MQ brokers should have automatic minor version upgrade enabled

Minor version upgrades for Amazon MQ (ActiveMQ and RabbitMQ) contain security patches, bug fixes, and stability improvements. Disabling automatic upgrades means your broker engine stays on older versions indefinitely, accumulating known vulnerabilities that attackers can exploit. Message brokers often sit in the critical path of application communication, making unpatched vulnerabilities especially dangerous.

Manual upgrade processes create drift and delays. Teams forget, backlogs grow, and brokers quietly fall behind. Enabling automatic minor upgrades fixes that: AWS applies them during the configured maintenance window, so the engine stays current without anyone on your team having to track it.

Retrofit consideration

Enabling auto minor version upgrade on an existing broker triggers an upgrade at the next maintenance window, which causes a brief broker restart. Single-instance brokers experience downtime during the restart; active/standby deployments handle it with failover.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_mq_broker.

resource "aws_mq_broker" "this" {
  broker_name        = "pofix-abc123"
  engine_type        = "ActiveMQ"
  engine_version     = "5.18"
  host_instance_type = "mq.t3.micro"

  logs {
    audit   = true
    general = true
  }

  security_groups = ["sg-12345678"]
  subnet_ids      = ["subnet-12345678"]

  user {
    # Placeholder only; supply the real password from a variable or secrets store.
    password = "ChangeMe123!"
    username = "admin"
  }

  # The control requires this argument to be declared and set to true.
  auto_minor_version_upgrade = true
}

What this control checks

The aws_mq_broker resource must set auto_minor_version_upgrade = true explicitly. Omitting the argument relies on the provider default, which is not guaranteed to be compliant, so always declare it. Both ActiveMQ and RabbitMQ engine types support the argument. A broker fails the control when the setting is false or not configured at all.

Common pitfalls

  • Terraform defaults to false

    Omitting auto_minor_version_upgrade on aws_mq_broker is not safe for compliance. The AWS console may pre-select enabled in some creation flows, but Terraform won't inherit that. Declare it explicitly as true in every broker resource to prevent drift and control failures.

  • Maintenance window timing matters

    Auto minor version upgrades apply during the broker's maintenance window. Without maintenance_window_start_time configured, AWS picks a random 2-hour window. For production brokers, set an explicit maintenance window so restarts happen when you expect them.

  • Single-instance broker downtime during upgrade

    Single-instance brokers (deployment_mode = "SINGLE_INSTANCE") go down briefly during minor version upgrades. Get this wrong on a production broker and you're looking at unplanned downtime. If that's a concern, migrate to ACTIVE_STANDBY_MULTI_AZ before enabling auto upgrades.

Audit evidence

AWS Config rule evaluations showing all AWS::AmazonMQ::Broker resources as COMPLIANT confirm AutoMinorVersionUpgrade is true for each broker. The Amazon MQ console shows the setting on each broker's detail page and works as screenshot evidence.

CloudTrail logs for mq:CreateBroker and mq:UpdateBroker show the autoMinorVersionUpgrade parameter at creation or modification time. Output from aws mq describe-broker gives a point-in-time snapshot of each broker's configuration for compliance reports.
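As an added example (not part of this control page or any of the tools it maps to), the following Python applies the control's pass/fail rule to constructed aws mq describe-broker output: a false or absent AutoMinorVersionUpgrade fails, and the single-instance and missing-maintenance-window pitfalls are surfaced as notes. The DeploymentMode and MaintenanceWindowStartTime key names are assumed from the DescribeBroker API response; the broker values are made up.

```python
import json

# Constructed sample: three brokers shaped like `aws mq describe-broker` output.
SAMPLE_BROKERS = [
    {"BrokerId": "b-0001", "BrokerName": "orders-activemq", "EngineType": "ACTIVEMQ",
     "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ", "AutoMinorVersionUpgrade": True,
     "MaintenanceWindowStartTime": {"DayOfWeek": "SUNDAY", "TimeOfDay": "02:00",
                                    "TimeZone": "UTC"}},
    {"BrokerId": "b-0002", "BrokerName": "billing-rabbitmq", "EngineType": "RABBITMQ",
     "DeploymentMode": "SINGLE_INSTANCE", "AutoMinorVersionUpgrade": False},
    {"BrokerId": "b-0003", "BrokerName": "legacy-activemq", "EngineType": "ACTIVEMQ",
     "DeploymentMode": "SINGLE_INSTANCE"},  # key absent: "not configured" case
]


def evaluate_broker(broker: dict) -> dict:
    """Pass only when AutoMinorVersionUpgrade is explicitly true.

    False and absent both fail, matching the control. The notes do not change
    the verdict; they flag the restart/maintenance-window pitfalls for the operator.
    """
    enabled = broker.get("AutoMinorVersionUpgrade")  # None when the key is absent
    status = "COMPLIANT" if enabled is True else "NON_COMPLIANT"
    notes = []
    if enabled is None:
        notes.append("AutoMinorVersionUpgrade not configured")
    if broker.get("DeploymentMode") == "SINGLE_INSTANCE":
        notes.append("single-instance broker: upgrade restart causes downtime")
    if "MaintenanceWindowStartTime" not in broker:
        notes.append("no explicit maintenance window: AWS picks a random one")
    return {"BrokerId": broker["BrokerId"], "BrokerName": broker["BrokerName"],
            "status": status, "notes": notes}


def evaluate_all(brokers: list) -> list:
    return [evaluate_broker(b) for b in brokers]


def evaluate_json(raw: str) -> dict:
    """Evaluate one describe-broker JSON document captured from the CLI."""
    return evaluate_broker(json.loads(raw))


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_BROKERS):
        print(json.dumps(result))
```

Feed real output by saving aws mq describe-broker --broker-id ... to a file and passing its contents to evaluate_json.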

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: mq_broker_auto_minor_version_upgrade_enabled

  • AWS Config Managed Rules: MQ_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED, MQ_AUTO_MINOR_VERSION_UPGRADE_ENABLED

  • Checkov Check: CKV_AWS_207

  • Powerpipe Control: aws_compliance.control.mq_broker_auto_minor_version_upgrade_enabled

  • Prowler Check: mq_broker_auto_minor_version_upgrades

Last reviewed: 2026-03-09