Ensure log exports are enabled for AWS MQ Brokers

LOW

Description

If log exports are not enabled for an Amazon MQ broker, its general and audit logs are never delivered to CloudWatch Logs. Without them there is no durable record of broker activity or of user-management actions, which weakens integrity monitoring and leaves little evidence to work from during a later incident response.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the Amazon MQ dashboard.
  2. In the navigation panel, select Brokers.
  3. Select the MQ broker to open its settings page.
  4. In the Details tab, check the CloudWatch Logs section for the status of the General and Audit logs; if either is disabled, edit the broker and enable it (Audit logging is available for ActiveMQ brokers only).

In Terraform -

  1. In the aws_mq_broker resource, add a logs block.
  2. Set the logs.general field to true.
  3. For ActiveMQ brokers, also set the logs.audit field to true (audit logging is not supported for the RabbitMQ engine type).
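The Terraform steps above, shown as an added example (this configuration is not from the original page or from the Terraform provider docs). It places a non-compliant broker next to the corrected one. The broker names, engine versions, instance types and the mq_admin_password variable are illustrative assumptions; only the logs block is the point of the example.

```hcl
# Added example, not part of the original page. Names, engine versions,
# instance types and the password variable are assumptions chosen for
# illustration; the logs block is the configuration the rule checks.

variable "mq_admin_password" {
  type      = string
  sensitive = true # supplied out of band; never hard-code broker credentials
}

# NON-COMPLIANT: no logs block, so neither general nor audit logs are
# exported to CloudWatch Logs. This is the shape the rule flags.
resource "aws_mq_broker" "orders_unlogged" {
  broker_name        = "orders-broker-unlogged" # assumed name
  engine_type        = "ActiveMQ"
  engine_version     = "5.17.6"     # example version, check what your account supports
  host_instance_type = "mq.t3.micro" # example instance type

  user {
    username = "admin"
    password = var.mq_admin_password
  }
}

# COMPLIANT (ActiveMQ): general logging plus audit logging, which records
# user-management actions made through JMX or the ActiveMQ web console.
resource "aws_mq_broker" "orders" {
  broker_name        = "orders-broker" # assumed name
  engine_type        = "ActiveMQ"
  engine_version     = "5.17.6"     # example version
  host_instance_type = "mq.t3.micro" # example instance type

  user {
    username = "admin"
    password = var.mq_admin_password
  }

  logs {
    general = true
    audit   = true # ActiveMQ only
  }
}

# COMPLIANT (RabbitMQ): only general logging exists for this engine type.
# Do not set logs.audit here; audit logging is not supported for RabbitMQ.
resource "aws_mq_broker" "events" {
  broker_name        = "events-broker" # assumed name
  engine_type        = "RabbitMQ"
  engine_version     = "3.11.20"    # example version
  host_instance_type = "mq.m5.large" # example instance type

  user {
    username = "admin"
    password = var.mq_admin_password
  }

  logs {
    general = true
  }
}
```

Running terraform plan against an existing broker that lacks the logs block shows an in-place update of the logs attributes, so the fix does not require replacing the broker. Keep the engine-type distinction in mind when writing a policy check: a RabbitMQ broker with general = true and no audit setting is the compliant state for that engine, not a finding.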

References:
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/security-logging-monitoring.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker#logs

Policy Details

Rule Reference ID: AC_AWS_0174
CSP: AWS
Remediation Available: Yes
Resource: aws_mq_broker
Resource Category: Messaging

Frameworks