|
MQ Log Exports
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Ensure that your Amazon MQ brokers have Log Exports feature enabled in order to publish your broker log events directly to AWS CloudWatch Logs. By publishing broker logs to AWS CloudWatch, you can have richer and more seamless interactions with your MQ broker logs using AWS services. The Log Exports feature supports the following log types:
General log – enables the default ActiveMQ INFO logging level and publishes activemq.log to an Amazon CloudWatch log group available in your account.
Audit log – enables logging of management actions taken using JMX or using the ActiveMQ Web Console and publishes audit.log to a CloudWatch log group in your AWS account.
Cloud Conformity strongly recommends that you select both general and audit logs for publishing to AWS CloudWatch Logs when enabling Log Exports feature.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Amazon MQ is integrated with AWS CloudWatch Logs, a service that monitors, stores and accesses your log files from a variety of sources within your AWS account. Once the Log Exports feature is enabled, Amazon MQ publish general and audit logs to AWS CloudWatch Logs, allowing you to maintain continuous visibility into your brokers activity and meet compliance requirements when it comes to auditing.
To determine if your AWS MQ brokers are using Log Exports feature to publish logs to Amazon CloudWatch Logs, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.
03 In the navigation panel, under Amazon MQ, click Brokers.
04 Choose the MQ broker that you want to examine and click on the broker name (link) to access its configuration page.
05 On the selected MQ broker settings page, under Details, within CloudWatch Logs section, check the configuration status available for both General and Audit logs. If their status is Disabled, the Log Exports feature is not enabled for the selected Amazon MQ broker, therefore the ActiveMQ general and audit logging data is not published to AWS CloudWatch Logs.
06 Repeat step no. 4 and 5 to verify the Log Exports feature status for other AWS MQ brokers available in the current region.
07 Change the AWS region from the navigation bar and repeat the process for other regions.
01 Run list-brokers command (OSX/Linux/UNIX) using custom query filters to list the IDs of all existing Amazon MQ brokers available in the selected region:
aws mq list-brokers --region us-east-1 --query 'BrokerSummaries[*].BrokerId'
02 The command output should return the requested MQ broker IDs:
[
"b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
"b-aaaabbbb-aaaa-bbbb-aaaa-aaaabbbbaabb"
]
03 Run describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to examine as identifier to expose the Log Exports feature status (i.e. General and Audit logs configuration) for the selected Amazon MQ broker:
aws mq describe-broker
--region us-east-1
--broker-id b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd
--query 'Logs.{General: General, Audit: Audit}'
04 The command output should return the requested logs configuration (true for enabled, false for disabled):
{
"Audit": false,
"General": false
}
05 Repeat step no. 3 and 4 for each Amazon MQ broker available within the selected region to determine the Log Exports feature status.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
To enable Log Exports feature for your existing Amazon MQ brokers, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.
03 In the navigation panel, under Amazon MQ, click Brokers.
04 Select the MQ broker that you want to reconfigure (see Audit section part I to identify the right MQ resource).
05 Click the Edit button from the dashboard top menu to access the broker configuration panel.
06 Within CloudWatch Logs section, select General and Audit checkboxes to enable log publishing to Amazon CloudWatch Logs. Note: To allow Amazon MQ to post general and audit logs to AWS CloudWatch Logs, you have to define a resource-based policy to give Amazon MQ access to "CreateLogStream" and "PutLogEvents" CloudWatch API actions, i.e.:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "mq.amazonaws.com"
},
"Action":[
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
}
]
}
07 Click Schedule modifications button to continue the configuration process.
08 On Schedule broker modifications page, perform one of the following actions based on your requirements:
09 Click Apply to save and apply your configuration changes.
10 Repeat steps no. 4 – 9 to enable Log Exports feature for other Amazon MQ brokers available in the current region.
11 Change the AWS region from the navigation bar and repeat the process for other regions.
01 To allow Amazon MQ to post general and audit logs to AWS CloudWatch Logs, you must define first a resource-based policy to give Amazon MQ access to "CreateLogStream" and "PutLogEvents" CloudWatch API actions. To create the required resource-based policy, run put-resource-policy command (OSX/Linux/UNIX) as follows:
aws logs put-resource-policy
--region us-east-1
--policy-name cc-amazon-mq-logs
--policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" }, "Action": [ "logs:PutLogEvents", "logs:CreateLogStream" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*" } ] }'
02 The command output should return the put-resource-policy command request metadata (including the newly created policy):
{
"resourcePolicy": {
"policyName": "cc-amazon-mq-logs",
"policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"mq.amazonaws.com\" }, \"Action\": [ \"logs:PutLogEvents\", \"logs:CreateLogStream\" ], \"Resource\": \"arn:aws:logs:*:*:log-group:/aws/amazonmq/*\" } ] }",
"lastUpdatedTime": 1548322140377
}
}
03 Run update-broker command (OSX/Linux/UNIX) to enable Log Exports feature (i.e. publishing broker logs to AWS CloudWatch) for the selected Amazon MQ broker (see Audit section part II to identify the right broker):
aws mq update-broker --region us-east-1 --broker-id b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd --logs Audit=true,General=true
04 The command output should return the command request metadata:
{
"BrokerId": "b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
"Logs": {
"Audit": true,
"General": true
}
}
05 (Optional) Run reboot-broker command (OSX/Linux/UNIX) if you want to apply the configuration changes immediately by rebooting the selected AWS MQ broker (the command does not produce an output):
aws mq reboot-broker --region us-east-1 --broker-id b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd
06 Repeat steps no. 3 – 5 to enable Log Exports feature for other Amazon MQ brokers available within the selected region.
07 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat