More Info:

This rule checks the deployment mode configured for Amazon MQ ActiveMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used.

Risk Level

Low

Address

Configuration

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of “MQ Active Has Deployment Mode” for AWS Security Groups using the AWS console, you can follow these steps:
  1. Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
  2. Navigate to the Amazon MQ Service: Click on the “Services” dropdown menu at the top of the page and select “Amazon MQ” under the “Application Integration” section.
  3. Select the Amazon MQ Broker: In the Amazon MQ dashboard, select the Amazon MQ broker that has the misconfigured security group.
  4. Update Security Group: Click on the “Configuration” tab in the Amazon MQ console and scroll down to the “Network & security” section.
  5. Edit Security Groups: Under the “Network & security” section, you will see the “Security groups” field. Click on the “Edit” button next to it.
  6. Modify Security Group: In the “Edit security groups” window, you can add or remove security groups that are associated with the Amazon MQ broker. Make sure to add the appropriate security group that allows the necessary traffic for the MQ deployment mode.
  7. Save Changes: After adding the correct security group, click on the “Save” button to apply the changes.
  8. Verify Configuration: Once you have updated the security group, verify that the misconfiguration has been remediated by checking the deployment mode of the Amazon MQ broker.
By following these steps, you should be able to remediate the misconfiguration of “MQ Active Has Deployment Mode” for AWS Security Groups using the AWS console.

To remediate the misconfiguration of “MQ Active Has Deployment Mode” for AWS Security Groups using AWS CLI, you can follow these steps:
  1. Identify the Security Group: First, you need to identify the Security Group associated with the MQ (Message Queue) service that has the misconfiguration.
  2. Check the Rules: Use the AWS CLI command to describe the inbound and outbound rules of the identified Security Group to understand the current configuration. You can use the following command: 
    aws ec2 describe-security-groups --group-ids YOUR_SECURITY_GROUP_ID
  3. Update Security Group Rules: To remediate the misconfiguration, you will need to update the Security Group rules to ensure that only the necessary ports and protocols are open. You can use the following AWS CLI command to modify the inbound and outbound rules of the Security Group: 
    aws ec2 authorize-security-group-ingress --group-id YOUR_SECURITY_GROUP_ID --protocol tcp --port YOUR_PORT_NUMBER --cidr YOUR_CIDR_BLOCK
    Replace YOUR_PORT_NUMBER with the specific port number that needs to be opened and YOUR_CIDR_BLOCK with the IP range that should have access to the port.
  4. Remove Unnecessary Rules: Remove any existing rules that are not required for the MQ service. You can use the following AWS CLI command to revoke a specific ingress rule from the Security Group: 
    aws ec2 revoke-security-group-ingress --group-id YOUR_SECURITY_GROUP_ID --protocol tcp --port YOUR_PORT_NUMBER --cidr YOUR_CIDR_BLOCK
    Replace YOUR_PORT_NUMBER and YOUR_CIDR_BLOCK with the details of the rule you want to remove.
  5. Verify Changes: After making the necessary changes, verify the Security Group rules again to ensure that the misconfiguration has been remediated successfully. Use the describe-security-groups command as mentioned in step 2.
By following these steps and using the AWS CLI commands provided, you can remediate the misconfiguration of “MQ Active Has Deployment Mode” for AWS Security Groups.
To remediate the misconfiguration of “MQ Active Has Deployment Mode” in AWS Security Groups using Python, you can use the AWS SDK for Python (Boto3) to update the security group rules. Here are the step-by-step instructions to remediate this issue:Step 1: Install Boto3 Ensure you have the Boto3 library installed. You can install it using pip:
pip install boto3
Step 2: Write a Python script to update the security group rule Create a Python script with the following code to update the security group rule:
import boto3

# Initialize the Boto3 client for EC2
ec2_client = boto3.client('ec2')

# Specify the security group ID and the rule details to update
security_group_id = 'YOUR_SECURITY_GROUP_ID'
ip_permissions = [
    {
        'IpProtocol': 'tcp',
        'FromPort': 8161,
        'ToPort': 8161,
        'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
    }
]

# Update the security group rule
response = ec2_client.authorize_security_group_ingress(
    GroupId=security_group_id,
    IpPermissions=ip_permissions
)

print('Security group rule updated successfully.')
Replace ‘YOUR_SECURITY_GROUP_ID’ with the actual ID of the security group that needs to be updated.Step 3: Run the Python script Save the Python script and run it using the Python interpreter. Make sure you have the necessary permissions to update the security group rules.After running the script, the security group rule allowing traffic on port 8161 will be updated to restrict access to a specific IP range or source.Note: Ensure to review and test the script in a non-production environment before applying it to production to avoid any unintended consequences.