MQ Broker Should Not Be Publicly Accessible

More Info:

MQ brokers should not be launched into public cloud. Unless there is a specific business requirement, MQ Brokers should not have a public endpoint and should be accessed from within a VPC only.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR, HITRUST, SOC2

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of making an MQ Broker publicly accessible in AWS using AWS CLI, you can follow these steps:

List the existing security groups associated with your MQ Broker:

aws mq list-brokers

Identify the security group associated with the MQ Broker that is publicly accessible:

aws mq describe-broker --broker-id <your-broker-id>

Note down the Security Group ID associated with the MQ Broker.
Update the inbound rules of the Security Group to restrict access only to the necessary IP addresses or CIDR blocks. Replace <security-group-id> with the Security Group ID noted in step 3 and <your-ip> with your IP address:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 8162 --cidr <your-ip>/32

Verify that the inbound rule has been updated successfully:

aws ec2 describe-security-groups --group-ids <security-group-id>

Repeat steps 4 and 5 for any other necessary ports (e.g., 61614 for AMQP, 5671 for MQTT, etc.) to ensure that only the required ports are accessible.

By following these steps, you can remediate the misconfiguration of making an MQ Broker publicly accessible in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of an MQ Broker being publicly accessible in AWS using Python, you can follow these steps:

Identify the Security Group: First, you need to identify the Security Group associated with the MQ Broker.
Update Security Group Rules: You will need to update the inbound rules of the Security Group to restrict access to the MQ Broker to only the necessary IP addresses or ranges.
Revoke Public Access: Remove the existing rule that allows public access to the MQ Broker.

Here is a sample Python script to achieve this:

import boto3

# Define the region and the security group ID associated with the MQ Broker
region = 'your_region'
security_group_id = 'your_security_group_id'

# Create a Boto3 client for EC2
ec2_client = boto3.client('ec2', region_name=region)

# Revoke the existing rule that allows public access to the MQ Broker
response = ec2_client.revoke_security_group_ingress(
    GroupId=security_group_id,
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 8161,  # Assuming default port for MQ Broker
            'ToPort': 8161,
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]  # Restrict this as per your requirement
        }
    ]
)

print("Public access to the MQ Broker has been revoked.")

Make sure to replace 'your_region' and 'your_security_group_id' with the appropriate values for your environment.After running this script, the Security Group associated with the MQ Broker will be updated to revoke public access, thereby remedying the misconfiguration of the MQ Broker being publicly accessible in AWS.

Additional Reading:

https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/accessing-web-console-of-broker-without-public-accessibility.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

MQ Broker Should Not Be Publicly Accessible

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: