Logo of Trend Micro

MQ Log Exports

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: MQ-005

Ensure that your Amazon MQ brokers have Log Exports feature enabled in order to publish your broker log events directly to AWS CloudWatch Logs. By publishing broker logs to AWS CloudWatch, you can have richer and more seamless interactions with your MQ broker logs using AWS services. The Log Exports feature supports the following log types:

General log – enables the default ActiveMQ INFO logging level and publishes activemq.log to an Amazon CloudWatch log group available in your account.

Audit log – enables logging of management actions taken using JMX or using the ActiveMQ Web Console and publishes audit.log to a CloudWatch log group in your AWS account.

Cloud Conformity strongly recommends that you select both general and audit logs for publishing to AWS CloudWatch Logs when enabling Log Exports feature.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security
Reliability
Performance
efficiency
Operational
excellence

Amazon MQ is integrated with AWS CloudWatch Logs, a service that monitors, stores and accesses your log files from a variety of sources within your AWS account. Once the Log Exports feature is enabled, Amazon MQ publish general and audit logs to AWS CloudWatch Logs, allowing you to maintain continuous visibility into your brokers activity and meet compliance requirements when it comes to auditing.

Audit

To determine if your AWS MQ brokers are using Log Exports feature to publish logs to Amazon CloudWatch Logs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to examine and click on the broker name (link) to access its configuration page.

05 On the selected MQ broker settings page, under Details, within CloudWatch Logs section, check the configuration status available for both General and Audit logs. If their status is Disabled, the Log Exports feature is not enabled for the selected Amazon MQ broker, therefore the ActiveMQ general and audit logging data is not published to AWS CloudWatch Logs.

06 Repeat step no. 4 and 5 to verify the Log Exports feature status for other AWS MQ brokers available in the current region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run list-brokers command (OSX/Linux/UNIX) using custom query filters to list the IDs of all existing Amazon MQ brokers available in the selected region: 

aws mq list-brokers
	--region us-east-1
	--query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs: 

[
    "b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
    "b-aaaabbbb-aaaa-bbbb-aaaa-aaaabbbbaabb"
]

03 Run describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to examine as identifier to expose the Log Exports feature status (i.e. General and Audit logs configuration) for the selected Amazon MQ broker: 

aws mq describe-broker
	--region us-east-1
	--broker-id b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd
	--query 'Logs.{General: General, Audit: Audit}'

04 The command output should return the requested logs configuration (true for enabled, false for disabled): 

{
    "Audit": false,
    "General": false
}

If the describe-broker command output returns false for both Audit and General logs, as shown in the example above, the Log Exports feature is not enabled for the selected AWS MQ broker, therefore the ActiveMQ logging data is not published to Amazon CloudWatch Logs.

05 Repeat step no. 3 and 4 for each Amazon MQ broker available within the selected region to determine the Log Exports feature status.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Log Exports feature for your existing Amazon MQ brokers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Select the MQ broker that you want to reconfigure (see Audit section part I to identify the right MQ resource).

05 Click the Edit button from the dashboard top menu to access the broker configuration panel.

06 Within CloudWatch Logs section, select General and Audit checkboxes to enable log publishing to Amazon CloudWatch Logs. Note: To allow Amazon MQ to post general and audit logs to AWS CloudWatch Logs, you have to define a resource-based policy to give Amazon MQ access to "CreateLogStream" and "PutLogEvents" CloudWatch API actions, i.e.: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "mq.amazonaws.com"
      },
      "Action":[
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
    }
  ]
}

07 Click Schedule modifications button to continue the configuration process.

08 On Schedule broker modifications page, perform one of the following actions based on your requirements:

  1. Select After the next reboot to apply the changes automatically during the next scheduled maintenance window. You can also reboot your MQ broker manually.
  2. Select Immediately to apply the changes right away. Applying changes immediately reboots your MQ broker, hence all incoming and outgoing connections are severed.

09 Click Apply to save and apply your configuration changes.

10 Repeat steps no. 4 – 9 to enable Log Exports feature for other Amazon MQ brokers available in the current region.

11 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 To allow Amazon MQ to post general and audit logs to AWS CloudWatch Logs, you must define first a resource-based policy to give Amazon MQ access to "CreateLogStream" and "PutLogEvents" CloudWatch API actions. To create the required resource-based policy, run put-resource-policy command (OSX/Linux/UNIX) as follows: 

aws logs put-resource-policy
	--region us-east-1
	--policy-name cc-amazon-mq-logs
	--policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" }, "Action": [ "logs:PutLogEvents", "logs:CreateLogStream" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*" } ] }'

02 The command output should return the put-resource-policy command request metadata (including the newly created policy): 

{
    "resourcePolicy": {
        "policyName": "cc-amazon-mq-logs",
        "policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"mq.amazonaws.com\" }, \"Action\": [ \"logs:PutLogEvents\", \"logs:CreateLogStream\" ], \"Resource\": \"arn:aws:logs:*:*:log-group:/aws/amazonmq/*\" } ] }",
        "lastUpdatedTime": 1548322140377
    }
}

03 Run update-broker command (OSX/Linux/UNIX) to enable Log Exports feature (i.e. publishing broker logs to AWS CloudWatch) for the selected Amazon MQ broker (see Audit section part II to identify the right broker): 

aws mq update-broker
	--region us-east-1
	--broker-id b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd
	--logs Audit=true,General=true

04 The command output should return the command request metadata: 

{
    "BrokerId": "b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd",
    "Logs": {
        "Audit": true,
        "General": true
    }
}

05 (Optional) Run reboot-broker command (OSX/Linux/UNIX) if you want to apply the configuration changes immediately by rebooting the selected AWS MQ broker (the command does not produce an output): 

aws mq reboot-broker
	--region us-east-1
	--broker-id b-abcdabcd-abcd-abcd-abcd-abcdabcdabcd

06 Repeat steps no. 3 – 5 to enable Log Exports feature for other Amazon MQ brokers available within the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Jan 27, 2019

Related MQ rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

MQ Log Exports

Risk level: Low