
AWS MQ Auto Minor Version Upgrade

Security

Risk level: Medium (should be achieved)

Ensure that your Amazon MQ brokers have the Auto Minor Version Upgrade feature enabled in order to automatically receive minor engine upgrades as Apache releases new versions. Automatic upgrades occur during the broker maintenance window, which is defined by the day of the week, the time of day, and the time zone (UTC by default). Each version upgrade is made available only after it has been tested and approved by Amazon Web Services.

AWS MQ is a managed service for Apache ActiveMQ, a popular open-source message broker. As AWS MQ deprecates minor engine versions and provides new ones for upgrade, it is highly recommended that new versions of the engine are applied automatically. When only the last number of the version is replaced (e.g. 5.15.0 to 5.15.x), the version change is considered minor. With the Auto Minor Version Upgrade feature enabled, version upgrades occur automatically during the specified maintenance window, so that your AWS MQ brokers receive new software features, bug fixes and security patches without manual intervention.

Audit

To determine if your Amazon MQ brokers have the Auto Minor Version Upgrade feature enabled, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to examine and click on the broker name (link) to access its configuration page.

05 On the MQ broker configuration page, within the Maintenance section, check the Automatic minor version upgrade attribute value. If the attribute value is set to No, the Auto Minor Version Upgrade feature is not enabled and minor engine upgrades are not applied to the selected AWS MQ broker as Apache releases new versions.

06 Repeat steps no. 4 and 5 for each Amazon MQ broker provisioned in the current region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run the list-brokers command (OSX/Linux/UNIX) using custom query filters to list the IDs of all existing MQ brokers available within your AWS account:

aws mq list-brokers \
    --region us-east-1 \
    --query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs:

[
    "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
]

03 Run the describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to examine as the identifier to determine the Auto Minor Version Upgrade feature status for the selected broker:

aws mq describe-broker \
    --region us-east-1 \
    --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
    --query 'AutoMinorVersionUpgrade'

04 The command output should return the feature's current status (true for enabled, false for disabled):

false

If the describe-broker command output returns false, as shown in the example above, the Auto Minor Version Upgrade feature is not enabled and the minor engine upgrades are not applied to the selected AWS MQ broker.

05 Repeat steps no. 3 and 4 for each Amazon MQ broker provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
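The CLI audit above can be automated across brokers and regions. The following script is an added example and is not part of the Cloud Conformity page; it issues the same list-brokers and describe-broker calls as steps 1 to 6 and assumes the AWS CLI is installed with credentials configured (the function names and output format are the example's own).

```shell
#!/bin/sh
# Added audit helper (not part of the Cloud Conformity page): walks every Amazon MQ
# broker in the given regions, using the same list-brokers / describe-broker calls
# as the audit steps above, and reports brokers with AutoMinorVersionUpgrade = false.
# Assumes the AWS CLI is installed and credentials are configured.
set -eu

# Print one line per broker in a region: "<region> <broker-id> <true|false>".
audit_region() {
    region="$1"
    ids=$(aws mq list-brokers --region "$region" \
          --query 'BrokerSummaries[*].BrokerId' --output text)
    case "$ids" in None) ids="" ;; esac   # text output prints None for a null result
    for id in $ids; do
        status=$(aws mq describe-broker --region "$region" --broker-id "$id" \
                 --query 'AutoMinorVersionUpgrade' --output json)
        printf '%s %s %s\n' "$region" "$id" "$status"
    done
}

# Print "<region> <broker-id>" for each non-compliant broker across the given regions.
# Returns 1 when at least one broker has the feature disabled, so it can gate a pipeline.
noncompliant_brokers() {
    report=""
    for region in "$@"; do
        report="${report}$(audit_region "$region")
"
    done
    printf '%s' "$report" | awk '$3 == "false" { print $1, $2 }'
    if printf '%s' "$report" | grep -q ' false$'; then
        return 1
    fi
    return 0
}

# Usage: ./mq-audit.sh us-east-1 us-west-2
if [ "$#" -gt 0 ]; then
    noncompliant_brokers "$@"
fi
```

Run it with the list of regions you operate in; a non-zero exit status means at least one broker still has the feature disabled.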

Remediation / Resolution

To enable the Auto Minor Version Upgrade feature for your existing Amazon MQ brokers, you must re-create them with the necessary configuration. To relaunch the required MQ brokers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to re-create and click on the broker name (link) to access its configuration page.

05 On the MQ broker settings page, perform the following:

  a. Within the Details section, copy the broker configuration information such as Broker instance type, Deployment mode, Broker engine, Broker engine version, Configuration name and revision, Security and network details and so on.
  b. Inside the Users section, locate and copy the ActiveMQ Web Console access credentials.

06 Go back to the MQ brokers page and click Create broker to initiate the launch process.

07 On the Create a broker page, perform the following actions:

  1. Provide a unique name for the new broker in the Broker name box.
  2. Select Enable automatic minor version upgrades checkbox to enable automatic engine upgrades to new versions as they are released.
  3. Set the new broker configuration parameters using the information copied at step no. 5 a.
  4. Set the existing ActiveMQ Web Console access credentials copied at step no. 5 b.
  5. Click Create broker to launch the new MQ broker.

08 Once the new broker is created, you can replace the necessary endpoint(s) within your application(s).

09 Now it’s safe to remove the source AWS MQ broker in order to stop incurring charges for it. To delete the necessary broker, perform the following:

  1. Select the broker that you want to remove (see Audit section part I to identify the right MQ resource).
  2. Click the Delete button from the dashboard top menu.
  3. Within Delete broker <broker_name> dialog box, enter the phrase delete to confirm the action, then click the Delete button.

10 Repeat steps no. 4 – 9 to enable Auto Minor Version Upgrade feature for other AWS MQ brokers provisioned in the current region.

11 Change the AWS region from the navigation bar to repeat the entire process for other regions.

Using AWS CLI

01 Run the describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected broker:

aws mq describe-broker \
    --region us-east-1 \
    --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

02 The command output should return the configuration details for the selected AWS MQ broker:

{
    "MaintenanceWindowStartTime": {
        "DayOfWeek": "MONDAY",
        "TimeZone": "UTC",
        "TimeOfDay": "01:00"
    },
    "PubliclyAccessible": true,
    "EngineVersion": "5.15.0",
    "EngineType": "ActiveMQ",
    "DeploymentMode": "SINGLE_INSTANCE",
    
    ...
 
    "HostInstanceType": "mq.m4.large",
    "SubnetIds": [
        "subnet-aaaabbbb"
    ],
    "AutoMinorVersionUpgrade": false,
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-web-broker:b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerName": "cc-web-broker",
    "SecurityGroups": [
        "sg-12345678"
    ]
}

03 Run the create-broker command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the selected AWS MQ broker, and enable the Auto Minor Version Upgrade feature using the --auto-minor-version-upgrade parameter:

aws mq create-broker \
    --region us-east-1 \
    --broker-name cc-new-web-broker \
    --configuration Id="c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",Revision=1 \
    --deployment-mode SINGLE_INSTANCE \
    --engine-type ACTIVEMQ \
    --engine-version 5.15.0 \
    --host-instance-type mq.m4.large \
    --security-groups "sg-12345678" \
    --subnet-ids "subnet-aaaabbbb" \
    --users ConsoleAccess=true,Username="brokeruser",Password="brokerpasswd" \
    --publicly-accessible \
    --auto-minor-version-upgrade

04 The command output should return the new MQ broker identifiers (ID and ARN):

{
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-new-web-broker:b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd",
    "BrokerId": "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
}

05 Once the new broker is created, you can replace the necessary endpoint(s) within your application(s).

06 Now it is safe to remove the source Amazon MQ broker in order to stop incurring charges for the resource. To terminate the broker, run the delete-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to delete as the command parameter:

aws mq delete-broker \
    --region us-east-1 \
    --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

07 The command output should return the ID of the MQ broker selected for deletion:

{
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"
}

08 Repeat steps no. 1 – 7 to enable Auto Minor Version Upgrade feature for other AWS MQ brokers available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the remediation/resolution process for other regions.

Publication date Dec 22, 2017