MQ Engine Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: MQ-004

Ensure that your Amazon MQ brokers are using the latest version of Apache ActiveMQ broker engine in order to follow AWS best practices, receive the latest ActiveMQ features and benefit from better performance and security.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Performance efficiency
Reliability
Security

A broker engine is the message broker software that runs on an Amazon MQ broker; for Amazon MQ it is powered by Apache ActiveMQ. When you run your brokers on the latest version of the ActiveMQ engine, you benefit from new features and enhancements, better memory management and resource utilization, bug fixes and security patches, and support for newer broker instance types.


Audit

To determine if your Amazon MQ brokers are using the latest version of Apache ActiveMQ broker engine, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to examine and click on the broker name (link) to access its configuration page.

05 On the MQ broker configuration page, within the Specifications section, check the Broker engine version attribute value to determine the broker engine version used by the selected broker.

06 Open this URL to check the latest stable version of the ActiveMQ broker engine supported by Amazon MQ service.

07 Compare the latest version of the Apache ActiveMQ broker engine supported by Amazon Web Services with the engine version used by the selected MQ broker, listed as the value of the Broker engine version attribute. If there is a newer broker engine version released and supported by the AWS MQ service, the engine version for the selected MQ broker should be upgraded to benefit from all the security and performance improvements that come with the latest version of the Apache ActiveMQ software.

08 Repeat steps no. 4 – 7 to verify the engine version for other AWS MQ brokers available within the current region.

09 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-brokers command (OSX/Linux/UNIX) using custom query filters to list the IDs of all existing MQ brokers available within your AWS account:

aws mq list-brokers \
	--region us-east-1 \
	--query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs:

[
    "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
]

03 Run describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to examine as identifier to determine the Apache ActiveMQ broker engine version used by the selected broker:

aws mq describe-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
	--query 'EngineVersion'

04 The command output should return the broker engine version currently in use:

"5.15.0"

05 Open this URL to check the latest stable version of the ActiveMQ broker engine supported by Amazon MQ service.

06 Compare the latest version of Apache ActiveMQ broker engine supported by AWS with the engine version used by the selected MQ broker, returned by the describe-broker command output at step no. 4. If there is a newer broker engine version released and supported by AWS MQ service, the engine version for the selected broker should be upgraded to benefit from all the security and performance improvements that come with the latest version of the messaging software.

07 Repeat steps no. 3 – 6 to verify the engine version for other AWS MQ brokers provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.
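The CLI audit above, scripted as an added example that is not part of the Conformity page: it walks every broker in a region, reads its EngineVersion, and compares it numerically against a latest-version value that you supply from the AWS documentation page the audit refers to (a plain string comparison would wrongly rank 5.9.0 above 5.15.0). The region and the latest version are operator-supplied assumptions; running audit_region needs AWS credentials.

```shell
#!/bin/sh
# Added example (not from the Conformity page). POSIX sh; needs the AWS CLI for audit_region.
set -eu

# version_older_than A B: succeed (return 0) when dotted version A is strictly older than B.
# Components are compared as integers so that 5.9.0 < 5.15.0 and 5.15 < 5.15.1.
version_older_than() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};  y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# audit_region REGION LATEST: print one line per broker running an engine older than LATEST
# and return 1 if any such broker exists (so the script can gate a CI or compliance job).
audit_region() {
    region=$1; latest=$2; outdated=0
    # Same query as audit step 01, with text output so the IDs can be iterated.
    for id in $(aws mq list-brokers --region "$region" \
                  --query 'BrokerSummaries[*].BrokerId' --output text); do
        # Same query as audit step 03.
        current=$(aws mq describe-broker --region "$region" --broker-id "$id" \
                    --query 'EngineVersion' --output text)
        if version_older_than "$current" "$latest"; then
            printf '%s\t%s\t(latest supported: %s)\n' "$id" "$current" "$latest"
            outdated=1
        fi
    done
    return $outdated
}

# Usage: repeat per region, as audit step 08 does by changing --region.
# LATEST_ACTIVEMQ_VERSION is an assumed value taken from the AWS documentation page.
# audit_region us-east-1 "$LATEST_ACTIVEMQ_VERSION"
```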

Remediation / Resolution

To upgrade the Apache ActiveMQ broker engine version for your existing Amazon MQ brokers, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Configurations.

04 Click Create configuration to start the MQ broker configuration setup process. An MQ configuration contains all the required settings for an ActiveMQ broker, in XML format (similar to Apache ActiveMQ's activemq.xml file).

05 In the navigation panel, under Amazon MQ, click Configurations.

06 On the Create configuration page, perform the following actions:

  1. Provide a name for the new AWS MQ configuration in the Configuration name box.
  2. Select the latest stable version available for the ActiveMQ broker engine from the Broker engine version dropdown list.
  3. Click Create configuration to create your new Amazon MQ configuration file.

07 In the navigation panel, under Amazon MQ, click Brokers.

08 Choose the MQ broker that you want to reconfigure and click on the broker name (link) to access its settings page.

09 Now click on the Edit button from the dashboard top menu to access the configuration editing page.

10 On the Edit <broker_name> page, perform the following:

  1. Within the Configuration section, select the name of the new configuration created at step no. 6 from the Configuration dropdown list and the necessary revision from the Revision dropdown list. To continue the editing process, click Schedule modifications.
  2. In the Schedule broker modifications section, choose whether to apply the changes during the next scheduled maintenance window by selecting After the next reboot option or immediately by selecting Immediately option.
  3. Click Apply to apply the configuration changes (i.e. engine version upgrade) to the selected AWS MQ broker.

11 Repeat steps no. 3 - 10 to upgrade the Apache ActiveMQ broker engine version for other AWS MQ brokers available in the current region.

12 Change the AWS region from the navigation bar to repeat the entire process for other regions.

Using AWS CLI

01 The only way to upgrade the ActiveMQ broker engine version for your MQ broker(s) is to create a new configuration file where you can specify the latest stable version of the broker engine. Run create-configuration command (OSX/Linux/UNIX) to create a new configuration for your AWS MQ broker(s). An MQ configuration file contains all the required settings for an ActiveMQ broker, in XML format. Use the --engine-version parameter to define the latest version of the engine:

aws mq create-configuration \
	--region us-east-1 \
	--engine-type ACTIVEMQ \
	--engine-version 5.15.0 \
	--name engine-version-upgrade-config

02 The command output should return the new AWS MQ configuration metadata:

{
    "LatestRevision": {
        "Description": "Auto-generated default for engine-version-upgrade-config on ActiveMQ 5.15.0",
        "Revision": 1
    },
    "Arn": "arn:aws:mq:us-east-1:123456789012:configuration:c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "Id": "c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
    "Name": "engine-version-upgrade-config"
}

03 Run update-broker command (OSX/Linux/UNIX) to apply the new MQ configuration to the selected Amazon MQ broker:

aws mq update-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
	--configuration Id="c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",Revision=1

04 The command output should return the update-broker command request metadata:

{
    "Configuration": {
        "Id": "c-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
        "Revision": 1
    },
    "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc"
}

05 The configuration changes will be applied during the next scheduled maintenance window. To apply the changes immediately you have to reboot the selected AWS MQ broker by executing reboot-broker command (OSX/Linux/UNIX) with the ID of the broker as identifier (the command does not produce an output):

aws mq reboot-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

06 Repeat steps no. 1 – 5 to upgrade the Apache ActiveMQ broker engine version for other AWS MQ brokers available in the current region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 6 to perform the remediation/resolution process for other regions.

Publication date Dec 22, 2017