Ensure customer owned KMS key is used for encrypting AWS MQ Brokers

HIGH

Description

An Amazon MQ broker that is not encrypted at rest with a customer managed KMS key (CMK) falls back to an AWS owned key. The account then has no control over the key policy, rotation, or the ability to revoke access to the stored messages, which weakens the confidentiality of the data.

Remediation

This setting applies only to brokers running the ActiveMQ engine, and the encryption configuration can be set only when the broker is created; an existing broker cannot be switched to a different key and must be recreated. To create a new broker with a customer managed key, follow the steps below.

In AWS Console -

  1. Sign in to the AWS Console and open the MQ Console.
  2. Under Brokers, select Create brokers.
  3. Choose Apache ActiveMQ.
  4. Choose the deployment mode (for example, Active/standby broker) and select Next.
  5. Expand the Additional Settings configuration and under Encryption choose Customer managed CMKs.
  6. Choose the KMS key to be used from the drop-down list.
  7. Continue configuring as needed and save.

In Terraform -

  1. In the aws_mq_broker resource, create an encryption_options block.
  2. Set the use_aws_owned_key field to false and enter the ARN of the customer managed KMS key in the kms_key_id field. Leaving kms_key_id unset while use_aws_owned_key is false makes Amazon MQ use the AWS managed key aliased aws/mq, which does not satisfy this rule. Both fields force replacement of the broker, so changing them on an existing broker recreates it.
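
The following configuration is an added example, not code from the original page or from Terrascan: it shows an aws_mq_broker that fails this rule next to one that passes it. The resource names, the engine version, the instance type, and the subnet and password variables are assumptions for illustration.

```hcl
# Added example (not from the original page). Names, the engine version,
# the instance type and the variables below are assumptions.

variable "subnet_ids" {
  type        = list(string)
  description = "Subnets for the broker (two are needed for active/standby)"
}

variable "broker_password" {
  type      = string
  sensitive = true
}

# Non-compliant: no encryption_options block, so Amazon MQ encrypts the
# broker with an AWS owned key that the account cannot manage or audit.
resource "aws_mq_broker" "noncompliant" {
  broker_name        = "orders-broker-legacy"
  engine_type        = "ActiveMQ"
  engine_version     = "5.17.6" # assumed to be a version Amazon MQ offers
  host_instance_type = "mq.t3.micro"
  deployment_mode    = "ACTIVE_STANDBY_MULTI_AZ"
  subnet_ids         = var.subnet_ids

  user {
    username = "admin"
    password = var.broker_password
  }
}

# Customer managed key that the account owns: its key policy, rotation and
# deletion are under the account's control, and its use is visible in CloudTrail.
resource "aws_kms_key" "mq" {
  description             = "Customer managed key for Amazon MQ data at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Compliant: use_aws_owned_key = false together with an explicit kms_key_id.
# Setting use_aws_owned_key = false without kms_key_id would select the
# AWS managed key aliased aws/mq, which is still not customer managed.
# Both fields can only be set at creation; changing them later forces a
# new broker.
resource "aws_mq_broker" "compliant" {
  broker_name        = "orders-broker"
  engine_type        = "ActiveMQ"
  engine_version     = "5.17.6" # assumed to be a version Amazon MQ offers
  host_instance_type = "mq.t3.micro"
  deployment_mode    = "ACTIVE_STANDBY_MULTI_AZ"
  subnet_ids         = var.subnet_ids

  encryption_options {
    use_aws_owned_key = false
    kms_key_id        = aws_kms_key.mq.arn
  }

  user {
    username = "admin"
    password = var.broker_password
  }
}
```

After `terraform apply`, `aws mq describe-broker --broker-id <id>` reports `EncryptionOptions.UseAwsOwnedKey` as false and `EncryptionOptions.KmsKeyId` as the key ARN for the compliant broker; the non-compliant one reports `UseAwsOwnedKey` as true.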

References:
https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/data-protection.html#data-protection-encryption-at-rest
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker#encryption_options

Policy Details

Rule Reference ID: AC_AWS_0178
CSP: AWS
Remediation Available: Yes
Resource: aws_mq_broker
Resource Category: Messaging

Frameworks