πŸ›‘οΈ AWS MQ ActiveMQ Broker uses the single instance deployment mode🟒

  • Contextual name: 🛡️ ActiveMQ Broker uses the single instance deployment mode 🟢
  • ID: /ce/ca/aws/mq/activemq-broker-deployment-mode
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS MQ ActiveMQ Brokers that are configured with the single-instance deployment mode.

For high availability, AWS MQ brokers should use the active/standby deployment mode, which consists of two broker instances in a redundant configuration. In this model, AWS MQ deploys one broker instance in a primary Availability Zone and a standby instance in a different AZ to ensure failover capability.

Rationale

A single-instance deployment presents a significant risk to application reliability. If the underlying instance or its Availability Zone fails, the broker becomes unavailable, potentially halting all message processing for your application.

Additionally, during software updates or maintenance windows, a single-instance broker experiences temporary downtime, as there is no standby instance to assume the workload. While Amazon MQ uses redundant storage, service availability is inherently limited in single-instance mode.

Impact

Migrating to an active/standby configuration incurs additional costs for running a standby broker.

Remediation

Migrate the Broker to Active/Standby Deployment Mode

AWS MQ does not allow changing the deployment mode of an existing broker. To remediate a single-instance broker, you must create a new broker with the active/standby deployment mode and migrate the configuration and users from the original broker.

From Command Line
  1. Retrieve the configuration of the existing single-instance broker:

    aws mq describe-broker \
    --broker-id {{broker-id}}

    The output includes the broker’s settings, such as engine type, version, instance type, subnets, and security groups:

    {
        "EngineVersion": "5.15.0",
        "EngineType": "ActiveMQ",
        "DeploymentMode": "SINGLE_INSTANCE",
        "HostInstanceType": "mq.m5.large",

        ---

        "SubnetIds": [
            "subnet-0abcd1234abcd1234",
            "subnet-01234abcd1234abcd"
        ],
        "SecurityGroups": [
            "sg-01234abcd1234abcd"
        ]
    }
  2. Create a new broker with the active/standby multi-AZ deployment mode using the retrieved configuration and appropriate parameters:

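The check this policy performs and the first remediation step, worked through in Python as an added example (not Cloudaware's policy code or an AWS tool): `find_single_instance_brokers` evaluates describe-broker records against the policy condition, and `active_standby_params` derives the create-broker parameters for the replacement broker from the original's settings. The broker records, names and IDs are constructed samples; the two-subnet requirement follows Amazon MQ's rule that an active/standby broker needs two subnets in different Availability Zones.

```python
"""Added example: evaluate the deployment-mode policy and plan the replacement broker."""
from typing import Dict, List

SINGLE_INSTANCE = "SINGLE_INSTANCE"
ACTIVE_STANDBY = "ACTIVE_STANDBY_MULTI_AZ"

# Constructed sample: same shape as `aws mq describe-broker` output, placeholder IDs.
SAMPLE_BROKERS: List[Dict] = [
    {"BrokerId": "b-1111", "BrokerName": "orders", "EngineType": "ActiveMQ",
     "EngineVersion": "5.15.0", "DeploymentMode": "SINGLE_INSTANCE",
     "HostInstanceType": "mq.m5.large",
     "SubnetIds": ["subnet-0abcd1234abcd1234"],
     "SecurityGroups": ["sg-01234abcd1234abcd"]},
    {"BrokerId": "b-2222", "BrokerName": "billing", "EngineType": "ActiveMQ",
     "EngineVersion": "5.17.6", "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
     "HostInstanceType": "mq.m5.large",
     "SubnetIds": ["subnet-0abcd1234abcd1234", "subnet-01234abcd1234abcd"],
     "SecurityGroups": ["sg-01234abcd1234abcd"]},
]


def is_noncompliant(broker: Dict) -> bool:
    """The policy condition: an ActiveMQ broker running in single-instance mode."""
    return (broker.get("EngineType") == "ActiveMQ"
            and broker.get("DeploymentMode") == SINGLE_INSTANCE)


def find_single_instance_brokers(brokers: List[Dict]) -> List[str]:
    """Return the BrokerIds that fail the policy."""
    return [b["BrokerId"] for b in brokers if is_noncompliant(b)]


def active_standby_params(broker: Dict, new_name: str, subnet_ids: List[str]) -> Dict:
    """Build the parameters for the replacement `create-broker` call.

    Engine, instance type and security groups are copied from the original.
    Active/standby needs two subnets in different AZs; only the count can be
    checked here. Users are not copied: describe-broker never returns passwords,
    so they must be recreated separately.
    """
    if len(set(subnet_ids)) != 2:
        raise ValueError("active/standby mode requires exactly two distinct subnets")
    return {
        "BrokerName": new_name,
        "EngineType": broker["EngineType"],
        "EngineVersion": broker["EngineVersion"],
        "HostInstanceType": broker["HostInstanceType"],
        "DeploymentMode": ACTIVE_STANDBY,
        "SubnetIds": list(subnet_ids),
        "SecurityGroups": list(broker.get("SecurityGroups", [])),
    }
```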

Linked Framework Sections

Section → Sub Section | Counts (Sub Sections, Internal Rules, Policies, Flags) | Compliance
💼 Cloudaware Framework → 💼 System Configuration | 69 | no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) | 19 | no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 220 | no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 20 | no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | 120 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | 21 | no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | 20 | no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | 20 | no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | 20 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives | 19 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution | 620 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | 24 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage | 212 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability | 19 | no data