no-public-access
Default Severity: high
Explanation
Public access of the MQ broker should be disabled and only allow routes to applications that require access.
Possible Impact
Publicly accessible MQ Broker may be vulnerable to compromise
Suggested Resolution
Disable public access when not required
Insecure Example
The following example will fail the aws-mq-no-public-access check.
resource "aws_mq_broker" "bad_example" {
broker_name = "example"
configuration {
id = aws_mq_configuration.test.id
revision = aws_mq_configuration.test.latest_revision
}
engine_type = "ActiveMQ"
engine_version = "5.15.0"
host_instance_type = "mq.t2.micro"
security_groups = [aws_security_group.test.id]
user {
username = "ExampleUser"
password = "MindTheGap"
}
publicly_accessible = true
}
Secure Example
The following example will pass the aws-mq-no-public-access check.
resource "aws_mq_broker" "good_example" {
broker_name = "example"
configuration {
id = aws_mq_configuration.test.id
revision = aws_mq_configuration.test.latest_revision
}
engine_type = "ActiveMQ"
engine_version = "5.15.0"
host_instance_type = "mq.t2.micro"
security_groups = [aws_security_group.test.id]
user {
username = "ExampleUser"
password = "MindTheGap"
}
publicly_accessible = false
}