Ensure that the AWS MQ brokers provisioned in your AWS account are not publicly accessible from the Internet, in order to avoid exposing sensitive data and to minimize security risks. The appropriate level of access to your MQ brokers depends on their use case; for most use cases, however, Cloud Conformity recommends that MQ brokers be reachable only privately, from within your AWS Virtual Private Cloud (VPC).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Public Amazon MQ brokers can be accessed directly, from outside a Virtual Private Cloud (VPC); every machine on the Internet can therefore reach your brokers through their public endpoints, which increases the opportunity for malicious activity such as cross-site scripting (XSS) and clickjacking attacks.
To determine if your Amazon MQ brokers are publicly accessible, perform the following actions:
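As an added example (not part of the Cloud Conformity page or its tooling), the following Python applies this rule's check to broker descriptions shaped like the Amazon MQ `describe-broker` API response: the sample broker records are constructed, and the hypothetical `fetch_live_brokers` helper assumes boto3 plus credentials allowed to list and describe brokers.

```python
import json

# Constructed sample records shaped like `aws mq describe-broker` output.
# Key names follow the DescribeBroker API; the values are made up for this example.
SAMPLE_BROKERS = [
    {"BrokerId": "b-1111", "BrokerName": "orders-prod", "PubliclyAccessible": True,
     "EngineType": "ACTIVEMQ", "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
     "SubnetIds": ["subnet-aaaa", "subnet-bbbb"], "SecurityGroups": ["sg-0001"]},
    {"BrokerId": "b-2222", "BrokerName": "billing-internal", "PubliclyAccessible": False,
     "EngineType": "RABBITMQ", "DeploymentMode": "SINGLE_INSTANCE",
     "SubnetIds": ["subnet-cccc"], "SecurityGroups": ["sg-0002"]},
]

def is_public(broker):
    """True when the broker was created with PubliclyAccessible=true, meaning its
    endpoints are reachable from the Internet instead of only inside the VPC."""
    return bool(broker.get("PubliclyAccessible", False))

def audit_brokers(brokers):
    """Return one finding per publicly accessible broker, carrying the rule name,
    its risk level and the VPC context a responder needs to plan the re-creation."""
    findings = []
    for b in brokers:
        if is_public(b):
            findings.append({
                "rule": "Publicly Accessible MQ Brokers",
                "risk": "Medium",
                "broker_id": b["BrokerId"],
                "broker_name": b.get("BrokerName"),
                "engine": b.get("EngineType"),
                "deployment_mode": b.get("DeploymentMode"),
                "subnets": b.get("SubnetIds", []),
                "security_groups": b.get("SecurityGroups", []),
                # Per the rule, the broker must be re-created with the flag off.
                "remediation": "re-create broker with PubliclyAccessible=False",
            })
    return findings

def fetch_live_brokers(region):
    """Hypothetical helper: pull real descriptions with boto3 (not run offline).
    Assumes credentials granting mq:ListBrokers and mq:DescribeBroker."""
    import boto3  # imported lazily so the offline audit logic has no dependency
    mq = boto3.client("mq", region_name=region)
    brokers, token = [], None
    while True:
        page = mq.list_brokers(**({"NextToken": token} if token else {}))
        for summary in page.get("BrokerSummaries", []):
            brokers.append(mq.describe_broker(BrokerId=summary["BrokerId"]))
        token = page.get("NextToken")
        if not token:
            return brokers

if __name__ == "__main__":
    print(json.dumps(audit_brokers(SAMPLE_BROKERS), indent=2))
```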
Remediation / Resolution
To disable public accessibility for your existing Amazon MQ brokers, you must re-create them with the necessary configuration so that the broker endpoints are reachable only from within your VPC. To relaunch the required MQ brokers, perform the following:
Publicly Accessible MQ Brokers
Risk level: Medium