Profile Applicability:
- Level 2
Description:
Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ. A broker can be configured to be publicly accessible, meaning its endpoints are reachable over the public internet. MQ brokers should not be publicly accessible, so that the broker is not exposed to unauthorized access and data breaches. Configuring brokers as private ensures that they are reachable only from within a trusted network or VPC.
Rationale:
Allowing public access to MQ brokers exposes sensitive data and messaging operations to the public internet, increasing the risk of attacks. With public access disabled, the broker is reachable only through the VPC, so only authorized users and applications on that network can connect to it. This setup mitigates the risk of unauthorized access and data leakage and improves the security posture of the messaging system.
Impact:
Pros:
Prevents unauthorized access to MQ brokers, reducing the attack surface.
Enhances security by isolating the broker within a VPC, restricting access to trusted users and services.
Helps meet security standards and compliance regulations that require the use of private networks.
Reduces the potential for data breaches or other malicious activities.
Cons:
Requires proper VPC configuration and management.
Potentially introduces the need for VPN or VPC peering to allow access to the broker from external sources.
Default Value:
By default, Amazon MQ brokers can be publicly accessible. However, this can be disabled during broker setup or later by modifying the broker settings.
Pre-requisites:
AWS IAM permissions to manage MQ brokers and VPC configurations:
mq:DescribeBroker
mq:ModifyBroker
Access to VPC and security group settings for controlling access to the broker.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon MQ.
In the left-hand menu, select Brokers.
Select the MQ broker you want to review.
Under the Broker details section, check the Publicly Accessible field.
If set to Yes, the broker is publicly accessible.
If set to No, the broker is not publicly accessible.
If Publicly Accessible is set to Yes, click Modify, change the Publicly Accessible setting to No, and save the changes.
Verify that the broker is now not publicly accessible.
Using AWS CLI:
List all MQ brokers:
aws mq list-brokers
For each broker, check the Publicly Accessible setting:
aws mq describe-broker --broker-id <BROKER_ID>
In the output, check the PubliclyAccessible field. If it is set to true, the broker is publicly accessible.
To disable public access, update the broker:
aws mq update-broker --broker-id <BROKER_ID> --publicly-accessible false
Verify that the broker is now configured with public access disabled:
aws mq describe-broker --broker-id <BROKER_ID>
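The CLI check above, automated as an added example (not part of this benchmark): it parses describe-broker JSON documents, flags every broker whose PubliclyAccessible field is true, and, when run with credentials, can pull live data through boto3. The broker identifiers, names, security groups and subnets in the sample documents are constructed placeholders.

```python
"""Audit Amazon MQ brokers for public accessibility by parsing the JSON that
`aws mq describe-broker` returns (one document per broker). The two sample
documents below are constructed for this example, not real broker output."""
import json

# Constructed sample, trimmed to the fields the check uses.
SAMPLE_DESCRIBE_OUTPUTS = [
    json.dumps({"BrokerId": "b-1111aaaa-example", "BrokerName": "orders-broker",
                "EngineType": "ACTIVEMQ", "PubliclyAccessible": True,
                "SecurityGroups": ["sg-0123example"],
                "SubnetIds": ["subnet-0aaaexample"]}),
    json.dumps({"BrokerId": "b-2222bbbb-example", "BrokerName": "billing-broker",
                "EngineType": "RABBITMQ", "PubliclyAccessible": False,
                "SecurityGroups": ["sg-0456example"],
                "SubnetIds": ["subnet-0bbbexample", "subnet-0cccexample"]}),
]

def evaluate_broker(describe_output):
    """Return (BrokerId, BrokerName, 'FAIL' or 'PASS') for one describe-broker
    document; FAIL means the broker endpoints are reachable from the internet."""
    broker = (json.loads(describe_output) if isinstance(describe_output, str)
              else describe_output)
    public = bool(broker.get("PubliclyAccessible", False))
    return broker["BrokerId"], broker.get("BrokerName", ""), "FAIL" if public else "PASS"

def find_public_brokers(describe_outputs):
    """Return the BrokerIds of every broker that fails the check."""
    return [bid for bid, _name, status in map(evaluate_broker, describe_outputs)
            if status == "FAIL"]

def audit_live_account(region_name=None):
    """Fetch every broker with boto3 and audit it. Needs AWS credentials plus the
    mq:ListBrokers and mq:DescribeBroker permissions; never called offline."""
    import boto3  # imported lazily so the sample path above needs no boto3
    mq = boto3.client("mq", region_name=region_name)
    outputs = []
    for page in mq.get_paginator("list_brokers").paginate():
        for summary in page.get("BrokerSummaries", []):
            outputs.append(mq.describe_broker(BrokerId=summary["BrokerId"]))
    return find_public_brokers(outputs)

if __name__ == "__main__":
    for out in SAMPLE_DESCRIBE_OUTPUTS:
        print("%-22s %-16s %s" % evaluate_broker(out))
```

Any BrokerId returned by find_public_brokers is a finding for this recommendation; an empty list means every broker in the account passes.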
Implementation Plan:
Using AWS Console:
Open the Amazon MQ Console and navigate to Brokers.
Select the MQ broker that you want to modify.
In the Broker details section, change the Publicly Accessible setting to No.
Save the changes and ensure that the broker is no longer publicly accessible.
Using AWS CLI:
To update the broker and disable public access, run the following command:
aws mq update-broker --broker-id <BROKER_ID> --publicly-accessible false
Verify the change:
aws mq describe-broker --broker-id <BROKER_ID>
Backout Plan:
Using AWS Console:
If disabling public access causes issues, sign in to the AWS Management Console.
Navigate to Amazon MQ and select the MQ broker to modify.
Click Modify and change the Publicly Accessible setting back to Yes.
Save the changes and verify that the broker is now publicly accessible.
Using AWS CLI:
To re-enable public access for the broker, run:
aws mq update-broker --broker-id <BROKER_ID> --publicly-accessible true
Verify the change:
aws mq describe-broker --broker-id <BROKER_ID>
Reference:
CIS Controls: