
πŸ›‘οΈ AWS MQ ActiveMQ Broker Audit Logging is not enabled🟒

Description

This policy identifies AWS MQ for ActiveMQ Brokers that do not have audit logging enabled.

Rationale

Audit logging provides visibility into administrative actions performed on the broker, including changes made through the Amazon MQ console, AWS CLI, or Amazon MQ API. Enabling audit logs is a security best practice that helps detect unauthorized or unexpected configuration changes and supports compliance and governance requirements by maintaining a detailed audit trail of management activity.

Audit

This policy flags an AWS MQ Broker running ActiveMQ as INCOMPLIANT when the Logs: Audit field is set to Disabled.

AWS MQ Brokers running RabbitMQ are marked as INAPPLICABLE.

Remediation

Enable Audit Logging for the Broker

Enable audit logging on the Amazon MQ for ActiveMQ broker to ensure that all administrative actions are captured and delivered to Amazon CloudWatch Logs.

From the Command Line

Step 1: Enable Audit Logs on the Broker

Run the following command to update the broker configuration and enable audit logging:

aws mq update-broker \
    --broker-id {{broker-id}} \
    --logs 'Audit=true'

Ensure Required CloudWatch Logs Permissions

Audit logs are delivered to Amazon CloudWatch Logs. To successfully publish logs, the required IAM permissions and resource-based policies must be in place.

Grant logs:CreateLogGroup Permission

Ensure that the IAM principal used to create or manage the broker has permission to create CloudWatch log groups.

Example IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
        }
    ]
}

Important: If this permission is not granted before the broker is created or rebooted, Amazon MQ will not create the required log group.
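The Audit logic above (ActiveMQ broker with Logs.Audit disabled is INCOMPLIANT, RabbitMQ is INAPPLICABLE) and the logs:CreateLogGroup check, written out as a small offline evaluator. This is an added example, not Cloudaware's policy code: the broker dicts mirror the DescribeBroker response shape (EngineType, Logs.Audit), the broker ids and account id are constructed placeholders, and IAM wildcard matching is approximated with fnmatch.

```python
from fnmatch import fnmatchcase

# Verdict strings used by the policy page.
COMPLIANT, INCOMPLIANT, INAPPLICABLE = "COMPLIANT", "INCOMPLIANT", "INAPPLICABLE"

def evaluate_broker(broker: dict) -> str:
    """Policy logic from the Audit section; keys follow the DescribeBroker shape."""
    if str(broker.get("EngineType", "")).upper() != "ACTIVEMQ":
        return INAPPLICABLE  # RabbitMQ brokers are out of scope
    # A missing Logs block or Audit key is treated as audit logging disabled.
    if broker.get("Logs", {}).get("Audit", False):
        return COMPLIANT
    return INCOMPLIANT

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def allows_create_log_group(policy: dict, log_group_arn: str) -> bool:
    """True if an Allow statement grants logs:CreateLogGroup on log_group_arn.
    IAM '*' wildcards are approximated with fnmatch; Deny statements and
    Condition blocks are ignored (a simplification for this example)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase("logs:createloggroup", a.lower())
                        for a in _as_list(stmt.get("Action")))
        resource_ok = any(fnmatchcase(log_group_arn, r)
                          for r in _as_list(stmt.get("Resource")))
        if action_ok and resource_ok:
            return True
    return False

# Constructed sample data: placeholder broker ids and account id, not real resources.
SAMPLE_BROKERS = [
    {"BrokerId": "b-audit-on", "EngineType": "ACTIVEMQ", "Logs": {"Audit": True, "General": True}},
    {"BrokerId": "b-audit-off", "EngineType": "ACTIVEMQ", "Logs": {"Audit": False, "General": True}},
    {"BrokerId": "b-no-logs", "EngineType": "ACTIVEMQ"},
    {"BrokerId": "b-rabbit", "EngineType": "RABBITMQ", "Logs": {"General": True}},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:CreateLogGroup",
     "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"}]}
AUDIT_LOG_GROUP_ARN = ("arn:aws:logs:us-east-1:111122223333:"
                       "log-group:/aws/amazonmq/broker/b-audit-off/audit")

if __name__ == "__main__":
    for b in SAMPLE_BROKERS:
        print(b["BrokerId"], evaluate_broker(b))
    print("IAM grants logs:CreateLogGroup:",
          allows_create_log_group(SAMPLE_POLICY, AUDIT_LOG_GROUP_ARN))
```

To run it against a real account, replace SAMPLE_BROKERS with the output of `aws mq describe-broker` for each broker id from `aws mq list-brokers`.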



Linked Framework Sections

💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
💼 FedRAMP High Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
💼 FedRAMP Low Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)
💼 FedRAMP Moderate Security Controls → 💼 SI-4 System Monitoring (L)(M)(H)
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring
💼 PCI DSS v3.2.1 → 💼 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
💼 PCI DSS v3.2.1 → 💼 10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
💼 PCI DSS v4.0.1 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.
💼 PCI DSS v4.0 → 💼 10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.