Profile Applicability:
- Level 2
Description:
Amazon MQ brokers provide managed message broker services for applications that rely on message queuing systems like Apache ActiveMQ and RabbitMQ. Auto minor version upgrades ensure that your MQ broker is automatically upgraded to the latest minor version that includes bug fixes, improvements, and security patches without requiring manual intervention. Enabling auto minor version upgrades is essential for ensuring that the broker runs the latest stable and secure version.
Rationale:
Enabling auto minor version upgrades for Amazon MQ brokers ensures that your messaging service remains up to date with the latest bug fixes, security patches, and minor feature enhancements. This reduces the operational burden of manually upgrading the broker and helps maintain security, stability, and performance.
Impact:
Pros:
Automatically keeps the MQ broker up to date with the latest minor version, improving security and functionality.
Reduces operational overhead by eliminating the need for manual upgrades.
Helps comply with security best practices by ensuring the latest security patches are applied.
Cons:
Auto upgrades may cause temporary downtime as the broker is upgraded.
Upgrades could introduce unforeseen changes or compatibility issues, although these are typically minimal with minor version changes.
Default Value:
By default, Amazon MQ brokers do not have auto minor version upgrades enabled. It must be manually configured when creating or modifying the broker.
Pre-requisites:
AWS IAM permissions:
mq:ListBrokers
mq:DescribeBroker
mq:UpdateBroker
Access to Amazon MQ and permissions to modify broker configurations.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon MQ and select Brokers from the left-hand menu.
Select the MQ broker you want to check.
Under the Configuration section, check if Auto Minor Version Upgrade is enabled.
If not enabled, click Edit and select the option to enable Auto Minor Version Upgrade.
Save the changes to enable auto minor version upgrades.
Using AWS CLI:
List all Amazon MQ brokers:
aws mq list-brokers --query "BrokerSummaries[*].[BrokerName,BrokerId]" --output table
For each broker, check if Auto Minor Version Upgrade is enabled:
aws mq describe-broker --broker-id <BROKER_ID> --query "AutoMinorVersionUpgrade"
If auto minor version upgrades are not enabled, modify the broker configuration to enable it:
aws mq update-broker --broker-id <BROKER_ID> --auto-minor-version-upgrade
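The three CLI steps above can be combined into one audit that lists every broker in the current region, reads its AutoMinorVersionUpgrade flag and prints a PASS/FAIL line per broker. The script below is an added example, not part of this benchmark or of any AWS tooling; it assumes AWS CLI v2 is installed and that the caller holds mq:ListBrokers and mq:DescribeBroker. The text output of the AWS CLI renders booleans as True/False, so both spellings are accepted.

```shell
#!/bin/sh
# Added example (not AWS or CIS code): audit Amazon MQ brokers for auto minor version upgrades.
# Assumes: AWS CLI v2 on PATH, credentials for the target account/region,
#          mq:ListBrokers and mq:DescribeBroker permissions.
set -eu

# classify_broker NAME VALUE
#   Prints one verdict line; returns 0 when the flag is true, 1 otherwise.
#   VALUE is whatever `--query AutoMinorVersionUpgrade --output text` returned.
classify_broker() {
  name="$1"
  value="$2"
  case "$value" in
    true|True)
      printf 'PASS  %s  AutoMinorVersionUpgrade=true\n' "$name"
      return 0 ;;
    *)
      printf 'FAIL  %s  AutoMinorVersionUpgrade=%s\n' "$name" "${value:-unset}"
      return 1 ;;
  esac
}

# audit_brokers
#   Enumerates brokers with list-brokers, checks each with describe-broker,
#   and returns 1 if any broker is non-compliant (suitable for a CI gate).
audit_brokers() {
  failures=0
  brokers=$(aws mq list-brokers \
              --query 'BrokerSummaries[*].[BrokerId,BrokerName]' \
              --output text)
  # A here-document keeps the loop in the current shell so $failures survives.
  while read -r id name; do
    [ -n "$id" ] || continue
    flag=$(aws mq describe-broker --broker-id "$id" \
             --query 'AutoMinorVersionUpgrade' --output text)
    classify_broker "$name" "$flag" || failures=$((failures + 1))
  done <<EOF
$brokers
EOF
  [ "$failures" -eq 0 ]
}

# Run the live audit only when invoked with --run, so the functions can be
# sourced and unit-tested without touching AWS.
if [ "${1:-}" = "--run" ]; then
  audit_brokers
fi
```

Run it as `sh audit_mq.sh --run`; a non-zero exit status means at least one broker still needs `aws mq update-broker --broker-id <BROKER_ID> --auto-minor-version-upgrade`.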
Implementation Plan:
Using AWS Console:
Open the Amazon MQ Console and select Brokers from the navigation pane.
Click on the desired broker to edit its settings.
Under the Broker Configuration section, check the Auto Minor Version Upgrade checkbox.
Save the changes to enable the automatic minor version upgrades.
Monitor the broker to ensure the auto upgrades are functioning as expected.
Using AWS CLI:
To enable auto minor version upgrades, run the following command:
aws mq update-broker --broker-id <BROKER_ID> --auto-minor-version-upgrade
Verify the configuration by describing the broker:
aws mq describe-broker --broker-id <BROKER_ID> --query "AutoMinorVersionUpgrade"
Backout Plan:
Using AWS Console:
If auto minor version upgrades cause issues, sign in to the AWS Management Console.
Navigate to Amazon MQ and select the Broker.
Click Modify and disable Auto Minor Version Upgrades.
Save the changes and monitor the broker to ensure it continues to function as expected without automatic upgrades.
Using AWS CLI:
To disable auto minor version upgrades, run:
aws mq update-broker --broker-id <BROKER_ID> --no-auto-minor-version-upgrade
Verify that the auto minor version upgrades are now disabled:
aws mq describe-broker --broker-id <BROKER_ID> --query "AutoMinorVersionUpgrade"
Reference:
CIS Controls: