AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
MQ Broker Should Not Be Publicly Accessible
More Info:
MQ brokers should not be launched into public cloud. Unless there is a specific business requirement, MQ Brokers should not have a public endpoint and should be accessed from within a VPC only.
Risk Level
Medium
Address
Security
Compliance Standards
GDPR, HITRUST, SOC2
Triage and Remediation
Remediation
To remediate the misconfiguration of an MQ Broker being publicly accessible in AWS Security Groups, follow these steps using the AWS Management Console:
-
Log in to the AWS Management Console: Go to https://aws.amazon.com/ and log in to your AWS account.
-
Navigate to the Amazon MQ Service: Click on the “Services” dropdown menu at the top left corner of the console, then select “Amazon MQ” under the “Messaging” category.
-
Select the MQ Broker: In the Amazon MQ dashboard, select the MQ Broker that is publicly accessible.
-
Update Security Group Rules:
- In the left-hand navigation pane, click on “Configuration” and then select the “Security groups” tab.
- Click on the security group that is associated with the MQ Broker.
-
Edit Inbound Rules:
- In the “Inbound rules” tab, review the existing rules that allow public access to the MQ Broker.
- Identify the rule(s) that allow access from any IP address (0.0.0.0/0) or from unauthorized IP ranges.
-
Remove Public Access:
- Select the rule(s) that allow public access to the MQ Broker.
- Click on the “Actions” dropdown menu and choose “Edit inbound rules”.
- Remove the rule(s) that allow access from any IP address or unauthorized IP ranges.
- Add specific IP ranges or security groups that are allowed to access the MQ Broker if necessary.
-
Save Changes: Click on the “Save rules” button to apply the changes to the security group.
-
Verify Changes:
- Go back to the Amazon MQ dashboard and check the security group settings for the MQ Broker to ensure that public access has been restricted.
- Test the connectivity to the MQ Broker to ensure that it is only accessible from authorized sources.
By following these steps, you can remediate the misconfiguration of an MQ Broker being publicly accessible in AWS Security Groups and restrict access to authorized entities only.
To remediate the misconfiguration of making an MQ Broker publicly accessible in AWS using AWS CLI, you can follow these steps:
- List the existing security groups associated with your MQ Broker:
aws mq list-brokers
- Identify the security group associated with the MQ Broker that is publicly accessible:
aws mq describe-broker --broker-id <your-broker-id>
-
Note down the Security Group ID associated with the MQ Broker.
-
Update the inbound rules of the Security Group to restrict access only to the necessary IP addresses or CIDR blocks. Replace
<security-group-id>with the Security Group ID noted in step 3 and<your-ip>with your IP address:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 8162 --cidr <your-ip>/32
- Verify that the inbound rule has been updated successfully:
aws ec2 describe-security-groups --group-ids <security-group-id>
- Repeat steps 4 and 5 for any other necessary ports (e.g., 61614 for AMQP, 5671 for MQTT, etc.) to ensure that only the required ports are accessible.
By following these steps, you can remediate the misconfiguration of making an MQ Broker publicly accessible in AWS using AWS CLI.
To remediate the misconfiguration of an MQ Broker being publicly accessible in AWS using Python, you can follow these steps:
-
Identify the Security Group: First, you need to identify the Security Group associated with the MQ Broker.
-
Update Security Group Rules: You will need to update the inbound rules of the Security Group to restrict access to the MQ Broker to only the necessary IP addresses or ranges.
-
Revoke Public Access: Remove the existing rule that allows public access to the MQ Broker.
Here is a sample Python script to achieve this:
import boto3
# Define the region and the security group ID associated with the MQ Broker
region = 'your_region'
security_group_id = 'your_security_group_id'
# Create a Boto3 client for EC2
ec2_client = boto3.client('ec2', region_name=region)
# Revoke the existing rule that allows public access to the MQ Broker
response = ec2_client.revoke_security_group_ingress(
GroupId=security_group_id,
IpPermissions=[
{
'IpProtocol': 'tcp',
'FromPort': 8161, # Assuming default port for MQ Broker
'ToPort': 8161,
'IpRanges': [{'CidrIp': '0.0.0.0/0'}] # Restrict this as per your requirement
}
]
)
print("Public access to the MQ Broker has been revoked.")
Make sure to replace 'your_region' and 'your_security_group_id' with the appropriate values for your environment.
After running this script, the Security Group associated with the MQ Broker will be updated to revoke public access, thereby remedying the misconfiguration of the MQ Broker being publicly accessible in AWS.