MQ Active Has Deployment Mode.
More Info:
This rule checks the deployment mode configured for Amazon MQ ActiveMQ broker engine. The rule is NON_COMPLIANT if the default single-instance broker mode is being used.Risk Level
LowAddress
ConfigurationCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of “MQ Active Has Deployment Mode” for AWS Security Groups using the AWS console, you can follow these steps:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to the Amazon MQ Service: Click on the “Services” dropdown menu at the top of the page and select “Amazon MQ” under the “Application Integration” section.
- Select the Amazon MQ Broker: In the Amazon MQ dashboard, select the Amazon MQ broker that has the misconfigured security group.
- Update Security Group: Click on the “Configuration” tab in the Amazon MQ console and scroll down to the “Network & security” section.
- Edit Security Groups: Under the “Network & security” section, you will see the “Security groups” field. Click on the “Edit” button next to it.
- Modify Security Group: In the “Edit security groups” window, you can add or remove security groups that are associated with the Amazon MQ broker. Make sure to add the appropriate security group that allows the necessary traffic for the MQ deployment mode.
- Save Changes: After adding the correct security group, click on the “Save” button to apply the changes.
- Verify Configuration: Once you have updated the security group, verify that the misconfiguration has been remediated by checking the deployment mode of the Amazon MQ broker.
Using CLI
Using CLI
To remediate the misconfiguration of “MQ Active Has Deployment Mode” for AWS Security Groups using AWS CLI, you can follow these steps:
- Identify the Security Group: First, you need to identify the Security Group associated with the MQ (Message Queue) service that has the misconfiguration.
-
Check the Rules: Use the AWS CLI command to describe the inbound and outbound rules of the identified Security Group to understand the current configuration. You can use the following command:
-
Update Security Group Rules: To remediate the misconfiguration, you will need to update the Security Group rules to ensure that only the necessary ports and protocols are open. You can use the following AWS CLI command to modify the inbound and outbound rules of the Security Group:
Replace
YOUR_PORT_NUMBERwith the specific port number that needs to be opened andYOUR_CIDR_BLOCKwith the IP range that should have access to the port. -
Remove Unnecessary Rules: Remove any existing rules that are not required for the MQ service. You can use the following AWS CLI command to revoke a specific ingress rule from the Security Group:
Replace
YOUR_PORT_NUMBERandYOUR_CIDR_BLOCKwith the details of the rule you want to remove. -
Verify Changes: After making the necessary changes, verify the Security Group rules again to ensure that the misconfiguration has been remediated successfully. Use the
describe-security-groupscommand as mentioned in step 2.
Using Python
Using Python
To remediate the misconfiguration of “MQ Active Has Deployment Mode” in AWS Security Groups using Python, you can use the AWS SDK for Python (Boto3) to update the security group rules. Here are the step-by-step instructions to remediate this issue:Step 1: Install Boto3
Ensure you have the Boto3 library installed. You can install it using pip:Step 2: Write a Python script to update the security group rule
Create a Python script with the following code to update the security group rule:Replace ‘YOUR_SECURITY_GROUP_ID’ with the actual ID of the security group that needs to be updated.Step 3: Run the Python script
Save the Python script and run it using the Python interpreter. Make sure you have the necessary permissions to update the security group rules.After running the script, the security group rule allowing traffic on port 8161 will be updated to restrict access to a specific IP range or source.Note: Ensure to review and test the script in a non-production environment before applying it to production to avoid any unintended consequences.