Ensure that the Amazon MQ brokers provisioned in your AWS account are not publicly accessible from the Internet, in order to avoid exposing sensitive data and to minimize security risks. The level of access your MQ brokers need depends on their use case; for most use cases, Cloud Conformity recommends that MQ brokers be reachable only privately, from within your AWS Virtual Private Cloud (VPC).
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Public Amazon MQ brokers can be accessed directly from outside a Virtual Private Cloud (VPC), so any machine on the Internet can reach your brokers through their public endpoints; this increases the opportunity for malicious activity such as cross-site scripting (XSS) and clickjacking attacks.
To determine if your Amazon MQ brokers are publicly accessible, perform the following actions:
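The check comes down to one broker attribute, PubliclyAccessible, which is returned by the Amazon MQ DescribeBroker API (the same field the console shows). The script below is an added example, not Cloud Conformity's own tooling: it classifies DescribeBroker responses and reports which brokers are public, private, or lack the flag entirely. The SAMPLE_BROKERS list is constructed sample data in the DescribeBroker response shape; describe_all_brokers assumes a boto3 "mq" client and is only needed when auditing a live account.

```python
"""Classify Amazon MQ brokers by public accessibility (added example)."""
from typing import Dict, Iterable, List

# Constructed DescribeBroker-style responses (sample data, not real AWS output).
SAMPLE_BROKERS: List[Dict] = [
    {"BrokerId": "b-1111", "BrokerName": "orders-broker", "PubliclyAccessible": True},
    {"BrokerId": "b-2222", "BrokerName": "billing-broker", "PubliclyAccessible": False},
    {"BrokerId": "b-3333", "BrokerName": "legacy-broker"},  # flag missing from the response
]


def classify_broker(broker: Dict) -> str:
    """Return "PUBLIC", "PRIVATE" or "UNKNOWN" for one DescribeBroker response.

    PubliclyAccessible decides whether the broker's endpoints are reachable
    from outside the VPC. An absent value is reported as UNKNOWN rather than
    silently treated as compliant.
    """
    flag = broker.get("PubliclyAccessible")
    if flag is None:
        return "UNKNOWN"
    return "PUBLIC" if flag else "PRIVATE"


def audit_brokers(brokers: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group broker IDs by classification so non-compliant brokers stand out."""
    report: Dict[str, List[str]] = {"PUBLIC": [], "PRIVATE": [], "UNKNOWN": []}
    for broker in brokers:
        report[classify_broker(broker)].append(broker["BrokerId"])
    return report


def describe_all_brokers(mq_client) -> List[Dict]:
    """Fetch a DescribeBroker response for every broker in the client's region.

    mq_client is assumed to be a boto3 "mq" client. ListBrokers is paginated,
    so the paginator is used instead of a single call.
    """
    descriptions = []
    for page in mq_client.get_paginator("list_brokers").paginate():
        for summary in page.get("BrokerSummaries", []):
            descriptions.append(mq_client.describe_broker(BrokerId=summary["BrokerId"]))
    return descriptions


if __name__ == "__main__":
    # Offline run on the constructed sample. To audit a real account, pass
    # describe_all_brokers(boto3.client("mq")) instead (boto3 and credentials required).
    for status, ids in audit_brokers(SAMPLE_BROKERS).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Any broker listed under PUBLIC fails this rule; brokers listed under UNKNOWN should be re-checked rather than assumed compliant, since the flag is always present in a complete DescribeBroker response.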
To disable public accessibility for your existing Amazon MQ brokers, you must re-create them with the necessary configuration so that the brokers' endpoints are reachable only from within your VPC. To relaunch the required MQ brokers, perform the following:
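Because PubliclyAccessible cannot be changed on a running broker, remediation means issuing a new CreateBroker call that carries over the engine, version, instance type, deployment mode and configuration revision of the public broker while setting PubliclyAccessible to false and binding the broker to your VPC subnets and security groups. The helper below is an added example, not Cloud Conformity's own remediation code: it builds that request from a DescribeBroker response. PUBLIC_BROKER is constructed sample data; the subnet and security-group IDs, the user credentials and the boto3 "mq" client used by recreate_privately are assumptions to be replaced with your own values.

```python
"""Build a CreateBroker request that re-creates a public broker privately (added example)."""
from typing import Dict, Iterable, List

# Constructed DescribeBroker-style response for the broker being replaced
# (sample data, not real AWS output).
PUBLIC_BROKER: Dict = {
    "BrokerId": "b-1111",
    "BrokerName": "orders-broker",
    "EngineType": "ACTIVEMQ",
    "EngineVersion": "5.15.0",
    "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
    "HostInstanceType": "mq.m5.large",
    "PubliclyAccessible": True,
    "AutoMinorVersionUpgrade": True,
    "Users": [{"Username": "app-user"}],  # DescribeBroker never returns passwords
    "Configurations": {"Current": {"Id": "c-0000", "Revision": 3}},
}

# Subnet count CreateBroker expects per ActiveMQ deployment mode.
SUBNETS_REQUIRED = {"SINGLE_INSTANCE": 1, "ACTIVE_STANDBY_MULTI_AZ": 2}


def build_private_broker_request(existing: Dict, new_name: str, subnet_ids: Iterable[str],
                                 security_groups: Iterable[str], users: List[Dict]) -> Dict:
    """Return the keyword arguments for a private CreateBroker call.

    Engine settings are copied from the existing broker; network placement and
    user credentials must be supplied because a private broker needs VPC
    subnets and security groups, and DescribeBroker omits passwords.
    """
    subnets = list(subnet_ids)
    groups = list(security_groups)
    mode = existing["DeploymentMode"]
    expected = SUBNETS_REQUIRED.get(mode)
    if expected is not None and len(subnets) != expected:
        raise ValueError(f"{mode} brokers need exactly {expected} subnet(s), got {len(subnets)}")
    if not groups:
        raise ValueError("at least one security group is needed to scope access inside the VPC")
    if not users:
        raise ValueError("user credentials must be supplied; DescribeBroker does not return them")

    request = {
        "BrokerName": new_name,
        "EngineType": existing["EngineType"],
        "EngineVersion": existing["EngineVersion"],
        "DeploymentMode": mode,
        "HostInstanceType": existing["HostInstanceType"],
        "AutoMinorVersionUpgrade": existing.get("AutoMinorVersionUpgrade", True),
        "PubliclyAccessible": False,  # the setting this rule is about
        "SubnetIds": subnets,
        "SecurityGroups": groups,
        "Users": users,
    }
    # Reuse the broker's current configuration revision so behaviour is unchanged.
    current = existing.get("Configurations", {}).get("Current")
    if current:
        request["Configuration"] = {"Id": current["Id"], "Revision": current["Revision"]}
    return request


def recreate_privately(mq_client, existing: Dict, **kwargs) -> Dict:
    """Submit the request with a boto3 "mq" client; returns the CreateBroker response."""
    return mq_client.create_broker(**build_private_broker_request(existing, **kwargs))
```

After the new broker reaches the RUNNING state, point your producers and consumers at its VPC-only endpoints, verify with DescribeBroker that PubliclyAccessible is false, and only then delete the public broker.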