Profile Applicability:

  • Level 2

Description:
Amazon MQ supports streaming audit logs to Amazon CloudWatch Logs to monitor the activity of message brokers. Audit logs contain valuable information about broker operations, such as access attempts, configuration changes, and security-related events. Enabling the streaming of these logs to CloudWatch allows you to easily monitor, store, and analyze log data, ensuring that potential security threats, system anomalies, or unauthorized actions are detected promptly.

Rationale:
Streaming audit logs to CloudWatch provides real-time visibility into the operations of your MQ brokers. This enhances the security of the messaging system by enabling centralized log management, anomaly detection, and troubleshooting. CloudWatch Logs also integrates with other AWS services such as AWS Lambda and Amazon SNS, allowing for automated responses and alerting for suspicious activities, thereby improving the overall security posture of your MQ brokers.

Impact:
Pros:

  • Enables real-time monitoring of MQ broker activities through CloudWatch.

  • Enhances security by logging and analyzing system events.

  • Provides a centralized log management solution for easier troubleshooting and auditing.

  • Helps meet compliance requirements for logging and security event tracking.

  • Supports integration with AWS services like Lambda and SNS for automated responses and alerts.

Cons:

  • Can result in additional costs for CloudWatch Log storage, especially if the logs accumulate over time.

  • Requires proper log management to ensure that logs are reviewed and not lost.

  • Might introduce slight overhead for log processing depending on the volume of events.

Default Value:
By default, MQ brokers do not stream audit logs to CloudWatch. This needs to be manually configured for each broker.

Pre-requisites:

  • AWS IAM permissions to manage CloudWatch Logs and MQ brokers:
     mq:DescribeBroker
     mq:UpdateBroker
     logs:CreateLogGroup
     logs:CreateLogStream
     logs:PutLogEvents

  • Access to Amazon MQ and CloudWatch to configure log streaming.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon MQ.

  3. In the left-hand menu, select Brokers.

  4. Choose the MQ broker you want to review.

  5. In the Broker details section, check if Audit Logs are streaming to CloudWatch under the Log settings section.

  6. If logs are not configured to stream to CloudWatch, click Modify and enable the Audit Logs setting.

  7. Save the changes, and ensure that logs are now being streamed to CloudWatch Logs.

Using AWS CLI:

  1. List all MQ brokers:

    aws mq list-brokers

  2. For each broker, check if CloudWatch Logs are configured:

    aws mq describe-broker --broker-id <BROKER_ID>

  3. In the output, check the Logs object: Audit must be true, and AuditLogGroup shows the CloudWatch Logs group the broker streams to.

  4. To enable the streaming of audit logs to CloudWatch, update the broker:

    aws mq update-broker --broker-id <BROKER_ID> --logs Audit=true,General=true

  5. Verify that audit logs are being streamed to CloudWatch:

    aws mq describe-broker --broker-id <BROKER_ID>
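The CLI check above can be scripted across an account. The following is an added example, not part of the benchmark text: it evaluates describe-broker JSON (the Logs.Audit field), builds the update-broker remediation for failing ActiveMQ brokers, and treats RabbitMQ brokers, which have no audit log, as not applicable. The broker ids, names and sample outputs are constructed; only describe_all_brokers() talks to AWS.

```python
"""Offline check for this control: evaluate `aws mq describe-broker` output
and flag ActiveMQ brokers whose audit logs are not streamed to CloudWatch."""
import json
import subprocess


def evaluate_broker(broker: dict) -> dict:
    """Return a finding for one describe-broker result.

    Logs.Audit is the switch for audit-log streaming. RabbitMQ brokers have
    no audit log, so they are reported as not applicable, not as failures."""
    logs = broker.get("Logs") or {}
    finding = {"BrokerId": broker.get("BrokerId"),
               "BrokerName": broker.get("BrokerName"),
               "EngineType": broker.get("EngineType")}
    if (broker.get("EngineType") or "").upper() != "ACTIVEMQ":
        finding["Status"] = "NOT_APPLICABLE"
    elif logs.get("Audit") is True:
        finding["Status"] = "PASS"
        finding["AuditLogGroup"] = logs.get("AuditLogGroup")
    else:
        finding["Status"] = "FAIL"
        # Remediation for this broker; the new log setting is applied at the
        # next reboot / maintenance window and shows under Logs.Pending until
        # then. General=true keeps the general log switched on as well.
        finding["Remediation"] = (f"aws mq update-broker --broker-id "
                                  f"{broker['BrokerId']} --logs Audit=true,General=true")
    return finding


def evaluate_all(brokers: list) -> list:
    return [evaluate_broker(b) for b in brokers]


def describe_all_brokers() -> list:
    """Live collection through the AWS CLI (needs mq:ListBrokers and
    mq:DescribeBroker); not used by the offline sample below."""
    def cli(*args):
        return json.loads(subprocess.check_output(["aws", "mq", *args, "--output", "json"]))
    return [cli("describe-broker", "--broker-id", s["BrokerId"])
            for s in cli("list-brokers").get("BrokerSummaries", [])]


# Constructed sample describe-broker outputs; ids and names are placeholders.
SAMPLE_BROKERS = [
    {"BrokerId": "b-0000-ok", "BrokerName": "orders", "EngineType": "ACTIVEMQ",
     "Logs": {"Audit": True, "General": True,
              "AuditLogGroup": "/aws/amazonmq/broker/b-0000-ok/audit"}},
    {"BrokerId": "b-0000-bad", "BrokerName": "billing", "EngineType": "ACTIVEMQ",
     "Logs": {"Audit": False, "General": True}},
    {"BrokerId": "b-0000-rmq", "BrokerName": "events", "EngineType": "RABBITMQ",
     "Logs": {"General": True}},
]
```

Run evaluate_all(SAMPLE_BROKERS) for the offline demonstration, or evaluate_all(describe_all_brokers()) against a real account with the permissions listed under Pre-requisites.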

Implementation Plan:

Using AWS Console:

  1. Open the Amazon MQ Console and navigate to Brokers.

  2. Select the MQ broker you want to configure.

  3. In the Log settings section, enable Audit Logs and select the CloudWatch Log Group for storing logs.

  4. Save the changes and ensure that audit logs are now streaming to CloudWatch.

Using AWS CLI:

  1. To enable CloudWatch Logs for audit logging on an MQ broker, run:

    aws mq update-broker --broker-id <BROKER_ID> --logs Audit=true,General=true

  2. Verify that audit logs are now being streamed to CloudWatch:

    aws mq describe-broker --broker-id <BROKER_ID>

Backout Plan:

Using AWS Console:

  1. If streaming audit logs to CloudWatch causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon MQ and select the MQ broker to modify.

  3. Click Modify and disable the Audit Logs setting or modify the CloudWatch Log Group to a different configuration.

  4. Save the changes and monitor the broker to ensure it functions correctly without streaming audit logs.

Using AWS CLI:

  1. To disable audit logs streaming to CloudWatch, run:

    aws mq update-broker --broker-id <BROKER_ID> --logs Audit=false,General=true

  2. Verify that the broker no longer streams logs to CloudWatch:

    aws mq describe-broker --broker-id <BROKER_ID>

Reference:

CIS Controls:

  Version   Control ID   Control Description
  7.1       3.1          Ensure that MQ brokers stream audit logs to CloudWatch Logs for monitoring and analysis of broker activities.
  7.1       8.1          Enable CloudWatch Logs for MQ brokers to ensure that audit data is securely stored and can be reviewed for security events.