Amazon MQ brokers have autoMinorVersionUpgrade enabled to automatically apply supported minor and patch engine updates during the scheduled maintenance window.
Risk
Without automatic minor version upgrades, brokers may keep running engine versions with known vulnerabilities, exposing them to exploits that affect:
- Confidentiality: message disclosure
- Integrity: tampering or replay
- Availability: crashes/DoS and instability
Delayed patching also increases operational risk and version drift across brokers.
Run this check with Prowler CLI
prowler aws --checks mq_broker_auto_minor_version_upgrades
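The following is an added example, not Prowler's own implementation of this check: it shows the evaluation logic the check applies, run over constructed DescribeBroker responses (field names match the real Amazon MQ API; broker ids and names are invented). A broker passes only when AutoMinorVersionUpgrade is explicitly true; a missing field is treated as a failure so the check fails closed. The optional describe_all_brokers helper assumes boto3 and configured credentials and is not called by default, so the script runs offline.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample DescribeBroker responses. Field names match the real
# API response; identifiers and values are invented for this example.
SAMPLE_BROKERS = [
    {
        "BrokerId": "b-0000aaaa-0000-4000-8000-000000000001",
        "BrokerName": "orders-activemq",
        "EngineType": "ACTIVEMQ",
        "EngineVersion": "5.17.6",
        "AutoMinorVersionUpgrade": True,
        "BrokerState": "RUNNING",
    },
    {
        "BrokerId": "b-0000aaaa-0000-4000-8000-000000000002",
        "BrokerName": "billing-rabbitmq",
        "EngineType": "RABBITMQ",
        "EngineVersion": "3.11.20",
        "AutoMinorVersionUpgrade": False,
        "BrokerState": "RUNNING",
    },
    {
        # Field absent: fail closed rather than silently report PASS.
        "BrokerId": "b-0000aaaa-0000-4000-8000-000000000003",
        "BrokerName": "legacy-activemq",
        "EngineType": "ACTIVEMQ",
        "EngineVersion": "5.15.16",
        "BrokerState": "RUNNING",
    },
]


@dataclass
class Finding:
    broker_id: str
    broker_name: str
    engine: str
    status: str  # "PASS" or "FAIL"
    status_extended: str


def evaluate_broker(broker: dict) -> Finding:
    """Return PASS only when AutoMinorVersionUpgrade is explicitly true."""
    enabled = broker.get("AutoMinorVersionUpgrade")
    name = broker.get("BrokerName", broker["BrokerId"])
    engine = f'{broker.get("EngineType", "UNKNOWN")} {broker.get("EngineVersion", "")}'.strip()
    if enabled is True:
        status = "PASS"
        detail = f"MQ broker {name} has automatic minor version upgrades enabled."
    elif enabled is None:
        status = "FAIL"
        detail = f"MQ broker {name} did not report AutoMinorVersionUpgrade; treated as disabled."
    else:
        status = "FAIL"
        detail = f"MQ broker {name} does not have automatic minor version upgrades enabled."
    return Finding(broker["BrokerId"], name, engine, status, detail)


def evaluate_brokers(brokers: Iterable[dict]) -> list[Finding]:
    """Evaluate every broker response and return one finding per broker."""
    return [evaluate_broker(b) for b in brokers]


def failing_broker_ids(brokers: Iterable[dict]) -> list[str]:
    """Ids of brokers that need remediation."""
    return [f.broker_id for f in evaluate_brokers(brokers) if f.status == "FAIL"]


def remediation_command(broker_id: str) -> str:
    """The AWS CLI call from the Remediation section, filled in with the broker id."""
    return f"aws mq update-broker --broker-id {broker_id} --auto-minor-version-upgrade"


def describe_all_brokers(region: str) -> list[dict]:
    """Live collection (assumes boto3 and credentials); not called by default."""
    import boto3  # imported here so the offline path has no dependency

    mq = boto3.client("mq", region_name=region)
    brokers, kwargs = [], {"MaxResults": 100}
    while True:
        page = mq.list_brokers(**kwargs)
        for summary in page.get("BrokerSummaries", []):
            brokers.append(mq.describe_broker(BrokerId=summary["BrokerId"]))
        if not page.get("NextToken"):
            return brokers
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    for finding in evaluate_brokers(SAMPLE_BROKERS):
        print(f"{finding.status} {finding.broker_name} ({finding.engine}): {finding.status_extended}")
        if finding.status == "FAIL":
            print("  remediate:", remediation_command(finding.broker_id))
```

To run it against an account, replace SAMPLE_BROKERS with describe_all_brokers("<region>") in the main block; the evaluation and remediation helpers are unchanged.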
Recommendation
Enable autoMinorVersionUpgrade on all brokers to reduce patch latency.
- Align upgrades with a defined maintenance window
- Validate changes in staging before production
- Monitor broker health and logs after updates
- Maintain HA and tested backups for rollback (defense in depth)
Remediation
CLI
aws mq update-broker --broker-id <example_resource_id> --auto-minor-version-upgrade
Native IaC
Terraform
Other
- Open the Amazon MQ console
- Go to Brokers and select the target broker
- Click Edit
- Under Maintenance, check Enable automatic minor version upgrades
- Click Save
Source Code
Resource Type
AwsAmazonMQBroker
References
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/auto-minor-version-upgrade.html
- https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades
- https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-3