Amazon MQ brokers have logging to CloudWatch Logs enabled per engine type: ActiveMQ requires both general and audit logs; RabbitMQ requires general logs.
Risk
Missing broker logs creates blind spots in authentication events, administrative changes, and broker failures. Adversaries can act without detection, enabling unauthorized access and message tampering (confidentiality/integrity) and hindering incident response and root-cause analysis (availability).
prowler aws --checks mq_broker_logging_enabled
Recommendation
Enable centralized CloudWatch Logs for brokers. For ActiveMQ, turn on both general and audit logs; for RabbitMQ, enable general logs.
Apply least privilege to log access, set retention, and create alerts for anomalous events to strengthen defense in depth.
Remediation
aws mq update-broker --broker-id <example_resource_id> --logs Audit=true,General=true
- In the AWS Console, go to Amazon MQ > Brokers
- Select <example_resource_name> and choose Edit
- In Log settings:
  - For ActiveMQ: enable General logs and Audit logs
  - For RabbitMQ: enable General logs only
- Save changes and reboot if prompted
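The per-engine rule above, applied to DescribeBroker output, as an added example that is not Prowler's own check code: it reports which required log types are missing on each broker and builds the engine-specific value for the update-broker Logs parameter (Audit only for ActiveMQ). The broker records are constructed placeholders, not real resources.

```python
# Added example (not Prowler's or AWS's code): apply the logging rule to
# DescribeBroker-shaped records and derive the per-engine remediation value.

REQUIRED_LOGS = {
    "ACTIVEMQ": ("General", "Audit"),  # ActiveMQ needs both general and audit
    "RABBITMQ": ("General",),          # RabbitMQ supports general logs only
}


def missing_logs(broker: dict) -> list[str]:
    """Return the required log types that are not enabled on this broker.

    `broker` follows the DescribeBroker response shape: EngineType is
    "ACTIVEMQ" or "RABBITMQ", Logs is the LogsSummary dict with boolean
    General/Audit fields. Logs may be absent if logging was never set up.
    """
    engine = broker.get("EngineType", "").upper()
    if engine not in REQUIRED_LOGS:
        raise ValueError(f"unknown engine type: {engine!r}")
    logs = broker.get("Logs") or {}
    return [name for name in REQUIRED_LOGS[engine] if not logs.get(name)]


def is_compliant(broker: dict) -> bool:
    return not missing_logs(broker)


def remediation_logs(engine_type: str) -> dict:
    """Value for the update-broker Logs parameter that satisfies the rule.
    Audit is only included for ActiveMQ; RabbitMQ takes General only."""
    return {name: True for name in REQUIRED_LOGS[engine_type.upper()]}


def audit(brokers: list[dict]) -> dict[str, list[str]]:
    """Map BrokerId -> missing log types for every non-compliant broker."""
    return {b["BrokerId"]: m for b in brokers if (m := missing_logs(b))}


# Constructed sample DescribeBroker responses (ids are placeholders)
SAMPLE_BROKERS = [
    {"BrokerId": "b-activemq-ok", "EngineType": "ACTIVEMQ",
     "Logs": {"General": True, "Audit": True}},
    {"BrokerId": "b-activemq-no-audit", "EngineType": "ACTIVEMQ",
     "Logs": {"General": True, "Audit": False}},
    {"BrokerId": "b-rabbit-ok", "EngineType": "RABBITMQ",
     "Logs": {"General": True}},
    {"BrokerId": "b-rabbit-unconfigured", "EngineType": "RABBITMQ"},
]

if __name__ == "__main__":
    for broker_id, missing in audit(SAMPLE_BROKERS).items():
        print(f"{broker_id}: missing {', '.join(missing)}")
```

To run this against a real account, feed it the `BrokerId`, `EngineType` and `Logs` fields from each `describe-broker` call in place of SAMPLE_BROKERS.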
Resource Type
AwsAmazonMQBroker
References
- https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-2
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/MQ/log-exports.html
- https://docs.aws.amazon.com/cli/latest/reference/mq/create-broker.html
- https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html