MQ Deployment Mode
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your AWS MQ brokers are using the active/standby deployment mode for high availability. The MQ active/standby deployment mode includes two broker instances configured in a redundant pair. To implement this model, AWS MQ service creates a single broker instance in one Availability Zone (AZ) and another standby broker instance in a different AZ. The broker instances communicate with your web application, with each other, and with a shared AWS storage location.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
With the active/standby deployment mode enabled, as opposed to the single-broker mode (enabled by default), you can achieve high availability for your Amazon MQ brokers as the service provides automatic failover capability.
To determine the deployment mode for your AWS MQ brokers, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.
03 In the navigation panel, under Amazon MQ, click Brokers.
04 Choose the MQ broker that you want to examine and click on the broker name (link) to access its settings page.
05 On the MQ broker configuration page, within Specifications section, check Deployment Mode attribute value to determine the current deployment mode used by the selected broker. If the configuration attribute value is set to Single-instance broker, the active/standby deployment mode is not enabled for the selected AWS MQ broker, therefore the broker is not configured for high availability.
06 Repeat step no. 4 and 5 to verify the deployment mode for other AWS MQ brokers available within the current region.
07 Change the AWS region from the navigation bar to repeat the audit process for other regions.
01 Run list-brokers command (OSX/Linux/UNIX) using custom query filters to list the IDs of all existing MQ brokers available within your AWS account:
aws mq list-brokers --region us-east-1 --query 'BrokerSummaries[*].BrokerId'
02 The command output should return the requested MQ broker IDs:
[
"b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
"b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
]
03 Run describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to examine as identifier to determine the deployment mode used by the selected AWS MQ broker:
aws mq describe-broker --region us-east-1 --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc --query 'DeploymentMode'
04 The command output should return the name of the deployment mode currently in use:
"SINGLE_INSTANCE"
05 Repeat step no. 3 and 4 to verify the deployment mode for other AWS MQ brokers available within the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
To enable active/standby deployment mode for your existing Amazon MQ brokers, you must re-create them with the necessary high availability configuration. To relaunch the required MQ brokers, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.
03 In the navigation panel, under Amazon MQ, click Brokers.
04 Choose the MQ broker that you want to re-create and click on the broker name (link) to access its configuration page.
05 On the MQ broker settings page, perform the following:
06 Go back to the MQ brokers page and click Create broker to initiate the launch process.
07 On the Create a broker page, perform the following actions:
08 Once the new broker is created, you can replace the necessary endpoint(s) within your application(s).
09 Now it is safe to remove the source AWS MQ broker in order to stop incurring charges for it. To delete the single-instance broker, perform the following:
10 Repeat steps no. 4 – 9 to enable active/standby deployment mode for other AWS MQ brokers provisioned in the current region.
11 Change the AWS region from the navigation bar to repeat the entire process for other regions.
01 Run describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected (single-instance) broker:
aws mq describe-broker --region us-east-1 --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc
02 The command output should return the configuration details for the selected AWS MQ broker:
{
"MaintenanceWindowStartTime": {
"DayOfWeek": "MONDAY",
"TimeZone": "UTC",
"TimeOfDay": "01:00"
},
"PubliclyAccessible": true,
"EngineVersion": "5.15.0",
"EngineType": "ActiveMQ",
"DeploymentMode": "SINGLE_INSTANCE",
...
"HostInstanceType": "mq.m4.large",
"SubnetIds": [
"subnet-ddddeeee"
],
"AutoMinorVersionUpgrade": false,
"BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-prod-broker:b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
"BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
"BrokerName": "cc-prod-broker",
"SecurityGroups": [
"sg-abcd1234"
]
}
03 Run create-broker command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the selected AWS MQ broker in two different Availability Zones (AZs) by enabling the active/standby deployment mode with the --deployment-mode parameter value set to ACTIVE_STANDBY_MULTI_AZ:
aws mq create-broker --region us-east-1 --broker-name cc-ha-prod-broker --configuration Id="c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",Revision=1 --deployment-mode ACTIVE_STANDBY_MULTI_AZ --engine-type ACTIVEMQ --engine-version 5.15.0 --host-instance-type mq.m4.large --security-groups "sg-abcd1234" --subnet-ids "subnet-aaaabbbb" "subnet-ddddeeee" --users ConsoleAccess=true,Username="brokeruser",Password="brokerpasswd" --publicly-accessible --auto-minor-version-upgrade
04 The command output should return the new MQ broker identifiers (ID and ARN):
{
"BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-ha-prod-broker:b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd",
"BrokerId": "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
}
05 Once the new broker is created, you can replace the necessary endpoint(s) within your application(s).
06 Now it is safe to remove the source Amazon MQ broker in order to stop incurring charges for the resource. To terminate the single-instance broker run delete-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to delete as command parameter:
aws mq delete-broker --region us-east-1 --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc
07 The command output should return the ID of the MQ broker selected for deletion:
{
"BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"
}
08 Repeat steps no. 1 – 7 to enable active/standby deployment mode for other AWS MQ brokers provisioned in the current region.
09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the remediation/resolution process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat