
MQ Deployment Mode

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: MQ-003

Ensure that your Amazon MQ for ActiveMQ brokers use the active/standby deployment mode for high availability. In this mode Amazon MQ creates two broker instances configured as a redundant pair: an active instance in one Availability Zone (AZ) and a standby instance in a different AZ. The broker instances communicate with your application, with each other, and with a shared AWS storage location, so the standby can take over the persisted messages when the active instance or its AZ fails. Failover only helps clients that reconnect: the broker exposes one endpoint per instance, and ActiveMQ clients should connect through the failover transport, failover:(ssl://<active endpoint>,ssl://<standby endpoint>), so they move to the standby automatically.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

With the active/standby deployment mode, as opposed to the default single-instance mode, Amazon MQ fails over automatically to the standby instance in the other Availability Zone when the active instance (or its AZ) becomes unavailable, so a single broker failure no longer stops message delivery.


Audit

To determine the deployment mode for your Amazon MQ brokers, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MQ console at https://console.aws.amazon.com/amazon-mq/.

03 In the main navigation panel, under Amazon MQ, click Brokers.

04 Click on the name (link) of the MQ broker that you want to examine.

05 In the Details section, check the Deployment mode attribute value listed under Specifications to determine the deployment mode used by the selected MQ broker. If the attribute value is set to Single-instance broker, the active/standby deployment mode is not enabled for the selected Amazon MQ broker, therefore your broker is not configured for high availability.

06 Repeat steps no. 4 and 5 for each Amazon MQ broker available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-brokers command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon MQ broker available in the selected AWS region:

aws mq list-brokers
  --region us-east-1
  --query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs:

[
	"b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
	"b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
]

03 Run describe-broker command (OSX/Linux/UNIX) using the ID of the Amazon MQ broker that you want to examine as the identifier parameter, to describe the deployment mode used by the selected MQ broker:

aws mq describe-broker
  --region us-east-1
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc
  --query 'DeploymentMode'

04 The command output should return the deployment mode used by the specified broker:

"SINGLE_INSTANCE"

If the describe-broker command output returns "SINGLE_INSTANCE", as shown in the output example above, the active/standby deployment mode is not enabled for the selected Amazon MQ broker, therefore your broker is not configured for high availability. A compliant ActiveMQ broker returns "ACTIVE_STANDBY_MULTI_AZ". Note that an Amazon MQ for RabbitMQ broker cannot use active/standby; when deployed across Availability Zones it returns "CLUSTER_MULTI_AZ" instead.

05 Repeat steps no. 3 and 4 for each Amazon MQ broker available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.
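The manual audit above is one describe-broker call per broker per region. The following script, added here as an example and not part of Conformity's or AWS's own tooling, automates the same check: it pages through list-brokers, describes each broker, and classifies it. The compliance decision is kept in a separate function so it can be tested offline against constructed describe-broker output (the FakeMQClient below is such a constructed stand-in; the function names are this example's own). It also generalises the rule slightly by treating a RabbitMQ broker's CLUSTER_MULTI_AZ mode as compliant, since that engine has no active/standby mode.

```python
"""Audit every Amazon MQ broker in a region for rule MQ-003.

Added example, not Conformity's or AWS's own code. The compliance decision
(classify_broker) is kept separate from the AWS calls (audit_region) so it
can be tested offline against constructed describe-broker output.
"""
from typing import Dict, Iterable, List

# DeploymentMode values Amazon MQ returns from describe-broker.
SINGLE_INSTANCE = "SINGLE_INSTANCE"
ACTIVE_STANDBY_MULTI_AZ = "ACTIVE_STANDBY_MULTI_AZ"  # ActiveMQ high availability
CLUSTER_MULTI_AZ = "CLUSTER_MULTI_AZ"                # RabbitMQ high availability


def classify_broker(broker: Dict) -> Dict:
    """Turn one describe-broker result into a finding.

    SINGLE_INSTANCE fails the rule. ACTIVE_STANDBY_MULTI_AZ passes, and so
    does CLUSTER_MULTI_AZ, because a RabbitMQ broker cannot use
    active/standby and reports its multi-AZ cluster mode instead.
    """
    mode = broker.get("DeploymentMode", "")
    engine = broker.get("EngineType", "unknown")
    compliant = mode in (ACTIVE_STANDBY_MULTI_AZ, CLUSTER_MULTI_AZ)
    if compliant:
        reason = f"{engine} broker is deployed as {mode}"
    elif mode == SINGLE_INSTANCE:
        reason = f"{engine} broker is single-instance: no automatic failover"
    else:
        reason = f"unrecognised deployment mode {mode!r}: review manually"
    return {
        "BrokerId": broker.get("BrokerId"),
        "BrokerName": broker.get("BrokerName"),
        "DeploymentMode": mode,
        "Compliant": compliant,
        "Reason": reason,
    }


def audit_region(mq_client) -> List[Dict]:
    """Classify every broker visible to mq_client.

    mq_client is a boto3 'mq' client, e.g. boto3.client("mq",
    region_name="us-east-1"), or any object with the same list_brokers /
    describe_broker methods. list_brokers is paginated, so NextToken is
    followed until the service stops returning one.
    """
    findings: List[Dict] = []
    kwargs: Dict = {}
    while True:
        page = mq_client.list_brokers(**kwargs)
        for summary in page.get("BrokerSummaries", []):
            described = mq_client.describe_broker(BrokerId=summary["BrokerId"])
            findings.append(classify_broker(described))
        token = page.get("NextToken")
        if not token:
            return findings
        kwargs = {"NextToken": token}


def non_compliant(findings: Iterable[Dict]) -> List[str]:
    """IDs of brokers that still need to be re-created in active/standby mode."""
    return [f["BrokerId"] for f in findings if not f["Compliant"]]


class FakeMQClient:
    """Constructed stand-in for the boto3 mq client so the example runs offline.

    Responses copy the shape of real list-brokers / describe-broker output:
    one page of two brokers followed by a second page of one.
    """
    _BROKERS = {
        "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc": {
            "BrokerName": "cc-production-broker", "EngineType": "ActiveMQ",
            "DeploymentMode": SINGLE_INSTANCE},
        "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd": {
            "BrokerName": "cc-ha-production-broker", "EngineType": "ActiveMQ",
            "DeploymentMode": ACTIVE_STANDBY_MULTI_AZ},
        "b-ccccdddd-eeee-ffff-aaaa-ccccddddeeee": {
            "BrokerName": "cc-rabbit-broker", "EngineType": "RabbitMQ",
            "DeploymentMode": CLUSTER_MULTI_AZ},
    }
    _PAGES = [(list(_BROKERS)[:2], "page-2"), (list(_BROKERS)[2:], None)]

    def list_brokers(self, NextToken=None, MaxResults=None):
        ids, next_token = self._PAGES[1 if NextToken == "page-2" else 0]
        page = {"BrokerSummaries": [
            {"BrokerId": i, "BrokerName": self._BROKERS[i]["BrokerName"]} for i in ids]}
        if next_token:
            page["NextToken"] = next_token
        return page

    def describe_broker(self, BrokerId):
        return {"BrokerId": BrokerId, **self._BROKERS[BrokerId]}


if __name__ == "__main__":
    # Against a real account: import boto3 and pass
    # boto3.client("mq", region_name="us-east-1") instead of FakeMQClient().
    for finding in audit_region(FakeMQClient()):
        status = "PASS" if finding["Compliant"] else "FAIL"
        print(f"{status} {finding['BrokerId']} {finding['Reason']}")
```

To cover every region, loop over boto3.session.Session().get_available_regions("mq") and call audit_region once per client; the IAM principal running it only needs mq:ListBrokers and mq:DescribeBroker.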

Remediation / Resolution

Amazon MQ does not let you change the deployment mode of an existing broker, so to enable the active/standby deployment mode for your existing Amazon MQ brokers you must re-create them with a high-availability (HA) configuration, using two subnets that belong to different Availability Zones. To relaunch your MQ brokers, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON). A password written into a template ends up in version control and in the CloudFormation console; for a real deployment replace the literal with a Secrets Manager dynamic reference of the form {{resolve:secretsmanager:<secret-id>:SecretString:<json-key>}} (the secret name is yours to choose):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Multi-AZ Deployment Mode",
	"Resources": {
		"MQBroker": {
			"Type": "AWS::AmazonMQ::Broker",
			"Properties": {
				"BrokerName": "cc-ha-production-broker",
				"EngineType": "ActiveMQ",
				"EngineVersion": "5.15.0",
				"HostInstanceType": "mq.m5.large",
				"AutoMinorVersionUpgrade": true,
				"PubliclyAccessible": false,
				"SecurityGroups": [
					"sg-01234abcd1234abcd"
				],
				"Users": [
					{
						"Username": "brokeruser",
						"Password": "brokerpassword"
					}
				],
				"SubnetIds": [
					"subnet-0abcd1234abcd1234",
					"subnet-01234abcd1234abcd"
				],
				"DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Multi-AZ Deployment Mode
Resources:
  MQBroker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      BrokerName: cc-ha-production-broker
      EngineType: ActiveMQ
      EngineVersion: 5.15.0
      HostInstanceType: mq.m5.large
      AutoMinorVersionUpgrade: true
      PubliclyAccessible: false
      SecurityGroups:
        - sg-01234abcd1234abcd
      Users:
        - Username: brokeruser
          Password: brokerpassword
      SubnetIds:
        - subnet-0abcd1234abcd1234
        - subnet-01234abcd1234abcd
      DeploymentMode: ACTIVE_STANDBY_MULTI_AZ

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Supplied at apply time (TF_VAR_broker_password or a tfvars file kept out
# of version control) so the password is not committed with the configuration.
variable "broker_password" {
	type      = string
	sensitive = true
}

resource "aws_mq_broker" "mq-broker" {
	broker_name                = "cc-ha-production-broker"
	engine_type                = "ActiveMQ"
	engine_version             = "5.15.0"
	host_instance_type         = "mq.m5.large"
	auto_minor_version_upgrade = true
	publicly_accessible        = false
	security_groups            = ["sg-01234abcd1234abcd"]
	user {
		username = "brokeruser"
		password = var.broker_password
	}

	# Multi-AZ Deployment Mode: active/standby requires exactly two subnets
	# in different Availability Zones
	subnet_ids      = ["subnet-0abcd1234abcd1234", "subnet-01234abcd1234abcd"]
	deployment_mode = "ACTIVE_STANDBY_MULTI_AZ"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MQ console at https://console.aws.amazon.com/amazon-mq/.

03 In the main navigation panel, under Amazon MQ, click Brokers.

04 Click on the name (link) of the MQ broker that you want to re-create.

05 On the selected MQ broker page, collect the broker configuration information such as Broker instance type, Broker engine, Broker engine version, Configuration name and revision, Security and network information, and Maintenance information, as well as the user and tagging information available in the Users and Tags sections.

06 Navigate back to the Brokers listing page and choose Create broker to initiate the setup process.

07 For Step 1 Select broker engine, choose Apache ActiveMQ for the broker engine type. Choose Next to continue the setup process.

08 For Step 2 Select deployment and storage type, select Active/standby broker for Deployment mode to enable the active/standby deployment mode for the new Amazon MQ broker. Choose Next to continue the broker setup.

09 For Step 3 Configure settings, provide a unique name for the new broker, and configure the required settings for your new MQ broker using the configuration, tagging, and user information collected at step no. 5. Choose Next to continue.

10 For Step 4 Review and create, review the broker configuration information and choose Create broker to launch your new Amazon MQ broker.

11 After the new MQ broker is created, you can replace the broker endpoint(s) within your application.

12 If required, repeat steps no. 4 – 11 to enable the active/standby deployment mode for each Amazon MQ broker available within the current AWS region.

13 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run describe-broker command (OSX/Linux/UNIX) using the ID of the Amazon MQ broker that you want to relaunch as the identifier parameter, to describe the configuration information for the specified (single-instance) broker:

aws mq describe-broker
  --region us-east-1
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

02 The command output should return the configuration information available for the selected MQ broker:

{
	"MaintenanceWindowStartTime": {
		"DayOfWeek": "MONDAY",
		"TimeZone": "UTC",
		"TimeOfDay": "01:00"
	},
	"PubliclyAccessible": true,
	"EngineVersion": "5.15.0",
	"EngineType": "ActiveMQ",
	"DeploymentMode": "SINGLE_INSTANCE",


	...

	"HostInstanceType": "mq.m5.large",
	"SubnetIds": [
		"subnet-0abcd1234abcd1234",
		"subnet-01234abcd1234abcd"
	],
	"AutoMinorVersionUpgrade": false,
	"BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-production-broker:b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
	"BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
	"BrokerName": "cc-production-broker",
	"SecurityGroups": [
		"sg-01234abcd1234abcd"
	]
}

03 Run create-broker command (OSX/Linux/UNIX) using the configuration information returned at the previous step to relaunch the selected Amazon MQ broker in two different Availability Zones (AZs), with the --deployment-mode parameter value set to ACTIVE_STANDBY_MULTI_AZ and --subnet-ids listing one subnet in each AZ. Carry over only the settings you intend to keep: the output above shows the old broker was publicly accessible, so use --no-publicly-accessible unless clients genuinely connect from the internet. A password passed on the command line is also recorded in your shell history; for production brokers supply the request from a file with restricted permissions via --cli-input-json instead:

aws mq create-broker
  --region us-east-1
  --broker-name cc-ha-production-broker
  --configuration Id="c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",Revision=1
  --deployment-mode ACTIVE_STANDBY_MULTI_AZ
  --engine-type ACTIVEMQ
  --engine-version 5.15.0
  --host-instance-type mq.m5.large
  --security-groups "sg-01234abcd1234abcd"
  --subnet-ids "subnet-0abcd1234abcd1234" "subnet-01234abcd1234abcd"
  --users ConsoleAccess=true,Username="brokeruser",Password="brokerpasswd"
  --publicly-accessible
  --auto-minor-version-upgrade

04 The command output should return the new Amazon MQ broker identifiers (broker ARN and ID):

{
	"BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-ha-production-broker:b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd",
	"BrokerId": "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
}

05 After the new MQ broker is created, replace the broker endpoint(s) within your application. Once no traffic reaches the old single-instance broker, delete it.

06 If required, repeat steps no. 1 – 5 to enable the active/standby deployment mode for each Amazon MQ broker available in the selected AWS region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the Remediation process for other regions.
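The console and CLI remediation both amount to "read the old broker's settings, then create a new broker with the same settings plus DeploymentMode=ACTIVE_STANDBY_MULTI_AZ". The script below, added here as an example and not Conformity's or AWS's own code, builds that create-broker request from describe-broker output so nothing is retyped by hand. It carries over every setting describe-broker returns that create-broker also accepts, and it validates the two things the old broker cannot provide: a second subnet in another AZ (a single-instance broker may have only one) and the user passwords (describe-broker never returns them). The sample describe-broker document, the function names and the password rules (at least 12 characters, at least 4 distinct characters, printable ASCII without spaces, commas, colons or equals signs) are this example's assumptions; check the rules against the current AWS documentation.

```python
"""Build a create-broker request that re-creates a single-instance ActiveMQ
broker in active/standby mode.

Added example, not Conformity's or AWS's own code. Every setting that
describe-broker returns and create-broker accepts is carried over,
DeploymentMode is switched to ACTIVE_STANDBY_MULTI_AZ, and the inputs the
old broker cannot supply (second subnet, passwords) are validated.
"""
from typing import Dict, List, Optional

HA_MODE = "ACTIVE_STANDBY_MULTI_AZ"
# Assumed ActiveMQ user-password rules: >= 12 chars, >= 4 distinct chars,
# printable ASCII without spaces, commas, colons or equals signs.
MIN_LEN, MIN_UNIQUE, FORBIDDEN = 12, 4, set(",:= ")


def validate_password(password: str) -> None:
    """Reject passwords create-broker would refuse, before any API call."""
    if len(password) < MIN_LEN:
        raise ValueError(f"password shorter than {MIN_LEN} characters")
    if len(set(password)) < MIN_UNIQUE:
        raise ValueError(f"password has fewer than {MIN_UNIQUE} distinct characters")
    if FORBIDDEN & set(password) or not password.isascii() or not password.isprintable():
        raise ValueError("password contains a space, ',', ':', '=' or a non-printable/non-ASCII character")


def build_ha_create_request(described: Dict, new_name: str, users: List[Dict],
                            subnet_ids: Optional[List[str]] = None,
                            publicly_accessible: Optional[bool] = None) -> Dict:
    """Return kwargs for boto3 mq.create_broker (also valid as --cli-input-json)."""
    if described.get("EngineType", "").upper() != "ACTIVEMQ":
        raise ValueError("active/standby is an ActiveMQ mode; RabbitMQ uses CLUSTER_MULTI_AZ")
    # Active/standby needs one subnet in each of two AZs. A single-instance
    # broker may have been created with one subnet, so the caller can supply them.
    subnets = list(subnet_ids or described.get("SubnetIds", []))
    if len(subnets) != 2 or len(set(subnets)) != 2:
        raise ValueError(f"need exactly two distinct subnets in different AZs, got {subnets}")
    # describe-broker never returns passwords: the caller provides them
    # (e.g. from Secrets Manager) and they are checked before the API call.
    if not users:
        raise ValueError("at least one user with a password is required")
    for user in users:
        validate_password(user["Password"])

    request = {
        "BrokerName": new_name,
        "DeploymentMode": HA_MODE,
        "EngineType": "ACTIVEMQ",
        "EngineVersion": described["EngineVersion"],
        "HostInstanceType": described["HostInstanceType"],
        "SubnetIds": subnets,
        "SecurityGroups": list(described.get("SecurityGroups", [])),
        "Users": users,
        # Re-creation is the moment to drop an accidental public endpoint; the
        # old value is kept only when the caller does not override it.
        "PubliclyAccessible": (described.get("PubliclyAccessible", False)
                               if publicly_accessible is None else publicly_accessible),
        "AutoMinorVersionUpgrade": described.get("AutoMinorVersionUpgrade", False),
    }
    current = described.get("Configurations", {}).get("Current")
    if current:  # keep the same ActiveMQ configuration revision
        request["Configuration"] = {"Id": current["Id"], "Revision": current["Revision"]}
    logs = described.get("Logs")
    if logs:  # create-broker accepts only the two switches, not the log-group names
        request["Logs"] = {"General": bool(logs.get("General")), "Audit": bool(logs.get("Audit"))}
    for key in ("MaintenanceWindowStartTime", "EncryptionOptions", "Tags"):
        if described.get(key):
            request[key] = described[key]
    return request


# Constructed describe-broker output for the single-instance broker audited above.
SAMPLE_DESCRIBED = {
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "BrokerName": "cc-production-broker",
    "EngineType": "ActiveMQ", "EngineVersion": "5.15.0",
    "DeploymentMode": "SINGLE_INSTANCE", "HostInstanceType": "mq.m5.large",
    "PubliclyAccessible": True, "AutoMinorVersionUpgrade": False,
    "SubnetIds": ["subnet-0abcd1234abcd1234", "subnet-01234abcd1234abcd"],
    "SecurityGroups": ["sg-01234abcd1234abcd"],
    "Configurations": {"Current": {"Id": "c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc", "Revision": 1}},
    "Logs": {"General": True, "Audit": False,
             "GeneralLogGroup": "/aws/amazonmq/broker/b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc/general"},
    "MaintenanceWindowStartTime": {"DayOfWeek": "MONDAY", "TimeOfDay": "01:00", "TimeZone": "UTC"},
    "Users": [{"Username": "brokeruser"}],
}

if __name__ == "__main__":
    import json
    # Constructed credential for the demo; in practice read it from Secrets Manager.
    users = [{"Username": "brokeruser", "Password": "brokerpassword", "ConsoleAccess": True}]
    req = build_ha_create_request(SAMPLE_DESCRIBED, "cc-ha-production-broker", users,
                                  publicly_accessible=False)
    # Pass to boto3.client("mq").create_broker(**req), or write it to a file
    # for `aws mq create-broker --cli-input-json file://request.json`.
    print(json.dumps(req, indent=2))
```

Against a real account, feed the result of boto3.client("mq").describe_broker(BrokerId=...) into build_ha_create_request and pass the returned dictionary to create_broker; writing it to a file for --cli-input-json keeps the password out of shell history, which the bare create-broker command above does not.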

Publication date Dec 22, 2017