Severity: HIGH
Source: Trivy
ID: AVD-AWS-0072

Ensure MQ Broker is not publicly exposed

Public access to the MQ broker should be disabled. With PubliclyAccessible set to false the broker's endpoints receive private addresses in the VPC subnets it is deployed into, so only clients that can route to those subnets, and that the broker's security groups admit, can reach it. Limit routes and security group rules to the applications that actually need the broker.

Impact

A publicly accessible MQ broker exposes its messaging protocol endpoints and web console to the internet, so credential guessing or a weakness in the broker itself is all that stands between an attacker and the broker and the messages it carries.

Follow the appropriate remediation steps below to resolve the issue. Note that PubliclyAccessible cannot be changed on an existing broker: CloudFormation replaces the resource and the Terraform AWS provider forces a new one, so fixing a deployed broker means planning a migration of its queues and clients.

Disable public access when not required

---
AWSTemplateFormatVersion: "2010-09-09"
Description: Good example
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      # Endpoints get private VPC addresses instead of public ones.
      # Other required broker properties (engine, instance type, users) are omitted here.
      PubliclyAccessible: false

Disable public access when not required

resource "aws_mq_broker" "good_example" {
  broker_name = "example"

  configuration {
    id       = aws_mq_configuration.test.id
    revision = aws_mq_configuration.test.latest_revision
  }

  engine_type        = "ActiveMQ"
  engine_version     = "5.15.0"
  host_instance_type = "mq.t2.micro"

  # With the broker private, these security groups and the VPC routing
  # decide which applications can reach it.
  security_groups = [aws_security_group.test.id]

  user {
    username = "ExampleUser"
    # Placeholder only; take real broker credentials from a secret store
    # rather than a literal in the configuration.
    password = "MindTheGap"
  }

  # Endpoints get private VPC addresses instead of public ones.
  # Changing this on an existing broker forces a replacement.
  publicly_accessible = false
}
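The following is an added example, not code from Trivy or from this page, that applies the same check as AVD-AWS-0072 to two inputs a practitioner typically has: a CloudFormation template (in its JSON form, so only the standard library is needed) and the JSON that `aws mq describe-broker` returns for a running broker, which lets you confirm that a deployed broker matches the hardened template above. The template, broker IDs and broker names are constructed for the example; the function names are this example's own.

```python
# Added example (not Trivy's own code): flag Amazon MQ brokers that are
# publicly accessible, first in a CloudFormation template and then in the
# JSON that `aws mq describe-broker` returns for a running broker.
# Every template, broker ID and broker name below is constructed for this
# example.
import json

MQ_BROKER_TYPE = "AWS::AmazonMQ::Broker"


def _is_false(value):
    """CloudFormation accepts a YAML/JSON boolean or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value is False
    if isinstance(value, str):
        return value.strip().lower() == "false"
    return False


def find_public_brokers_in_template(template):
    """Return logical IDs of AWS::AmazonMQ::Broker resources whose
    PubliclyAccessible property is anything other than false.

    PubliclyAccessible is a required property of the resource, so a broker
    that omits it is reported too instead of being assumed private."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != MQ_BROKER_TYPE:
            continue
        props = resource.get("Properties") or {}
        if not _is_false(props.get("PubliclyAccessible")):
            findings.append(logical_id)
    return findings


def find_public_brokers_deployed(broker_descriptions):
    """Return BrokerIds whose DescribeBroker output has PubliclyAccessible true.

    Each element is one `aws mq describe-broker` response (a dict)."""
    return [
        desc["BrokerId"]
        for desc in broker_descriptions
        if desc.get("PubliclyAccessible") is True
    ]


# Constructed CloudFormation template in JSON form. Only the properties
# relevant to the check are shown; "true" as a string is deliberate, since
# CloudFormation accepts it and a naive `== True` comparison would miss it.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "GoodBroker":  {"Type": "AWS::AmazonMQ::Broker",
                    "Properties": {"PubliclyAccessible": false}},
    "BadBroker":   {"Type": "AWS::AmazonMQ::Broker",
                    "Properties": {"PubliclyAccessible": "true"}},
    "UnsetBroker": {"Type": "AWS::AmazonMQ::Broker",
                    "Properties": {"EngineType": "ActiveMQ"}},
    "Queue":       {"Type": "AWS::SQS::Queue", "Properties": {}}
  }
}
""")

# Constructed describe-broker responses; the IDs and names are made up.
SAMPLE_DESCRIBE_OUTPUT = [
    {"BrokerId": "b-private-0001", "BrokerName": "orders",
     "BrokerState": "RUNNING", "PubliclyAccessible": False},
    {"BrokerId": "b-public-0002", "BrokerName": "legacy",
     "BrokerState": "RUNNING", "PubliclyAccessible": True},
]

if __name__ == "__main__":
    print("template findings:", find_public_brokers_in_template(SAMPLE_TEMPLATE))
    print("deployed findings:", find_public_brokers_deployed(SAMPLE_DESCRIBE_OUTPUT))
```

For the template side, `trivy config <dir>` runs the original check against both CloudFormation and Terraform sources. For the deployed side, iterate the IDs from `aws mq list-brokers` and feed each `aws mq describe-broker --broker-id <id>` response to `find_public_brokers_deployed`; a broker reported there but not in the template is drift that the template scan alone will never show.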