MQ Has Automatic Minor Version Upgrades.
More Info:
This rule checks if automatic minor version upgrades are enabled for Amazon MQ brokers. The rule is NON_COMPLIANT if the ‘AutoMinorVersionUpgrade’ field is not enabled for an Amazon MQ broker.Risk Level
LowAddress
ConfigurationCompliance Standards
CBP,SEBITriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of having MQ (Message Queue) with automatic minor version upgrades enabled for AWS Security Groups using the AWS Management Console, follow these steps:
- Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in to your account.
- Navigate to Amazon MQ: Click on the “Services” dropdown menu at the top left corner of the console, then select “Amazon MQ” under the “Messaging” section.
- Select the Amazon MQ Instance: From the Amazon MQ dashboard, select the Amazon MQ instance for which you want to disable automatic minor version upgrades.
- Modify Configuration: In the Amazon MQ console, navigate to the “Configuration” tab for the selected Amazon MQ instance.
- Edit the Configuration: Click on the “Edit” button to modify the configuration settings of the Amazon MQ instance.
- Disable Automatic Minor Version Upgrades: Scroll down to the “Maintenance” section of the configuration settings. Look for the option related to automatic minor version upgrades and uncheck the box or toggle the setting to disable this feature.
- Save Changes: After disabling automatic minor version upgrades, click on the “Save Changes” or “Apply Changes” button to apply the new configuration settings to the Amazon MQ instance.
- Verify Configuration: Once the changes are saved, verify that automatic minor version upgrades are successfully disabled for the AWS Security Groups associated with the Amazon MQ instance.
Using CLI
Using CLI
To remediate the misconfiguration of having MQ Automatic Minor Version Upgrades enabled for AWS Security Groups using AWS CLI, you can follow these steps:
-
Identify the AWS Security Group associated with your MQ service:
- You can use the following AWS CLI command to list all the security groups associated with your MQ service:
- You can use the following AWS CLI command to list all the security groups associated with your MQ service:
-
Update the Security Group to block all outbound traffic to the internet:
- Use the following AWS CLI command to update the outbound rules of the Security Group associated with your MQ service to block all traffic to 0.0.0.0/0:
- Use the following AWS CLI command to update the outbound rules of the Security Group associated with your MQ service to block all traffic to 0.0.0.0/0:
-
Verify the changes:
- You can verify that the outbound rules have been updated successfully by describing the Security Group:
- You can verify that the outbound rules have been updated successfully by describing the Security Group:
-
Disable Automatic Minor Version Upgrades for your MQ Broker:
- Use the following AWS CLI command to update your MQ Broker configuration and disable Automatic Minor Version Upgrades:
- Use the following AWS CLI command to update your MQ Broker configuration and disable Automatic Minor Version Upgrades:
-
Verify the changes:
- You can verify that the Automatic Minor Version Upgrades setting has been disabled by describing the broker configuration:
- You can verify that the Automatic Minor Version Upgrades setting has been disabled by describing the broker configuration:
Using Python
Using Python
To remediate the misconfiguration of MQ having automatic minor version upgrades enabled for AWS Security Groups using Python, you can follow these steps:By following these steps, you can remediate the misconfiguration of MQ having automatic minor version upgrades enabled for AWS Security Groups using Python.
- Install Boto3: Ensure that you have Boto3 installed in your Python environment. Boto3 is the AWS SDK for Python that allows you to interact with AWS services.
- Write Python Script: Create a Python script that will disable automatic minor version upgrades for the MQ broker in the specified security group. Here is an example script to achieve this:
-
Replace the placeholders:
- Replace
YOUR_SECURITY_GROUP_IDwith the actual Security Group ID where the MQ broker is deployed. - Replace
YOUR_BROKER_IDwith the ID of the MQ broker for which you want to disable automatic minor version upgrades.
- Replace
- Run the Script: Execute the Python script to disable automatic minor version upgrades for the specified MQ broker in the Security Group.