Ensure that your Amazon MQ brokers have the Log Exports feature enabled so that broker log events are published directly to AWS CloudWatch Logs. By publishing broker logs to AWS CloudWatch, you can have richer and more seamless interactions with your MQ broker logs using AWS services. The Log Exports feature supports the following log types:
General log – enables the default ActiveMQ INFO logging level and publishes activemq.log to an Amazon CloudWatch log group available in your account.
Audit log – enables logging of management actions taken using JMX or using the ActiveMQ Web Console and publishes audit.log to a CloudWatch log group in your AWS account.
Cloud Conformity strongly recommends that you select both general and audit logs for publishing to AWS CloudWatch Logs when enabling the Log Exports feature.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon MQ is integrated with AWS CloudWatch Logs, a service that lets you monitor, store and access log files from a variety of sources within your AWS account. Once the Log Exports feature is enabled, Amazon MQ publishes general and audit logs to AWS CloudWatch Logs, allowing you to maintain continuous visibility into your brokers' activity and meet compliance requirements when it comes to auditing.
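One way to check this setting programmatically, as an added example that is not part of the original page or Conformity's own procedure. It assumes boto3 and its `mq` client (`list_brokers`, `describe_broker`), whose `Logs` structure reports the `General` and `Audit` flags; the function names and the sample broker data are constructed for illustration.

```python
"""Audit Amazon MQ brokers for the Log Exports settings described above."""


def log_export_findings(broker):
    """Return findings for one DescribeBroker response (empty list = compliant)."""
    logs = broker.get("Logs") or {}
    pending = logs.get("Pending") or {}
    findings = []
    for kind in ("General", "Audit"):
        if logs.get(kind):
            continue  # this log type is already published to CloudWatch Logs
        if pending.get(kind):
            # Requested, but the change has not been deployed to the broker yet.
            findings.append(f"{kind.lower()} log export is pending, not yet active")
        else:
            findings.append(f"{kind.lower()} log is not published to CloudWatch Logs")
    return findings


def audit_region(region):
    """Check every broker in one region. Needs AWS credentials allowed to
    call mq:ListBrokers and mq:DescribeBroker (assumption)."""
    import boto3  # imported lazily so the offline sample below runs without it

    mq = boto3.client("mq", region_name=region)
    report = {}
    for page in mq.get_paginator("list_brokers").paginate():
        for summary in page["BrokerSummaries"]:
            broker = mq.describe_broker(BrokerId=summary["BrokerId"])
            report[broker["BrokerName"]] = log_export_findings(broker)
    return report


# Constructed sample responses (not real brokers), trimmed to the fields used.
SAMPLE_BROKERS = [
    {"BrokerName": "orders-prod", "Logs": {"General": True, "Audit": True}},
    {"BrokerName": "orders-dev", "Logs": {"General": True, "Audit": False}},
    {"BrokerName": "legacy", "Logs": {"General": False, "Audit": False,
                                      "Pending": {"General": True, "Audit": False}}},
    {"BrokerName": "no-logs-block"},
]

if __name__ == "__main__":
    for sample in SAMPLE_BROKERS:
        result = log_export_findings(sample)
        print(sample["BrokerName"], "OK" if not result else result)
```

Calling `audit_region("us-east-1")` with valid credentials returns a dictionary keyed by broker name; any broker with a non-empty list does not meet the recommendation to publish both general and audit logs.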
To determine if your AWS MQ brokers are using Log Exports feature to publish logs to Amazon CloudWatch Logs, perform the following actions:
Remediation / Resolution
To enable Log Exports feature for your existing Amazon MQ brokers, perform the following actions:
You are auditing:
MQ Log Exports
Risk level: Low