AWS MQ Broker is publicly accessible
- Contextual name: Broker is publicly accessible
- ID: /ce/ca/aws/mq/broker-public-access
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
- AWS MQ Broker
- AWS MQ Broker - object.extracts.yaml
- test-data.json
Similar Policies
- Cloud Conformity: Publicly Accessible MQ Brokers
Description
This policy identifies AWS MQ brokers that are configured to be publicly accessible.
To reduce security exposure, Amazon MQ brokers deployed within your AWS account should not be accessible from the public internet. Publicly accessible brokers increase the risk of unauthorized access and potential data exposure.
Rationale
Amazon MQ brokers should be deployed within private subnets to ensure access is restricted to resources inside the VPC or through secure connectivity mechanisms such as AWS Site-to-Site VPN, Client VPN, or AWS Direct Connect. Making a broker publicly accessible exposes it to external threats, including brute-force attacks and other malicious activity.
Audit
This policy flags an AWS MQ Broker as INCOMPLIANT when the Publicly Accessible field is set to true.
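A small audit script, added here as an example rather than part of the policy's own logic files, that applies the same rule to DescribeBroker output. The sample records are constructed to mirror only the fields the check needs; the `collect_brokers` helper assumes boto3 and configured AWS credentials and is not exercised offline.

```python
"""Added example: flag Amazon MQ brokers whose PubliclyAccessible field is true."""
from typing import Dict, Iterable, List

# Constructed sample records shaped like the DescribeBroker API response
# (only the fields relevant to this policy are included).
SAMPLE_BROKERS: List[Dict] = [
    {"BrokerId": "b-1111", "BrokerName": "orders-mq", "PubliclyAccessible": True,
     "SubnetIds": ["subnet-aaa"], "SecurityGroups": ["sg-111"]},
    {"BrokerId": "b-2222", "BrokerName": "billing-mq", "PubliclyAccessible": False,
     "SubnetIds": ["subnet-bbb", "subnet-ccc"], "SecurityGroups": ["sg-222"]},
    {"BrokerId": "b-3333", "BrokerName": "legacy-mq"},  # field missing from the extract
]


def evaluate_broker(broker: Dict) -> str:
    """Return COMPLIANT, INCOMPLIANT or UNKNOWN for one broker description.

    Policy rule: a broker is INCOMPLIANT when PubliclyAccessible is true.
    A record without the field cannot be judged, so it is reported as UNKNOWN
    instead of silently passing (assumed handling, not the policy's own).
    """
    if "PubliclyAccessible" not in broker:
        return "UNKNOWN"
    return "INCOMPLIANT" if broker["PubliclyAccessible"] else "COMPLIANT"


def audit(brokers: Iterable[Dict]) -> Dict[str, str]:
    """Map each BrokerId to its compliance status."""
    return {b["BrokerId"]: evaluate_broker(b) for b in brokers}


def collect_brokers(region: str) -> List[Dict]:
    """Fetch live broker descriptions with boto3 (assumes credentials are configured)."""
    import boto3  # imported lazily so the offline sample run needs no AWS SDK

    mq = boto3.client("mq", region_name=region)
    found: List[Dict] = []
    for page in mq.get_paginator("list_brokers").paginate():
        for summary in page.get("BrokerSummaries", []):
            found.append(mq.describe_broker(BrokerId=summary["BrokerId"]))
    return found


if __name__ == "__main__":
    for broker_id, status in audit(SAMPLE_BROKERS).items():
        print(f"{broker_id}: {status}")
```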
Remediation
Configure Amazon MQ Brokers to Be Private
Amazon MQ brokers that are publicly accessible cannot be modified in place. To disable public access, the broker must be re-created with a configuration that restricts network access to private subnets within your VPC.
Using AWS CloudFormation
Use AWS CloudFormation to provision a new Amazon MQ broker with public accessibility disabled.
CloudFormation Template (YAML)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Disable public access for Amazon MQ brokers
Resources:
  MQBroker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      BrokerName: {{broker-name}}
      DeploymentMode: ACTIVE_STANDBY_MULTI_AZ
      EngineType: ActiveMQ
      EngineVersion: {{5.15.0}}
      HostInstanceType: {{mq.m5.large}}
      AutoMinorVersionUpgrade: true
      Logs:
        General: true
        Audit: true
      PubliclyAccessible: false
      SecurityGroups:
        - {{sg-id1}}
        - {{sg-id2}}
      SubnetIds:
        - {{subnet-id1}}
```
... [see more](remediation.md)
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Well-Architected → SEC08-BP04 Enforce access control | 8 | no data | | | |
| Cloudaware Framework → Public and Anonymous Access | 115 | no data | | | |