Amazon MQ brokers are evaluated for public accessibility: the check reports whether each broker exposes a public endpoint or is restricted to VPC-only connectivity, based on the broker's PubliclyAccessible setting.
Risk
Publicly reachable brokers expand exposure: internet hosts can probe protocols and consoles, attempt credential spraying, publish/consume messages, and flood connections. This threatens confidentiality (data leakage), integrity (message tampering), and availability (DoS/resource exhaustion).
prowler aws --checks mq_broker_not_publicly_accessible
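The evaluation the check performs, written out as an added example (this is not Prowler's own source code): walk ListBrokers with its NextToken pagination, call DescribeBroker for each broker, and report FAIL for any broker whose PubliclyAccessible flag is true. The FakeMQClient and the three broker descriptions it serves are constructed sample data, not real AWS resources; pass a real boto3 `mq` client to `check_region` to run it against an account.

```python
"""Added example: evaluate Amazon MQ brokers for public accessibility.

Mirrors what the Prowler check mq_broker_not_publicly_accessible evaluates.
The FakeMQClient below stands in for boto3.client("mq") and returns
constructed DescribeBroker/ListBrokers responses so the example runs offline.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    broker_id: str
    broker_name: str
    region: str
    status: str   # "PASS" or "FAIL"
    message: str


def evaluate_broker(broker: dict, region: str) -> Finding:
    """FAIL when DescribeBroker reports PubliclyAccessible=True, else PASS."""
    name = broker.get("BrokerName", "")
    broker_id = broker.get("BrokerId", "")
    if bool(broker.get("PubliclyAccessible", False)):
        return Finding(broker_id, name, region, "FAIL",
                       f"MQ broker {name} has public access enabled.")
    return Finding(broker_id, name, region, "PASS",
                   f"MQ broker {name} does not have public access enabled.")


def list_all_brokers(mq_client) -> list[dict]:
    """Collect BrokerSummaries across every ListBrokers page (NextToken)."""
    summaries: list[dict] = []
    kwargs: dict = {}
    while True:
        page = mq_client.list_brokers(**kwargs)
        summaries.extend(page.get("BrokerSummaries", []))
        token = page.get("NextToken")
        if not token:
            return summaries
        kwargs = {"NextToken": token}


def check_region(mq_client, region: str) -> list[Finding]:
    """Describe every broker in the region and evaluate its public access."""
    findings = []
    for summary in list_all_brokers(mq_client):
        desc = mq_client.describe_broker(BrokerId=summary["BrokerId"])
        findings.append(evaluate_broker(desc, region))
    return findings


class FakeMQClient:
    """Constructed stand-in for boto3.client("mq"): two ListBrokers pages,
    three brokers, one of them publicly accessible (sample data, not real)."""

    _pages = [
        {"BrokerSummaries": [{"BrokerId": "b-1111", "BrokerName": "orders-mq"},
                             {"BrokerId": "b-2222", "BrokerName": "billing-mq"}],
         "NextToken": "page2"},
        {"BrokerSummaries": [{"BrokerId": "b-3333", "BrokerName": "audit-mq"}]},
    ]
    _brokers = {
        "b-1111": {"BrokerId": "b-1111", "BrokerName": "orders-mq",
                   "EngineType": "ACTIVEMQ", "PubliclyAccessible": True},
        "b-2222": {"BrokerId": "b-2222", "BrokerName": "billing-mq",
                   "EngineType": "RABBITMQ", "PubliclyAccessible": False},
        "b-3333": {"BrokerId": "b-3333", "BrokerName": "audit-mq",
                   "EngineType": "ACTIVEMQ"},  # flag absent -> treated as private
    }

    def list_brokers(self, NextToken=None, **_):
        return self._pages[1] if NextToken == "page2" else self._pages[0]

    def describe_broker(self, BrokerId):
        return dict(self._brokers[BrokerId])


def failing_broker_names(findings: list[Finding]) -> list[str]:
    """Names of brokers the check flagged, for a quick summary."""
    return [f.broker_name for f in findings if f.status == "FAIL"]


if __name__ == "__main__":
    for f in check_region(FakeMQClient(), "us-east-1"):
        print(f.status, f.broker_id, f.message)
```

`evaluate_broker` treats a missing PubliclyAccessible key as private, which matches the API's boolean default; if you would rather surface incomplete responses as a separate status, branch on `"PubliclyAccessible" not in broker` before the boolean test.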
Recommendation
Prefer private deployment: create brokers with PubliclyAccessible=false (this setting cannot be changed after the broker is created), place them in private subnets, and restrict their security groups to trusted producers and consumers. Reach them over private connectivity (VPC endpoints, peering, VPN or Direct Connect). Enforce strong authentication and authorization maps, open only the protocol ports clients actually need, and apply least privilege throughout.
Remediation
- Open the AWS Console and go to Amazon MQ
- Create a new broker with the same engine, deployment mode and networking as the existing one, and set Public accessibility to Disabled/No (it cannot be changed on an existing broker)
- Point your clients to the new broker's private endpoints
- Delete the old publicly accessible broker
Source Code
Resource Type
AwsAmazonMQBroker