. This greatly reduces your broker's susceptibility to Distributed Denial of Service (DDoS) attacks from the public internet.",
"Risk": "Public Amazon MQ brokers can be accessed directly, outside of a Virtual Private Cloud (VPC), therefore every machine on the Internet can reach your brokers through their public endpoints and this can increase the opportunity for malicious activity such as cross-site scripting (XSS) and clickjacking attacks. ",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html#prefer-brokers-without-public-accessibility",
"Description": "**Amazon MQ brokers** are evaluated for **public accessibility**, determining whether a broker exposes a public endpoint or is restricted to VPC-only connectivity via its `publicly accessible` setting.",
"Risk": "**Publicly reachable brokers** expand exposure: internet hosts can probe protocols and consoles, attempt credential spraying, publish/consume messages, and flood connections. This threatens **confidentiality** (data leakage), **integrity** (message tampering), and **availability** (DoS/resource exhaustion).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html#prefer-brokers-without-public-accessibility",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/publicly-accessible.html#"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/publicly-accessible.html#",
"Terraform": ""
"NativeIaC": "```yaml\n# CloudFormation: Amazon MQ broker without public accessibility\nResources:\n <example_resource_name>:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: <example_resource_name>\n EngineType: ACTIVEMQ\n EngineVersion: <example_engine_version>\n HostInstanceType: <example_instance_type>\n PubliclyAccessible: false # Critical: disables public internet access\n Users:\n - Username: <example_username>\n Password: <example_password>\n SubnetIds:\n - <example_subnet_id>\n SecurityGroups:\n - <example_security_group_id>\n AutoMinorVersionUpgrade: true\n```",
"Other": "1. Open the AWS Console and go to Amazon MQ\n2. Create a new broker and set Public accessibility to Disabled/No\n3. Point your clients to the new broker's private endpoints\n4. Delete the old publicly accessible broker",
"Terraform": "```hcl\n# Amazon MQ broker without public accessibility\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"ActiveMQ\"\n engine_version = \"<example_engine_version>\"\n host_instance_type = \"<example_instance_type>\"\n publicly_accessible = false # Critical: disables public internet access\n security_groups = [\"<example_security_group_id>\"]\n subnet_ids = [\"<example_subnet_id>\"]\n\n user {\n username = \"<example_username>\"\n password = \"<example_password>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that the Amazon MQ brokers provisioned in your AWS account are not publicly accessible from the Internet in order to avoid exposing sensitive data and minimize security risks.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html#prefer-brokers-without-public-accessibility"
"Text": "Prefer private deployment: set `publicly_accessible=false`, place brokers in private subnets, and restrict security groups to trusted producers/consumers. Use private connectivity (VPC endpoints, peering, VPN/Direct Connect). Enforce strong authn and authorization maps, and allow only required protocol ports. Apply **least privilege**.",
"Url": "https://hub.prowler.com/check/mq_broker_not_publicly_accessible"
}
},
"Categories": [
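Review bot: the `CLI` field is left empty (`"CLI": "",`) although public accessibility, like deployment mode, is fixed at broker creation and the other checks in this PR now ship a command; `aws mq create-broker` with `--no-publicly-accessible` plus the placeholders already used in the Terraform block would complete the remediation set. Also, the `Description` refers to the setting as `publicly accessible` in code formatting; the API and CloudFormation property is `PubliclyAccessible` and the Terraform argument is `publicly_accessible` (as the `Recommendation` already uses), so one of those exact names would be more precise.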