MQ brokers should restrict public access

An Amazon MQ broker with a public IP is a message broker on the open internet. ActiveMQ and RabbitMQ weren't designed with that exposure in mind, and credentials travel in the connection handshake. Even with TLS and strong passwords, a public endpoint draws brute-force attempts and credential stuffing, and any protocol-level CVE gets a much larger blast radius.

Keep brokers in private subnets and route access through VPC peering, VPN, or PrivateLink. If clients need to reach the broker from outside the VPC, that's what transit infrastructure is for.

Retrofit consideration

Changing publicly_accessible from true to false is an in-place update on aws_mq_broker, but Amazon MQ will cycle the broker during the change. Clients using the public endpoint need to be migrated to private connectivity paths before you run terraform apply, not after.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_mq_broker.

resource "aws_mq_broker" "this" {
  auto_minor_version_upgrade = true
  broker_name                = "pofix-abc123"
  engine_type                = "ActiveMQ"
  engine_version             = "5.18"
  host_instance_type         = "mq.t3.micro"

  logs {
    audit   = true
    general = true
  }

  # Private subnet and a security group whose ingress is scoped to known sources;
  # publicly_accessible = false does not by itself fix a permissive group.
  security_groups = ["sg-12345678"]
  subnet_ids      = ["subnet-12345678"]

  user {
    # Placeholder only: supply the real password from a variable or secrets manager,
    # never a literal in version control.
    password = "ChangeMe123!"
    username = "admin"
  }

  # The attribute this control evaluates. false is also the provider default.
  publicly_accessible = false
}

What this control checks

This control evaluates the aws_mq_broker resource and checks that publicly_accessible is set to false. Since the default is false, the control also passes when the argument is omitted entirely. It fails when publicly_accessible = true. Placing brokers in private subnets via subnet_ids and restricting security_groups ingress to known CIDRs or source security groups rather than 0.0.0.0/0 provides additional defense in depth beyond what this attribute alone enforces.
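The evaluation rule above, and the security group caveat from the pitfalls list, as a plan-time check. This is an added example, not Compliance.tf's or any scanner's own code. It walks the resource_changes of `terraform show -json <plan>` output: an aws_mq_broker passes when publicly_accessible is false or omitted and fails when it is true, and any aws_security_group whose ingress admits 0.0.0.0/0 on the broker ports named on this page (61617, 8162) is flagged as well. The plan JSON is a constructed sample trimmed to the fields the check reads.

```python
"""Plan-time evaluation of the MQ public-access control (added example)."""
import json
from typing import Dict, List

# Broker ports named on the page; extend for other listeners you expose.
BROKER_PORTS = {61617, 8162}
ANY_IPV4 = "0.0.0.0/0"

# Constructed sample of `terraform show -json tfplan` output, not real plan data.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_mq_broker.public", "type": "aws_mq_broker",
         "change": {"actions": ["create"],
                    "after": {"publicly_accessible": True, "security_groups": ["sg-open"]}}},
        {"address": "aws_mq_broker.omitted", "type": "aws_mq_broker",
         "change": {"actions": ["create"],
                    "after": {"security_groups": ["sg-scoped"]}}},   # attribute omitted
        {"address": "aws_mq_broker.explicit", "type": "aws_mq_broker",
         "change": {"actions": ["update"],
                    "after": {"publicly_accessible": False, "security_groups": ["sg-scoped"]}}},
        {"address": "aws_security_group.open", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 61617, "to_port": 61617, "protocol": "tcp", "cidr_blocks": [ANY_IPV4]}]}}},
        {"address": "aws_security_group.scoped", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 61617, "to_port": 61617, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
             {"from_port": 8162, "to_port": 8162, "protocol": "tcp", "cidr_blocks": ["10.1.0.0/16"]}]}}},
    ]
})


def check_broker(resource: Dict) -> List[str]:
    """Findings for one aws_mq_broker change: only an explicit true fails."""
    after = resource.get("change", {}).get("after") or {}
    # Deleted resources have no 'after' state and nothing to evaluate.
    if not after:
        return []
    # Omitted attribute -> provider default false -> compliant.
    if after.get("publicly_accessible") is True:
        return [f"{resource['address']}: publicly_accessible = true"]
    return []


def check_security_group(resource: Dict) -> List[str]:
    """Flag ingress rules admitting 0.0.0.0/0 on any broker port."""
    after = resource.get("change", {}).get("after") or {}
    findings = []
    for rule in after.get("ingress") or []:
        if ANY_IPV4 not in (rule.get("cidr_blocks") or []):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        # from_port = to_port = 0 (protocol -1) means every port.
        if (lo, hi) == (0, 0):
            hit = sorted(BROKER_PORTS)
        else:
            hit = sorted(p for p in BROKER_PORTS if lo <= p <= hi)
        if hit:
            findings.append(f"{resource['address']}: ingress from {ANY_IPV4} on {hit}")
    return findings


CHECKS = {"aws_mq_broker": check_broker, "aws_security_group": check_security_group}


def evaluate_plan(plan_json: str) -> List[str]:
    """Run every registered check over the plan's resource_changes."""
    plan = json.loads(plan_json)
    findings: List[str] = []
    for rc in plan.get("resource_changes", []):
        check = CHECKS.get(rc.get("type"))
        if check:
            findings.extend(check(rc))
    return findings


if __name__ == "__main__":
    import sys
    for line in evaluate_plan(SAMPLE_PLAN):
        print("FAIL", line)
    sys.exit(1 if evaluate_plan(SAMPLE_PLAN) else 0)
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `evaluate_plan(open("plan.json").read())`. Security groups are evaluated on their own rather than joined to the broker's security_groups list, because a group created in the same plan has no id until apply.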

Common pitfalls

  • Broker update impact when toggling public access

    Toggling publicly_accessible from true to false is an in-place update rather than a replace, but Amazon MQ will cycle the broker during the change. Clients pointing at the public endpoint will lose connectivity. Migrate them to private network paths before applying the change, not as a follow-up.

  • Single-instance broker subnet requirements

    A SINGLE_INSTANCE deployment requires exactly one subnet_ids entry. Put the broker in a public subnet with a default route to an internet gateway, and inbound traffic can still reach it through the security group even with publicly_accessible = false. Subnet placement is not cosmetic here.

  • Security group still allows 0.0.0.0/0

    publicly_accessible = false removes the public IP; it doesn't fix a permissive security group. Ingress on port 61617 from 0.0.0.0/0 sits dormant until a network topology change makes it reachable. Review the security_groups references and scope ingress to known sources.

  • ActiveMQ web console exposure

    ActiveMQ exposes a web console on port 8162. If a load balancer or reverse proxy forwards traffic to that port from the internet, the console is reachable regardless of what publicly_accessible is set to. Verify no aws_lb_target_group or proxy configuration routes external traffic to the broker console endpoint.

Audit evidence

Auditors expect AWS Config rule evaluation results showing all AWS::AmazonMQ::Broker resources as compliant, with PubliclyAccessible confirmed as false. Supporting evidence includes console screenshots of each broker's networking configuration showing no public IP assignment, and aws mq describe-broker --broker-id <id> CLI output with "PubliclyAccessible": false. CloudTrail CreateBroker and UpdateBroker events showing no broker was provisioned or modified with public access enabled round out the picture. VPC flow logs showing broker ENI traffic sourced only from private IP ranges add further confirmation.
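Two of the evidence sources above reduced to checkable form, as an added example rather than the page's own tooling: the `aws mq describe-broker` output becomes one evidence row asserting PubliclyAccessible is false, and CloudTrail records are scanned for CreateBroker/UpdateBroker calls whose requestParameters carry publiclyAccessible set to true. Both inputs are constructed samples shaped like the real API and CloudTrail payloads; the requestParameters field name is assumed to mirror the Amazon MQ API request body.

```python
"""Audit-evidence helpers for the MQ public-access control (added example)."""
import json
from typing import Dict, List

# Constructed sample of `aws mq describe-broker --broker-id <id>` output.
DESCRIBE_BROKER_OUTPUT = json.dumps({
    "BrokerId": "b-EXAMPLE-0000",
    "BrokerName": "pofix-abc123",
    "BrokerState": "RUNNING",
    "PubliclyAccessible": False,
    "SubnetIds": ["subnet-12345678"],
    "SecurityGroups": ["sg-12345678"],
})

# Constructed CloudTrail export: one compliant create, one create with public
# access, and an unrelated event from another service.
CLOUDTRAIL_RECORDS = json.dumps({"Records": [
    {"eventID": "evt-1", "eventSource": "mq.amazonaws.com", "eventName": "CreateBroker",
     "requestParameters": {"brokerName": "pofix-abc123", "publiclyAccessible": False}},
    {"eventID": "evt-2", "eventSource": "mq.amazonaws.com", "eventName": "CreateBroker",
     "requestParameters": {"brokerName": "legacy-public", "publiclyAccessible": True}},
    {"eventID": "evt-3", "eventSource": "mq.amazonaws.com", "eventName": "UpdateBroker",
     "requestParameters": {"brokerId": "b-EXAMPLE-0000", "autoMinorVersionUpgrade": True}},
    {"eventID": "evt-4", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {}},
]})


def broker_evidence(describe_output: str) -> Dict:
    """One evidence row per broker; compliant only when the flag is literally false."""
    b = json.loads(describe_output)
    public = b.get("PubliclyAccessible")
    return {
        "BrokerId": b["BrokerId"],
        "BrokerName": b.get("BrokerName"),
        "PubliclyAccessible": public,
        "compliant": public is False,
    }


def public_access_events(records_json: str) -> List[str]:
    """Event IDs of MQ create/update calls that requested public access."""
    hits: List[str] = []
    for rec in json.loads(records_json).get("Records", []):
        if rec.get("eventSource") != "mq.amazonaws.com":
            continue
        if rec.get("eventName") not in ("CreateBroker", "UpdateBroker"):
            continue
        params = rec.get("requestParameters") or {}
        if params.get("publiclyAccessible") is True:
            hits.append(rec["eventID"])
    return hits


if __name__ == "__main__":
    print(broker_evidence(DESCRIBE_BROKER_OUTPUT))
    print("public-access events:", public_access_events(CLOUDTRAIL_RECORDS))
```

Feed real data with `aws mq describe-broker --broker-id <id> --output json` and a CloudTrail Lake or S3 export; a non-empty result from public_access_events is the set of events an auditor will ask you to explain.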

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: mq_broker_restrict_public_access

  • AWS Config Managed Rule: MQ_NO_PUBLIC_ACCESS

  • Checkov Check: CKV_AWS_69

  • Powerpipe Control: aws_compliance.control.mq_broker_restrict_public_access

  • Prowler Check: mq_broker_not_publicly_accessible

  • KICS Query: 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb

  • Trivy Check: AWS-0072

Last reviewed: 2026-03-09