MQ brokers should not be publicly accessible.

mq_broker_not_publicly_accessible

Severity: medium
Service: mq
by Prowler

Brokers created without public accessibility can't be accessed from outside of your VPC. This greatly reduces your broker's susceptibility to Distributed Denial of Service (DDoS) attacks from the public internet.

Risk

Public Amazon MQ brokers can be accessed directly from outside a Virtual Private Cloud (VPC), so every machine on the Internet can reach your brokers through their public endpoints. This increases the opportunity for malicious activity such as cross-site scripting (XSS) and clickjacking attacks.
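The evaluation this check performs, written out as an added example (not Prowler's own check code): each broker record is shaped like the fields of the Amazon MQ DescribeBroker API response, the sample brokers, region and account id are constructed, and the ARN is built from the template given on this page.

```python
"""Evaluate Amazon MQ brokers for public accessibility, Prowler-style.

Added example, not Prowler's own implementation. Input records carry the
relevant DescribeBroker fields; SAMPLE_BROKERS below is constructed data.
"""
from dataclasses import dataclass

CHECK_ID = "mq_broker_not_publicly_accessible"


@dataclass
class Finding:
    check_id: str
    resource_arn: str
    status: str          # "PASS" or "FAIL"
    status_extended: str


def broker_arn(region: str, account_id: str, broker_id: str) -> str:
    # ARN template from the check page: arn:aws:mq:region:account-id:broker:broker-id
    return f"arn:aws:mq:{region}:{account_id}:broker:{broker_id}"


def evaluate_broker(broker: dict, region: str, account_id: str) -> Finding:
    """PASS only when the broker is reachable solely from inside its VPC."""
    name = broker.get("BrokerName", "<unnamed>")
    arn = broker.get("BrokerArn") or broker_arn(region, account_id, broker["BrokerId"])
    # Assumption: a record missing PubliclyAccessible is reported as FAIL
    # (fail closed) so an incomplete inventory never hides a public broker.
    public = broker.get("PubliclyAccessible", True)
    if public:
        return Finding(CHECK_ID, arn, "FAIL", f"MQ broker {name} is publicly accessible.")
    return Finding(CHECK_ID, arn, "PASS", f"MQ broker {name} is not publicly accessible.")


def run_check(brokers, region: str, account_id: str):
    """Return one Finding per broker, in input order."""
    return [evaluate_broker(b, region, account_id) for b in brokers]


# Constructed sample broker records (not real brokers).
SAMPLE_BROKERS = [
    {"BrokerId": "b-1111", "BrokerName": "orders-internal", "PubliclyAccessible": False},
    {"BrokerId": "b-2222", "BrokerName": "legacy-public", "PubliclyAccessible": True},
    {"BrokerId": "b-3333", "BrokerName": "unknown-state"},  # attribute absent
]

if __name__ == "__main__":
    for f in run_check(SAMPLE_BROKERS, "us-east-1", "123456789012"):
        print(f.status, f.resource_arn, f.status_extended)
```

A FAIL here cannot be fixed in place: a broker's public accessibility is fixed at creation time, so remediation means recreating the broker without public accessibility and moving clients to its VPC endpoints.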

Run this check with Prowler CLI

prowler aws --checks mq_broker_not_publicly_accessible

ARN template

arn:aws:mq:region:account-id:broker:broker-id

Remediation

Other

https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/publicly-accessible.html#

WUI

Ensure that the Amazon MQ brokers provisioned in your AWS account are not publicly accessible from the Internet in order to avoid exposing sensitive data and minimize security risks.

Resource Type

AwsAmazonMQBroker