
MQ brokers should have audit log streaming to CloudWatch enabled

ActiveMQ audit logs capture management actions on the broker: creating, modifying, and deleting queues, topics, and users. Without them flowing to CloudWatch, you have no record of who changed broker configuration or when, which makes incident investigation and detecting unauthorized access significantly harder.

CloudWatch integration lets you build metric filters and alarms on specific audit events. If logs stay only on the broker instance, they disappear when the broker is replaced or scaled. In a managed environment, that's not a hypothetical.

Retrofit consideration

Enabling audit logging on an existing ActiveMQ broker triggers a broker reboot. Single-instance brokers will have a brief outage with no failover. Active/standby deployments handle it transparently. Schedule single-instance changes during a maintenance window.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_mq_broker.

resource "aws_mq_broker" "this" {
  auto_minor_version_upgrade = true
  broker_name                = "pofix-abc123"
  engine_type                = "ActiveMQ"
  engine_version             = "5.18"
  host_instance_type         = "mq.t3.micro"
  security_groups            = ["sg-12345678"]
  subnet_ids                 = ["subnet-12345678"]

  # Placeholder credentials; supply the real password from a secret, not a literal.
  user {
    password = "ChangeMe123!"
    username = "admin"
  }

  # audit = true is what this control checks. It is only valid for ActiveMQ
  # and defaults to false when omitted.
  logs {
    audit   = true
    general = true
  }
}

What this control checks

The control checks aws_mq_broker resources for audit = true in the logs block. Omitting the logs block entirely, or leaving audit at its default of false, both fail. This applies only to engine_type = "ActiveMQ" brokers; RabbitMQ doesn't support the audit argument. The service-linked role AWSServiceRoleForAmazonMQ provides CloudWatch Logs write permissions automatically. Terraform doesn't need to configure this separately.

Common pitfalls

  • RabbitMQ brokers do not support audit logs

    Setting audit = true in the logs block of a RabbitMQ broker causes an API error. The audit argument only exists for ActiveMQ. If you manage a mixed fleet, use conditionals or separate module configurations to avoid applying this setting to the wrong engine type.

  • CloudWatch Logs resource policy size limit

    Log delivery silently fails if you hit the CloudWatch Logs resource policy size limit. AWS caps resource policies at 5,120 characters per region, and Amazon MQ relies on one to write logs. A large fleet sharing the same policy can exhaust that limit without any error surfacing. Consolidate ARN patterns with wildcards to stay under it.

  • Single-instance broker reboot on logging change

    Schedule logging changes on single-instance brokers during a maintenance window. Modifying the logs block on a deployment_mode = "SINGLE_INSTANCE" broker triggers a reboot with no failover. Active/standby deployments handle the same change transparently.

  • Default value is false

    The audit argument defaults to false, so every broker provisioned without an explicit audit = true is non-compliant. Set it explicitly in your module rather than relying on the default. Get this wrong and you won't notice until an auditor or scanner flags the fleet.
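The check described under "What this control checks" and the mixed-fleet and default-value pitfalls above can be expressed as one evaluation over a Terraform plan. The following is an added example, not Compliance.tf's own scanner: it reads the JSON that `terraform show -json` emits, where nested blocks such as `logs` appear as lists under `change.after`, and applies the rule as the page states it (ActiveMQ brokers must set `audit = true`; an omitted block, an omitted `audit` argument, or `audit = false` all fail; RabbitMQ brokers are out of scope). The plan document, broker names and addresses are constructed.

```python
"""Evaluate the mq_broker_audit_log_enabled control against a Terraform plan.

Added example, not Compliance.tf's own scanner. Input is the JSON produced by
`terraform show -json tfplan`; the sample plan below is constructed.
"""
import json

CONTROL_ID = "mq_broker_audit_log_enabled"

# Constructed sample plan. The shape mirrors `terraform show -json` output:
# nested blocks (logs) are rendered as a list of objects under change.after,
# and an omitted block is an empty list. Names and addresses are placeholders.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # compliant: ActiveMQ with audit = true
            "address": "aws_mq_broker.compliant",
            "type": "aws_mq_broker",
            "change": {"actions": ["create"], "after": {
                "broker_name": "example-a", "engine_type": "ActiveMQ",
                "logs": [{"audit": True, "general": True}]}},
        },
        {   # fails: logs block omitted entirely
            "address": "aws_mq_broker.no_logs_block",
            "type": "aws_mq_broker",
            "change": {"actions": ["create"], "after": {
                "broker_name": "example-b", "engine_type": "ActiveMQ",
                "logs": []}},
        },
        {   # fails: logs block present, audit left at its default of false
            "address": "aws_mq_broker.general_only",
            "type": "aws_mq_broker",
            "change": {"actions": ["create"], "after": {
                "broker_name": "example-c", "engine_type": "ActiveMQ",
                "logs": [{"audit": False, "general": True}]}},
        },
        {   # not applicable: RabbitMQ has no audit argument
            "address": "aws_mq_broker.rabbit",
            "type": "aws_mq_broker",
            "change": {"actions": ["create"], "after": {
                "broker_name": "example-d", "engine_type": "RabbitMQ",
                "logs": [{"general": True}]}},
        },
        {   # ignored: not an MQ broker at all
            "address": "aws_sqs_queue.q",
            "type": "aws_sqs_queue",
            "change": {"actions": ["create"], "after": {"name": "q"}},
        },
    ],
})


def evaluate_broker(after: dict) -> str:
    """Return COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for one broker's planned state."""
    if after.get("engine_type") != "ActiveMQ":
        # RabbitMQ (or anything else) does not support the audit argument.
        return "NOT_APPLICABLE"
    logs_blocks = after.get("logs") or []
    # An omitted block, an omitted audit argument (null in plan JSON) and an
    # explicit false all mean no audit stream, so all three fail the control.
    audit = logs_blocks[0].get("audit") if logs_blocks else None
    return "COMPLIANT" if audit is True else "NON_COMPLIANT"


def evaluate_plan(plan_json: str) -> dict:
    """Map every aws_mq_broker address in the plan to its evaluation result."""
    plan = json.loads(plan_json)
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_mq_broker":
            continue
        after = rc.get("change", {}).get("after")
        if after is None:
            # Resource is being destroyed; there is no post-apply state to judge.
            continue
        results[rc["address"]] = evaluate_broker(after)
    return results


def failing_addresses(plan_json: str) -> list:
    """Sorted list of broker addresses that would fail the control after apply."""
    return sorted(addr for addr, status in evaluate_plan(plan_json).items()
                  if status == "NON_COMPLIANT")


if __name__ == "__main__":
    for address, status in evaluate_plan(SAMPLE_PLAN_JSON).items():
        print(f"{CONTROL_ID}: {address}: {status}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `evaluate_plan`. Treating a missing `audit` the same as `false` is deliberate: the provider default is `false`, so a module that forgets the argument is as non-compliant as one that sets it explicitly.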

Audit evidence

Auditors expect Config rule evaluation results showing all ActiveMQ brokers as COMPLIANT, or equivalent output from a policy scanner. Direct evidence is the Amazon MQ console broker details page showing "Audit log" enabled under the Logging section, with a corresponding CloudWatch Logs log group (typically /aws/amazonmq/broker/<broker-id>/audit) actively receiving entries. CloudWatch Logs Insights queries showing recent audit log activity support the record. Config conformance pack reports or Security Hub findings should show passing status with timestamps for continuous compliance coverage.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: mq_broker_audit_log_enabled

  • AWS Config Managed Rules: MQ_CLOUDWATCH_AUDIT_LOGGING_ENABLED, MQ_CLOUDWATCH_AUDIT_LOG_ENABLED

  • Checkov Check: CKV_AWS_197

  • Powerpipe Control: aws_compliance.control.mq_broker_audit_log_enabled

  • Prowler Check: mq_broker_logging_enabled

  • AWS Security Hub Control: MQ.2

  • Trivy Check: AWS-0070

Last reviewed: 2026-03-09