AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
MQ Has Automatic Minor Version Upgrades.
More Info:
This rule checks if automatic minor version upgrades are enabled for Amazon MQ brokers. The rule is NON_COMPLIANT if the ‘AutoMinorVersionUpgrade’ field is not enabled for an Amazon MQ broker.
Risk Level
Low
Address
Configuration
Compliance Standards
CBP,SEBI
Triage and Remediation
Remediation
To remediate the misconfiguration of having MQ (Message Queue) with automatic minor version upgrades enabled for AWS Security Groups using the AWS Management Console, follow these steps:
-
Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in to your account.
-
Navigate to Amazon MQ: Click on the “Services” dropdown menu at the top left corner of the console, then select “Amazon MQ” under the “Messaging” section.
-
Select the Amazon MQ Instance: From the Amazon MQ dashboard, select the Amazon MQ instance for which you want to disable automatic minor version upgrades.
-
Modify Configuration: In the Amazon MQ console, navigate to the “Configuration” tab for the selected Amazon MQ instance.
-
Edit the Configuration: Click on the “Edit” button to modify the configuration settings of the Amazon MQ instance.
-
Disable Automatic Minor Version Upgrades: Scroll down to the “Maintenance” section of the configuration settings. Look for the option related to automatic minor version upgrades and uncheck the box or toggle the setting to disable this feature.
-
Save Changes: After disabling automatic minor version upgrades, click on the “Save Changes” or “Apply Changes” button to apply the new configuration settings to the Amazon MQ instance.
-
Verify Configuration: Once the changes are saved, verify that automatic minor version upgrades are successfully disabled for the AWS Security Groups associated with the Amazon MQ instance.
By following these steps, you can remediate the misconfiguration of having automatic minor version upgrades enabled for AWS Security Groups in Amazon MQ using the AWS Management Console.
To remediate the misconfiguration of having MQ Automatic Minor Version Upgrades enabled for AWS Security Groups using AWS CLI, you can follow these steps:
-
Identify the AWS Security Group associated with your MQ service:
- You can use the following AWS CLI command to list all the security groups associated with your MQ service:
aws mq describe-broker --broker-id <your-broker-id> --query 'BrokerInstances[0].SecurityGroups'
- You can use the following AWS CLI command to list all the security groups associated with your MQ service:
-
Update the Security Group to block all outbound traffic to the internet:
- Use the following AWS CLI command to update the outbound rules of the Security Group associated with your MQ service to block all traffic to 0.0.0.0/0:
aws ec2 revoke-security-group-egress --group-id <your-security-group-id> --protocol all --port all --cidr 0.0.0.0/0
- Use the following AWS CLI command to update the outbound rules of the Security Group associated with your MQ service to block all traffic to 0.0.0.0/0:
-
Verify the changes:
- You can verify that the outbound rules have been updated successfully by describing the Security Group:
aws ec2 describe-security-groups --group-ids <your-security-group-id>
- You can verify that the outbound rules have been updated successfully by describing the Security Group:
-
Disable Automatic Minor Version Upgrades for your MQ Broker:
- Use the following AWS CLI command to update your MQ Broker configuration and disable Automatic Minor Version Upgrades:
aws mq update-broker --broker-id <your-broker-id> --auto-minor-version-upgrade false
- Use the following AWS CLI command to update your MQ Broker configuration and disable Automatic Minor Version Upgrades:
-
Verify the changes:
- You can verify that the Automatic Minor Version Upgrades setting has been disabled by describing the broker configuration:
aws mq describe-broker --broker-id <your-broker-id> --query 'BrokerInstances[0].AutoMinorVersionUpgrade'
- You can verify that the Automatic Minor Version Upgrades setting has been disabled by describing the broker configuration:
By following these steps, you can remediate the misconfiguration of having MQ Automatic Minor Version Upgrades enabled for AWS Security Groups using AWS CLI.
To remediate the misconfiguration of MQ having automatic minor version upgrades enabled for AWS Security Groups using Python, you can follow these steps:
- Install Boto3: Ensure that you have Boto3 installed in your Python environment. Boto3 is the AWS SDK for Python that allows you to interact with AWS services.
pip install boto3
- Write Python Script: Create a Python script that will disable automatic minor version upgrades for the MQ broker in the specified security group. Here is an example script to achieve this:
import boto3
# Initialize the MQ client
client = boto3.client('mq')
# Specify the security group ID of the MQ broker
security_group_id = 'YOUR_SECURITY_GROUP_ID'
# Disable automatic minor version upgrades for the specified MQ broker
response = client.update_broker(
BrokerId='YOUR_BROKER_ID',
Configuration={
'Id': 'autoMinorVersionUpgrade',
'Value': 'false'
}
)
print("Automatic minor version upgrades disabled for the MQ broker in the specified security group.")
-
Replace the placeholders:
- Replace
YOUR_SECURITY_GROUP_IDwith the actual Security Group ID where the MQ broker is deployed. - Replace
YOUR_BROKER_IDwith the ID of the MQ broker for which you want to disable automatic minor version upgrades.
- Replace
-
Run the Script: Execute the Python script to disable automatic minor version upgrades for the specified MQ broker in the Security Group.
python remediate_mq_auto_minor_version_upgrade.py
By following these steps, you can remediate the misconfiguration of MQ having automatic minor version upgrades enabled for AWS Security Groups using Python.