Ensure MQ Broker is not publicly exposed
Default Severity: high
Explanation
Public access to the MQ broker should be disabled, and network routes to the broker should be allowed only from the applications that require access.
Possible Impact
A publicly accessible MQ broker is reachable from outside the VPC and may be vulnerable to compromise.
Suggested Resolution
Disable public access when it is not required (set publicly_accessible to false, which is also the provider default).
Insecure Example
The following example will fail the aws-mq-no-public-access check.
    resource "aws_mq_broker" "bad_example" {
      broker_name = "example"
      configuration {
        id       = aws_mq_configuration.test.id
        revision = aws_mq_configuration.test.latest_revision
      }
      engine_type        = "ActiveMQ"
      engine_version     = "5.15.0"
      host_instance_type = "mq.t2.micro"
      security_groups    = [aws_security_group.test.id]
      user {
        username = "ExampleUser"
        password = "MindTheGap"
      }
      publicly_accessible = true
    }
Secure Example
The following example will pass the aws-mq-no-public-access check.
    resource "aws_mq_broker" "good_example" {
      broker_name = "example"
      configuration {
        id       = aws_mq_configuration.test.id
        revision = aws_mq_configuration.test.latest_revision
      }
      engine_type        = "ActiveMQ"
      engine_version     = "5.15.0"
      host_instance_type = "mq.t2.micro"
      security_groups    = [aws_security_group.test.id]
      user {
        username = "ExampleUser"
        password = "MindTheGap"
      }
      publicly_accessible = false
    }
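The same check can be run against a Terraform plan before it is applied, which is useful as a CI gate or for auditing an existing code base. The script below is an added example and is not tfsec's own implementation: it walks the JSON produced by `terraform show -json tfplan` (the `planned_values` tree, including nested `child_modules`) and reports every `aws_mq_broker` whose `publicly_accessible` attribute is true. The plan document embedded in the script is constructed for the example and mirrors the two resources above plus a module-nested broker that leaves the attribute unset; the function names are the author's, not part of any tool.

```python
import json
import sys
from typing import Iterator

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields the check needs. The two root resources mirror the page's examples;
# the module-nested broker omits publicly_accessible entirely.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_mq_broker.bad_example", "mode": "managed",
                 "type": "aws_mq_broker", "name": "bad_example",
                 "values": {"broker_name": "example",
                            "engine_type": "ActiveMQ",
                            "publicly_accessible": True}},
                {"address": "aws_mq_broker.good_example", "mode": "managed",
                 "type": "aws_mq_broker", "name": "good_example",
                 "values": {"broker_name": "example",
                            "engine_type": "ActiveMQ",
                            "publicly_accessible": False}},
            ],
            "child_modules": [
                {"address": "module.queue",
                 "resources": [
                     {"address": "module.queue.aws_mq_broker.default",
                      "mode": "managed", "type": "aws_mq_broker",
                      "name": "default",
                      "values": {"broker_name": "queue",
                                 "engine_type": "ActiveMQ"}},
                 ]},
            ],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_mq_brokers(plan_json: str) -> list[str]:
    """Return the addresses of aws_mq_broker resources planned with publicly_accessible = true.

    An attribute missing from "values" is either the provider default (false)
    or a value unknown until apply (Terraform lists those under after_unknown
    in resource_changes); both are treated as not public here, so a broker
    whose flag is computed from a variable still deserves a manual look.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    offenders = []
    for res in iter_resources(root):
        if res.get("mode") != "managed" or res.get("type") != "aws_mq_broker":
            continue
        if res.get("values", {}).get("publicly_accessible") is True:
            offenders.append(res["address"])
    return offenders


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python mq_public_check.py
    # With no piped input the constructed sample plan is checked instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    public = find_public_mq_brokers(source)
    for address in public:
        print(f"FAIL aws-mq-no-public-access: {address} has publicly_accessible = true")
    sys.exit(1 if public else 0)
```

Running it against the sample exits non-zero and names only `aws_mq_broker.bad_example`; the good example and the module-nested broker (which inherits the provider default of false) pass.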