
Publicly Accessible MQ Brokers

Last updated: 04 August 2018
Security

Risk level: Medium (should be achieved)

Ensure that the Amazon MQ brokers provisioned in your AWS account are not publicly accessible from the Internet, in order to avoid exposing sensitive data and to minimize security risks. The appropriate level of access depends on the use case; for most use cases, however, Cloud Conformity recommends that MQ brokers be accessible only privately, from within your AWS Virtual Private Cloud (VPC).

Public Amazon MQ brokers can be accessed directly from outside a Virtual Private Cloud (VPC), so any machine on the Internet can reach your brokers through their public endpoints. This increases the opportunity for malicious activity such as cross-site scripting (XSS) and clickjacking attacks.

Audit

To determine if your Amazon MQ brokers are publicly accessible, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to examine and click on the broker name (link) to access its configuration page.

05 On the MQ broker settings page, within the Security and network section, check the value of the Public accessibility attribute. If the attribute value is set to Yes, the selected Amazon MQ broker is publicly accessible from outside your Virtual Private Cloud (VPC) and exposed to numerous security risks.

06 Repeat steps no. 4 and 5 for each Amazon MQ broker provisioned in the current region.

07 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run the list-brokers command (OSX/Linux/UNIX) using custom query filters to list the IDs of all existing MQ brokers available within your AWS account:

aws mq list-brokers \
	--region us-east-1 \
	--query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs:

[
    "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd",
    "b-ccccdddd-eeee-ffff-gggg-ccccddddeeee"
]

03 Run the describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to examine as the identifier, to determine whether the selected Amazon MQ broker is publicly accessible:

aws mq describe-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
	--query 'PubliclyAccessible'

04 The command output should return the setting status (true for enabled, false for disabled):

true

If the describe-broker command output returns true, as shown in the example above, the selected Amazon MQ broker is publicly accessible to the Internet and exposed to multiple security risks.

05 Repeat steps no. 3 and 4 for each Amazon MQ broker available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.
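The CLI audit above, automated across regions as an added example (not Cloud Conformity's own tooling): public_brokers() evaluates describe-broker responses offline, and audit_account() wraps the list-brokers / describe-broker calls with boto3, which is assumed to be installed with credentials configured. The sample descriptions are constructed from the values shown on this page.

```python
"""Audit every region for publicly accessible Amazon MQ brokers."""
from typing import Dict, Iterable, List


def public_brokers(descriptions: Iterable[Dict]) -> List[Dict]:
    """Return one finding per describe-broker response whose broker is public."""
    findings = []
    for desc in descriptions:
        flag = desc.get("PubliclyAccessible")
        # Fail closed: a missing flag is reported rather than silently passed.
        if flag is not False:
            findings.append({
                "BrokerId": desc.get("BrokerId"),
                "BrokerName": desc.get("BrokerName"),
                "PubliclyAccessible": flag,
                "SecurityGroups": desc.get("SecurityGroups", []),
            })
    return findings


def audit_account(regions: Iterable[str]) -> Dict[str, List[Dict]]:
    """list-brokers then describe-broker in each region (CLI steps 01-06)."""
    import boto3  # assumption: boto3 installed and credentials configured

    report = {}
    for region in regions:
        mq = boto3.client("mq", region_name=region)
        descriptions, kwargs = [], {}
        while True:  # list_brokers is paginated via NextToken
            page = mq.list_brokers(**kwargs)
            for summary in page.get("BrokerSummaries", []):
                descriptions.append(mq.describe_broker(BrokerId=summary["BrokerId"]))
            if not page.get("NextToken"):
                break
            kwargs = {"NextToken": page["NextToken"]}
        report[region] = public_brokers(descriptions)
    return report


# Constructed sample mirroring the describe-broker fields shown on the page.
SAMPLE_DESCRIPTIONS = [
    {"BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc", "BrokerName": "cc-mq-broker",
     "PubliclyAccessible": True, "SecurityGroups": ["sg-abcd1234"]},
    {"BrokerId": "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd", "BrokerName": "cc-internal-broker",
     "PubliclyAccessible": False, "SecurityGroups": ["sg-abcd1234"]},
]

if __name__ == "__main__":  # offline demo on the constructed sample
    for f in public_brokers(SAMPLE_DESCRIPTIONS):
        print(f"PUBLIC broker {f['BrokerName']} ({f['BrokerId']})")
```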

Remediation / Resolution

To disable public accessibility for your existing Amazon MQ brokers, you must re-create them with the necessary configuration so that the brokers' endpoints are reachable only from within your VPC. To relaunch the required MQ brokers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to re-create and click on the broker name (link) to access its configuration page.

05 On the MQ broker settings page, perform the following:

  a. Inside the Details section, copy the broker configuration information such as Broker instance type, Deployment mode, Broker engine, Broker engine version, Configuration name and revision, and so on.
  b. Within the Users section, locate and copy the ActiveMQ Web Console access credentials.

06 Go back to the MQ brokers page and click Create broker to initiate the launch process.

07 On the Create a broker page, perform the following actions:

  a. Provide a unique name for the new broker in the Broker name box.
  b. Within the Advanced settings section, select No for Public accessibility to restrict public access to the new MQ broker and make it available only within your VPC.
  c. Set the new broker configuration parameters using the information copied at step no. 5 a.
  d. Set the existing ActiveMQ Web Console access credentials copied at step no. 5 b.
  e. Click Create broker to launch the new MQ broker.

08 Once the new broker is created, you can replace the broker endpoint(s) within your application(s).

09 Now you can remove the source AWS MQ broker in order to stop incurring charges for it. To delete the publicly accessible broker, perform the following:

  a. Select the broker that you want to remove (see Audit section part I to identify the right MQ resource).
  b. Click the Delete button from the dashboard top menu.
  c. Within the Delete broker <broker_name> dialog box, enter the phrase delete to confirm the action, then click the Delete button.

10 Repeat steps no. 4 – 9 to disable public accessibility for other AWS MQ brokers provisioned in the current region.

11 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected broker:

aws mq describe-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

02 The command output should return the configuration details for the selected AWS MQ broker:

{
    "MaintenanceWindowStartTime": {
        "DayOfWeek": "MONDAY",
        "TimeZone": "UTC",
        "TimeOfDay": "01:00"
    },
    "PubliclyAccessible": true,
    "EngineVersion": "5.15.0",
    "EngineType": "ActiveMQ",
    "DeploymentMode": "SINGLE_INSTANCE",

    ...

    "HostInstanceType": "mq.m4.large",
    "SubnetIds": [
        "subnet-ccccdddd"
    ],
    "AutoMinorVersionUpgrade": true,
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-mq-broker:b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerName": "cc-mq-broker",
    "SecurityGroups": [
        "sg-abcd1234"
    ]
}

03 Run the create-broker command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the selected Amazon MQ broker, making it accessible only within your VPC with the --no-publicly-accessible parameter:

aws mq create-broker \
	--region us-east-1 \
	--broker-name cc-internal-broker \
	--configuration Id="c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",Revision=1 \
	--deployment-mode SINGLE_INSTANCE \
	--engine-type ACTIVEMQ \
	--engine-version 5.15.0 \
	--host-instance-type mq.m4.large \
	--security-groups "sg-abcd1234" \
	--subnet-ids "subnet-ccccdddd" \
	--users ConsoleAccess=true,Username="ccuser",Password="ccpassword" \
	--no-publicly-accessible

04 The command output should return the new MQ broker identifiers (ID and ARN):

{
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-internal-broker:b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd",
    "BrokerId": "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
}

05 Once the new broker is created, you can replace the necessary endpoint(s) within your application(s).

06 Now you can remove the source Amazon MQ broker in order to stop incurring charges for the resource. To remove the publicly accessible broker, run the delete-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to delete as the parameter:

aws mq delete-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

07 The command output should return the ID of the MQ broker selected for deletion:

{
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"
}

08 Repeat steps no. 1 – 7 to disable public accessibility for other AWS MQ brokers available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the entire process for other regions.
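The field copying in CLI steps 01 to 03 above, done mechanically as an added example that is not part of the page: private_clone_params() maps a describe-broker response onto boto3 create_broker() keyword arguments with PubliclyAccessible forced to False, and relaunch_private() runs the two calls (boto3 and configured credentials assumed). The Configurations.Current block and the user list in the sample are constructed, since the page elides the former and describe-broker never returns passwords.

```python
"""Build create-broker parameters for a private replacement of a public broker."""
import copy
from typing import Dict, List


def private_clone_params(desc: Dict, new_name: str, users: List[Dict]) -> Dict:
    """Map a describe-broker response onto boto3 create_broker() kwargs, private only."""
    if not users:  # passwords are never returned by describe-broker; caller supplies them
        raise ValueError("create-broker requires at least one user")
    current = desc["Configurations"]["Current"]  # {"Id": ..., "Revision": ...}
    params = {
        "BrokerName": new_name,
        "Configuration": {"Id": current["Id"], "Revision": current["Revision"]},
        "DeploymentMode": desc["DeploymentMode"],
        # describe-broker may report "ActiveMQ"; create-broker expects the enum ACTIVEMQ
        "EngineType": desc["EngineType"].upper(),
        "EngineVersion": desc["EngineVersion"],
        "HostInstanceType": desc["HostInstanceType"],
        "SecurityGroups": list(desc["SecurityGroups"]),
        "SubnetIds": list(desc["SubnetIds"]),
        "AutoMinorVersionUpgrade": desc.get("AutoMinorVersionUpgrade", False),
        "Users": copy.deepcopy(users),
        "PubliclyAccessible": False,  # the reason for the relaunch
    }
    if "MaintenanceWindowStartTime" in desc:
        params["MaintenanceWindowStartTime"] = dict(desc["MaintenanceWindowStartTime"])
    return params


def relaunch_private(broker_id: str, new_name: str, users: List[Dict], region: str) -> str:
    """describe-broker, then create-broker with the derived parameters; returns the new ID."""
    import boto3  # assumption: boto3 installed and credentials configured
    mq = boto3.client("mq", region_name=region)
    params = private_clone_params(mq.describe_broker(BrokerId=broker_id), new_name, users)
    return mq.create_broker(**params)["BrokerId"]


# Constructed sample: the page's describe-broker output plus a Configurations block
# (elided on the page) using the configuration ID from the create-broker example.
SAMPLE_DESC = {
    "MaintenanceWindowStartTime": {"DayOfWeek": "MONDAY", "TimeZone": "UTC", "TimeOfDay": "01:00"},
    "PubliclyAccessible": True, "EngineVersion": "5.15.0", "EngineType": "ActiveMQ",
    "DeploymentMode": "SINGLE_INSTANCE", "HostInstanceType": "mq.m4.large",
    "SubnetIds": ["subnet-ccccdddd"], "AutoMinorVersionUpgrade": True,
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc", "BrokerName": "cc-mq-broker",
    "SecurityGroups": ["sg-abcd1234"],
    "Configurations": {"Current": {"Id": "c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc", "Revision": 1}},
}
SAMPLE_USERS = [{"Username": "ccuser", "Password": "ccpassword", "ConsoleAccess": True}]
```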

Publication date Dec 22, 2017