MQ Deployment Mode

Last updated: 04 August 2018
Reliability

Risk level: Low (generally tolerable level of risk)

Ensure that your AWS MQ brokers are using the active/standby deployment mode for high availability. The MQ active/standby deployment mode consists of two broker instances configured as a redundant pair. To implement this model, the Amazon MQ service creates one broker instance in one Availability Zone (AZ) and a standby broker instance in a different AZ. The broker instances communicate with your application, with each other, and with a shared AWS storage location.

With the active/standby deployment mode enabled, as opposed to the default single-instance mode, you achieve high availability for your Amazon MQ brokers because the service fails over automatically to the standby instance if the active one becomes unavailable.

Audit

To determine the deployment mode for your AWS MQ brokers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to examine and click on the broker name (link) to access its settings page.

05 On the MQ broker configuration page, within the Specifications section, check the Deployment Mode attribute value to determine the deployment mode currently used by the selected broker. If the attribute value is Single-instance broker, the active/standby deployment mode is not enabled for the selected AWS MQ broker, so the broker is not configured for high availability.

06 Repeat steps no. 4 and 5 to verify the deployment mode for other AWS MQ brokers available within the current region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run the list-brokers command (OSX/Linux/UNIX) with a custom query filter to list the IDs of all existing MQ brokers available within your AWS account:

aws mq list-brokers \
	--region us-east-1 \
	--query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs:

[
    "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
]

03 Run the describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to examine as identifier to determine the deployment mode used by the selected AWS MQ broker:

aws mq describe-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
	--query 'DeploymentMode'

04 The command output should return the name of the deployment mode currently in use:

"SINGLE_INSTANCE"

If the describe-broker command output returns "SINGLE_INSTANCE", as shown in the example above, the active/standby deployment mode is not enabled for the selected Amazon MQ broker.

05 Repeat steps no. 3 and 4 to verify the deployment mode for other AWS MQ brokers available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
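The CLI audit above (list the broker IDs, describe each one, flag SINGLE_INSTANCE, repeat per region) automated in Python. This is an added example, not Cloud Conformity's or AWS's own code; it assumes a client with boto3-style list_brokers/describe_broker methods and ships with a constructed fake client built from the page's two sample broker IDs so it runs without AWS access.

```python
"""Audit Amazon MQ brokers for the active/standby deployment mode (added example)."""

HA_MODES = {"ACTIVE_STANDBY_MULTI_AZ"}  # the only deployment mode this page treats as HA


def broker_finding(broker):
    """Map one describe-broker response to a compliance finding."""
    mode = broker.get("DeploymentMode", "UNKNOWN")
    return {
        "BrokerId": broker["BrokerId"],
        "BrokerName": broker.get("BrokerName", ""),
        "DeploymentMode": mode,
        "HighlyAvailable": mode in HA_MODES,
    }


def audit_brokers(mq_client):
    """Steps 1-5 of the CLI audit for one region: page through list-brokers (NextToken),
    describe each broker and record whether it runs in a highly available mode.
    mq_client exposes list_brokers/describe_broker like a boto3 'mq' client (assumption)."""
    findings, token = [], None
    while True:
        page = mq_client.list_brokers(**({"NextToken": token} if token else {}))
        for summary in page.get("BrokerSummaries", []):
            detail = mq_client.describe_broker(BrokerId=summary["BrokerId"])
            findings.append(broker_finding(detail))
        token = page.get("NextToken")
        if not token:
            return findings


def non_compliant_ids(findings):
    """IDs of brokers that must be re-created per the Remediation section."""
    return [f["BrokerId"] for f in findings if not f["HighlyAvailable"]]


class FakeMqClient:
    """Constructed stand-in that answers with the page's sample brokers (no AWS calls)."""
    _brokers = {
        "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc": ("cc-prod-broker", "SINGLE_INSTANCE"),
        "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd": ("cc-ha-prod-broker", "ACTIVE_STANDBY_MULTI_AZ"),
    }

    def list_brokers(self, **kwargs):
        return {"BrokerSummaries": [{"BrokerId": b} for b in self._brokers]}

    def describe_broker(self, BrokerId):
        name, mode = self._brokers[BrokerId]
        return {"BrokerId": BrokerId, "BrokerName": name, "DeploymentMode": mode}


if __name__ == "__main__":
    import boto3  # real run: one 'mq' client per region you need to audit
    for region in ["us-east-1"]:  # extend this list to cover every region (step 06)
        print(region, non_compliant_ids(audit_brokers(boto3.client("mq", region_name=region))))
```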

Remediation / Resolution

To enable active/standby deployment mode for your existing Amazon MQ brokers, you must re-create them with the necessary high availability configuration. To relaunch the required MQ brokers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to re-create and click on the broker name (link) to access its configuration page.

05 On the MQ broker settings page, perform the following:

  a. Within the Details section, copy the broker configuration information such as Broker instance type, Broker engine, Broker engine version, Configuration name and revision, Security and network details and so on.
  b. Inside the Users section, locate and copy the ActiveMQ Web Console access credentials.

06 Go back to the MQ brokers page and click Create broker to initiate the launch process.

07 On the Create a broker page, perform the following actions:

  a. Provide a unique name for the new broker in the Broker name box.
  b. Within the Deployment mode section, select the Active/standby broker for high availability option to enable the active/standby deployment mode.
  c. Set the new broker configuration parameters using the information copied at step no. 5 a.
  d. Set the existing ActiveMQ Web Console access credentials copied at step no. 5 b.
  e. Click Create broker to launch the new MQ broker.

08 Once the new broker is created, you can replace the necessary endpoint(s) within your application(s).

09 Now it is safe to remove the source AWS MQ broker in order to stop incurring charges for it. To delete the single-instance broker, perform the following:

  a. Select the broker that you want to remove (see Audit section part I to identify the right AWS MQ resource).
  b. Click the Delete button from the dashboard top menu.
  c. Within the Delete broker <broker_name> dialog box, enter the phrase delete to confirm the action, then click the Delete button.

10 Repeat steps no. 4 – 9 to enable active/standby deployment mode for other AWS MQ brokers provisioned in the current region.

11 Change the AWS region from the navigation bar to repeat the entire process for other regions.

Using AWS CLI

01 Run the describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration of the selected (single-instance) broker:

aws mq describe-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

02 The command output should return the configuration details for the selected AWS MQ broker:

{
    "MaintenanceWindowStartTime": {
        "DayOfWeek": "MONDAY",
        "TimeZone": "UTC",
        "TimeOfDay": "01:00"
    },
    "PubliclyAccessible": true,
    "EngineVersion": "5.15.0",
    "EngineType": "ActiveMQ",
    "DeploymentMode": "SINGLE_INSTANCE",

    ...

    "HostInstanceType": "mq.m4.large",
    "SubnetIds": [
        "subnet-ddddeeee"
    ],
    "AutoMinorVersionUpgrade": false,
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-prod-broker:b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerName": "cc-prod-broker",
    "SecurityGroups": [
        "sg-abcd1234"
    ]
}

03 Run the create-broker command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the selected AWS MQ broker in two different Availability Zones (AZs). The --deployment-mode parameter set to ACTIVE_STANDBY_MULTI_AZ enables the active/standby deployment mode, and --subnet-ids must list one subnet in each of the two AZs:

aws mq create-broker \
	--region us-east-1 \
	--broker-name cc-ha-prod-broker \
	--configuration Id="c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",Revision=1 \
	--deployment-mode ACTIVE_STANDBY_MULTI_AZ \
	--engine-type ACTIVEMQ \
	--engine-version 5.15.0 \
	--host-instance-type mq.m4.large \
	--security-groups "sg-abcd1234" \
	--subnet-ids "subnet-aaaabbbb" "subnet-ddddeeee" \
	--users ConsoleAccess=true,Username="brokeruser",Password="brokerpasswd" \
	--publicly-accessible \
	--auto-minor-version-upgrade

04 The command output should return the new MQ broker identifiers (ID and ARN):

{
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-ha-prod-broker:b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd",
    "BrokerId": "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
}

05 Once the new broker is created, you can replace the necessary endpoint(s) within your application(s).

06 Now it is safe to remove the source Amazon MQ broker in order to stop incurring charges for the resource. To terminate the single-instance broker, run the delete-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to delete as command parameter:

aws mq delete-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

07 The command output should return the ID of the MQ broker selected for deletion:

{
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"
}

08 Repeat steps no. 1 – 7 to enable active/standby deployment mode for other AWS MQ brokers provisioned in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the remediation/resolution process for other regions.

Publication date Dec 22, 2017