Skip to content

no-public-access

Explanation

Public access of the MQ broker should be disabled and only allow routes to applications that require access.

Possible Impact

Publicly accessible MQ Broker may be vulnerable to compromise

Suggested Resolution

Disable public access when not required

Insecure Example

The following example will fail the aws-mq-no-public-access check.

resource "aws_mq_broker" "bad_example" {
  broker_name = "example"

  configuration {
    id       = aws_mq_configuration.test.id
    revision = aws_mq_configuration.test.latest_revision
  }

  engine_type        = "ActiveMQ"
  engine_version     = "5.15.0"
  host_instance_type = "mq.t2.micro"
  security_groups    = [aws_security_group.test.id]

  user {
    username = "ExampleUser"
    password = "MindTheGap"
  }
  publicly_accessible = true
}

Secure Example

The following example will pass the aws-mq-no-public-access check.

resource "aws_mq_broker" "good_example" {
  broker_name = "example"

  configuration {
    id       = aws_mq_configuration.test.id
    revision = aws_mq_configuration.test.latest_revision
  }

  engine_type        = "ActiveMQ"
  engine_version     = "5.15.0"
  host_instance_type = "mq.t2.micro"
  security_groups    = [aws_security_group.test.id]

  user {
    username = "ExampleUser"
    password = "MindTheGap"
  }
  publicly_accessible = false
}