
MQ Network of Brokers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: MQ-007

Ensure that your production AWS MQ brokers are running within a mesh network of single-instance or active/standby brokers. A network of brokers is a highly available network that connects multiple message brokers across AWS Availability Zones and regions. This network topology improves MQ broker availability and scalability, and represents an ideal network configuration for mission-critical applications where downtime is highly impactful.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

A network of brokers enables cloud applications to continue to operate during the failure of a broker, interruption of an Availability Zone (AZ), or in the event of a disaster that can lead to loss of connectivity with an entire AWS region. Deploying a network of brokers also distributes the load for higher message throughput and an increased number of application connections.


Audit

To determine the network deployment type for your AWS MQ brokers, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 On the brokers listing page, check the name of each provisioned MQ broker, available in the Name column. If none of the broker names carry a -Broker-n suffix, where n is the number assigned to each broker within the mesh network of brokers, the Amazon MQ network of brokers configuration is not used in the current AWS region.

05 Repeat step no. 4 to verify the network deployment type for other AWS MQ brokers available within the current region.

06 Change the AWS region from the navigation bar to repeat the audit process for other regions.

Using AWS CLI

01 Run list-brokers command (OSX/Linux/UNIX) using custom query filters to list the names of all existing MQ brokers available in the selected AWS region:

aws mq list-brokers \
	--region us-east-1 \
	--output table \
	--query 'BrokerSummaries[*].BrokerName'

02 The command output should return the requested AWS MQ broker names:

-------------------------
|      ListBrokers      |
+-----------------------+
|  cc-project5-broker   |
|  cc-multi-az-broker   |
|  cc-production-broker |
+-----------------------+

Check the name of each MQ broker returned by the list-brokers command output, as the network of brokers configuration assigns a broker number to each broker in the network. If none of the broker names carry a -Broker-n suffix, where n is the number assigned to each broker inside the network, the Amazon MQ network of brokers configuration is not used in the selected AWS region.

03 Repeat step no. 1 and 2 to determine the network deployment type for other AWS MQ brokers available within the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the audit process for other regions.

Remediation / Resolution

To take advantage of the high availability and scalability provided by a network of brokers, you must re-create your Amazon MQ brokers within a mesh network of single-instance or active/standby brokers. To relaunch the required MQ brokers, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 Choose the MQ broker that you want to re-create and click on the broker name to access its configuration page.

05 On the selected AWS MQ broker settings page, perform the following:

  1. In the Details section, copy the broker configuration information such as Broker instance type, Broker engine, Broker engine version, Configuration name and revision, Security and network details and so on.
  2. Inside Users section, locate and copy the ActiveMQ Web Console access credentials.

06 Go back to the Amazon MQ brokers page and click Create brokers to initiate the launch process.

07 On the Select deployment page, based on your application requirements, choose Mesh network of single-instance brokers or Mesh network of active/standby brokers. The first option will create a set of 3 single-instance brokers connected in a mesh network and the second one will launch a set of 3 active/standby brokers with automatic failover capability, all connected in a mesh network.

08 Click Next to continue the process.

09 On the Configure settings page, provide the following information:

  1. Provide a unique name for the new network of brokers in the Network name box.
  2. Configure the rest of the parameters using the information copied at step no. 5, item 1.
  3. Set the existing ActiveMQ Web Console access credentials copied at step no. 5, item 2.
  4. Click Deploy to launch the new Amazon MQ network of brokers.

10 Once the new MQ broker network is created, replace the necessary endpoint(s) within your application(s).

11 Now it's safe to remove the source AWS MQ broker in order to stop incurring charges for it. To delete the necessary broker, perform the following actions:

  1. Select the broker that you want to remove (see Audit section part I to identify the right AWS MQ resource).
  2. Click the Delete button from the dashboard top menu.
  3. Within Delete broker <broker_name> dialog box, enter the phrase delete to confirm the action, then click the Delete button.

12 Repeat steps no. 4 – 11 to re-create other Amazon MQ brokers, available in the current AWS region, into a network of brokers.

13 Change the AWS region from the navigation bar to repeat the entire process for other regions.

Using AWS CLI

01 Run describe-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected AWS MQ broker:

aws mq describe-broker \
	--region us-east-1 \
	--broker-id cc-project5-broker

02 The command output should return the configuration details for the selected broker:

{
    "MaintenanceWindowStartTime": {
        "DayOfWeek": "MONDAY",
        "TimeZone": "UTC",
        "TimeOfDay": "01:00"
    },
    "PubliclyAccessible": true,
    "EngineVersion": "5.15.18",
    "EngineType": "ActiveMQ",

    ...

    "HostInstanceType": "mq.m4.large",
    "SubnetIds": [
        "subnet-abcdabcd"
    ],
    "AutoMinorVersionUpgrade": true,
    "BrokerId": "b-aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc",
    "BrokerName": "cc-project5-broker",
    "SecurityGroups": [
        "sg-abcdabcd"
    ]
}

03 Run create-broker command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to create the network's brokers one at a time. For compliance purposes, add a -Broker-n suffix to the MQ broker name, where n is the number of the broker within your mesh network of brokers. Note that a SINGLE_INSTANCE broker takes exactly one subnet, while an ACTIVE_STANDBY_MULTI_AZ broker requires two:

aws mq create-broker \
	--region us-east-1 \
	--broker-name cc-project5-broker-Broker-1 \
	--configuration Id="c-abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd",Revision=1 \
	--deployment-mode SINGLE_INSTANCE \
	--engine-type ACTIVEMQ \
	--engine-version 5.15.18 \
	--host-instance-type mq.m4.large \
	--security-groups "sg-abcdabcd" \
	--subnet-ids "subnet-abcdabcd" \
	--users ConsoleAccess=true,Username="ccbrokeruser",Password="ccbrokerpassword" \
	--publicly-accessible \
	--auto-minor-version-upgrade

04 The command output should return the ID and the ARN of the newly created MQ broker:

{
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:cc-project5-broker-Broker-1:b-abcd1234-abcd-1234-abcd-1234abcd1234",
    "BrokerId": "b-abcd1234-abcd-1234-abcd-1234abcd1234"
}

05 Repeat step no. 3 and 4 to create the rest of the Amazon MQ brokers necessary for your network of brokers.

06 Once all the brokers are created, connect them in a mesh network of brokers, then replace the necessary endpoint(s) within your application(s).

07 Now it is safe to remove the source Amazon MQ broker in order to stop incurring charges for the resource. To terminate the single-instance broker run delete-broker command (OSX/Linux/UNIX) using the ID of the broker that you want to delete as command parameter:

aws mq delete-broker \
	--region us-east-1 \
	--broker-id b-aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc

08 The command output should return the ID of the MQ broker selected for deletion:

{
    "BrokerId": "b-aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc"
}

09 Repeat steps no. 1 – 8 to re-create other Amazon MQ brokers, available in the selected AWS region, into a network of brokers.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the entire remediation process for other regions.
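The following script is an added example, not part of the Conformity rule page or tooling. It applies the MQ-007 naming check from the Audit section to a list of broker names and, for a non-compliant broker, turns the describe-broker output into one create-broker parameter set per member of the mesh, as the CLI remediation above does by hand. The sample broker record is constructed to match the page's describe-broker output; the parameter key names follow boto3's create_broker, but nothing here calls AWS, and the configuration id and user credentials are supplied by the caller rather than read from the record (an assumption to keep the example offline).

```python
import json
import re

# Constructed sample shaped like the describe-broker output above (not a real broker).
SAMPLE_BROKER = json.loads("""{
  "PubliclyAccessible": true, "EngineVersion": "5.15.18", "EngineType": "ActiveMQ",
  "HostInstanceType": "mq.m4.large", "SubnetIds": ["subnet-abcdabcd"],
  "AutoMinorVersionUpgrade": true, "BrokerId": "b-aaaabbbb-aaaa-bbbb-cccc-aaaabbbbcccc",
  "BrokerName": "cc-project5-broker", "SecurityGroups": ["sg-abcdabcd"]
}""")

# MQ-007 treats a broker as part of a network of brokers when its name ends in -Broker-n.
NETWORK_SUFFIX = re.compile(r"-Broker-(\d+)$")

# A single-instance broker takes exactly one subnet; active/standby needs two.
SUBNETS_REQUIRED = {"SINGLE_INSTANCE": 1, "ACTIVE_STANDBY_MULTI_AZ": 2}


def in_network_of_brokers(broker_name):
    """The Audit check: does the name carry the -Broker-n suffix?"""
    return NETWORK_SUFFIX.search(broker_name) is not None


def noncompliant_brokers(broker_names):
    """Names from list-brokers that fail the check and must be re-created."""
    return [name for name in broker_names if not in_network_of_brokers(name)]


def plan_network(source, configuration, users, deployment_mode="SINGLE_INSTANCE", size=3):
    """Build create-broker parameters for each of `size` mesh members from a source broker record.

    `configuration` is {"Id": ..., "Revision": ...} and `users` the create-broker Users list;
    both are assumed to be supplied by the caller (credentials are never embedded here).
    """
    needed = SUBNETS_REQUIRED[deployment_mode]
    subnets = source["SubnetIds"]
    if len(subnets) < needed:
        raise ValueError(f"{deployment_mode} needs {needed} subnet(s), source has {len(subnets)}")
    base = source["BrokerName"]
    if in_network_of_brokers(base):
        raise ValueError(f"{base} already belongs to a network of brokers")
    return [{
        "BrokerName": f"{base}-Broker-{n}",          # the suffix MQ-007 looks for
        "DeploymentMode": deployment_mode,
        "EngineType": source["EngineType"].upper(),   # describe says ActiveMQ, create wants ACTIVEMQ
        "EngineVersion": source["EngineVersion"],
        "HostInstanceType": source["HostInstanceType"],
        "SecurityGroups": list(source["SecurityGroups"]),
        "SubnetIds": subnets[:needed],
        "PubliclyAccessible": source["PubliclyAccessible"],
        "AutoMinorVersionUpgrade": source["AutoMinorVersionUpgrade"],
        "Configuration": {"Id": configuration["Id"], "Revision": configuration["Revision"]},
        "Users": users,
    } for n in range(1, size + 1)]
```

Each returned dict can be passed as keyword arguments to boto3's `create_broker`, or rendered into the create-broker command shown in step 3.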


Publication date Mar 22, 2019