Profile Applicability:

  • Level 2

Description:
Apache ActiveMQ is a popular open-source messaging broker. Active/standby mode refers to a deployment configuration where one ActiveMQ broker is actively processing messages, and a standby broker is ready to take over in case of a failure. This configuration ensures high availability and fault tolerance for the messaging system, minimizing downtime and service disruption. It is important to ensure that ActiveMQ brokers are configured in active/standby mode to provide continuous messaging services and protect against broker failure.

Rationale:
Configuring ActiveMQ brokers in active/standby mode ensures that there is no single point of failure in the messaging system. If the active broker fails, the standby broker automatically takes over without interrupting message delivery. This configuration provides high availability and ensures that the messaging service remains operational even during system failures. Active/standby mode is crucial for mission-critical applications that rely on continuous message processing.

Impact:
Pros:

  • Provides high availability for the messaging system by ensuring automatic failover.

  • Ensures continuous message delivery even if the primary broker fails.

  • Reduces downtime and service disruptions by allowing the standby broker to take over seamlessly.

  • Enhances fault tolerance and improves overall system reliability.

Cons:

  • Requires additional resources to maintain the standby broker.

  • May introduce slight overhead due to the replication of messages and state between the active and standby brokers.

  • Increased complexity in the setup and management of the ActiveMQ brokers.

Default Value:
By default, Apache ActiveMQ brokers are not configured in active/standby mode. You need to explicitly configure the brokers to ensure high availability using Master/Slave or Shared Store configurations.

Pre-requisites:

  • AWS IAM permissions to manage Amazon MQ and Apache ActiveMQ configurations:
     mq:DescribeBroker
     mq:UpdateBroker

  • Access to Apache ActiveMQ broker configurations for enabling active/standby mode.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon MQ.

  3. In the left-hand menu, select Brokers.

  4. Choose the Apache ActiveMQ broker you want to configure.

  5. Check the Deployment mode to verify if the broker is in active/standby mode. For ActiveMQ, this is often labeled as Master/Slave configuration in the settings.

  6. If the broker is not in active/standby mode, click Modify and enable Master/Slave or Shared Store configuration.

  7. Save the changes and verify that the broker is now configured for active/standby mode.

Using AWS CLI:

  1. List all Apache ActiveMQ brokers:

    aws mq list-brokers

  2. For each broker, check the Deployment Mode:

    aws mq describe-broker --broker-id <BROKER_ID>

  3. In the output, check the DeploymentMode field. If it is set to SINGLE_INSTANCE, the broker is not in active/standby mode.

  4. To update the broker to active/standby mode (Master/Slave), run:

    aws mq update-broker --broker-id <BROKER_ID> --deployment-mode CLUSTER

  5. Verify that the broker is now in active/standby mode:

    aws mq describe-broker --broker-id <BROKER_ID>
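
The DeploymentMode check from steps 1 to 3, applied to every broker in one pass. This is an added example, not part of the original benchmark text: it reads the JSON printed by `aws mq list-brokers --output json` and flags ActiveMQ brokers whose DeploymentMode is not ACTIVE_STANDBY_MULTI_AZ. The broker IDs and names in SAMPLE are constructed, and the function names `audit` and `failing_ids` are chosen here for illustration.

```python
import json
import sys

# Mode that satisfies this control for ActiveMQ; SINGLE_INSTANCE does not.
REQUIRED_MODE = "ACTIVE_STANDBY_MULTI_AZ"

# Constructed sample in the shape of `aws mq list-brokers --output json`.
SAMPLE = json.dumps({"BrokerSummaries": [
    {"BrokerId": "b-example-1", "BrokerName": "orders",
     "EngineType": "ActiveMQ", "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ"},
    {"BrokerId": "b-example-2", "BrokerName": "billing",
     "EngineType": "ACTIVEMQ", "DeploymentMode": "SINGLE_INSTANCE"},
    {"BrokerId": "b-example-3", "BrokerName": "events",
     "EngineType": "RabbitMQ", "DeploymentMode": "SINGLE_INSTANCE"},
    {"BrokerId": "b-example-4", "BrokerName": "legacy",
     "EngineType": "ActiveMQ"},
]})


def audit(list_brokers_json):
    """Return one finding per ActiveMQ broker; PASS only in active/standby."""
    findings = []
    for b in json.loads(list_brokers_json).get("BrokerSummaries", []):
        # Compare case-insensitively so "ActiveMQ" and "ACTIVEMQ" both match.
        if str(b.get("EngineType", "")).upper() != "ACTIVEMQ":
            continue  # this control covers ActiveMQ brokers only
        mode = b.get("DeploymentMode")  # a missing field counts as a failure
        findings.append({
            "id": b.get("BrokerId"),
            "name": b.get("BrokerName"),
            "mode": mode,
            "status": "PASS" if mode == REQUIRED_MODE else "FAIL",
        })
    return findings


def failing_ids(findings):
    """Broker IDs that need remediation."""
    return [f["id"] for f in findings if f["status"] == "FAIL"]


if __name__ == "__main__":
    # Pipe real CLI output in; with nothing piped, the constructed sample is used.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    results = audit(piped.strip() or SAMPLE)
    for f in results:
        print(f"{f['status']}  {f['id']}  {f['name']}  {f['mode']}")
    sys.exit(1 if failing_ids(results) else 0)
```

The script exits non-zero when any ActiveMQ broker fails the check, so it can gate a scheduled compliance job.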

Implementation Plan:

Using AWS Console:

  1. Open the Amazon MQ Console and navigate to Brokers.

  2. Select the Apache ActiveMQ broker to modify.

  3. Under the Deployment Mode, select Master/Slave or Shared Store configuration for high availability.

  4. Save the changes and ensure that the broker is now in active/standby mode.

Using AWS CLI:

  1. To configure the broker to active/standby mode (Master/Slave), run the following command:

    aws mq update-broker --broker-id <BROKER_ID> --deployment-mode CLUSTER

  2. Verify that the configuration is applied:

    aws mq describe-broker --broker-id <BROKER_ID>

Backout Plan:

Using AWS Console:

  1. If active/standby configuration causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon MQ and select the Apache ActiveMQ broker.

  3. Click Modify and change the Deployment Mode to Single Instance to revert to a non-clustered configuration.

  4. Save the changes and monitor the broker to ensure it continues to function correctly.

Using AWS CLI:

  1. To revert the broker to a Single Instance mode, run:

    aws mq update-broker --broker-id <BROKER_ID> --deployment-mode SINGLE_INSTANCE

  2. Verify the changes:

    aws mq describe-broker --broker-id <BROKER_ID>

Reference:

CIS Controls:

Version | Control ID | Control Description
7.1     | 3.1        | Ensure that Apache ActiveMQ brokers are configured in active/standby mode to provide high availability and fault tolerance.
7.1     | 8.1        | Enable Master/Slave or Shared Store configuration for Apache ActiveMQ brokers to ensure continuous availability during failures.