
MQ Desired Broker Instance Type

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: MQ-006

Determine if the Amazon MQ broker instances provisioned in your AWS account have the desired instance type established within your organization based on the workload deployed (in this case Apache ActiveMQ workload). An MQ broker instance is a broker environment running in the AWS cloud. Cloud Conformity allows you to define the desired MQ broker instance type based on your workload requirements upon enabling the conformity rule.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Setting limits for the type of Amazon MQ broker instances created in your AWS account will help you address internal compliance requirements and prevent unexpected charges on your AWS bill.

Note 1: You can also limit your MQ broker instances to the desired type using the AWS Organizations service by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your AWS organization. SCPs enable you to restrict which resources, services and actions the users, groups, and roles in the organization's member accounts can use.
Note 2: The desired broker instance type used as example in this conformity rule is mq.m5.large. To meet your own organizational requirements, you will need to configure this rule with your desired broker instance type, using the rule configuration settings available on the Cloud Conformity account dashboard.


Audit

To determine if the AWS MQ broker instances launched in your AWS account have the desired instance type, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to MQ dashboard at https://console.aws.amazon.com/amazon-mq/.

03 In the navigation panel, under Amazon MQ, click Brokers.

04 On the Brokers listing page, check the instance type of each MQ broker instance available, listed in the Instance type column. If the value listed in the Instance type column is not the same for all existing brokers, the Amazon MQ broker instances available in the current AWS region were not created using the desired instance type, and you must raise an AWS support case to limit the provisioning of MQ broker instances to the desired type only (see the Remediation/Resolution section).

05 Change the AWS region from the navigation bar and repeat step no. 4 for all other regions.

Using AWS CLI

01 Run list-brokers command (OSX/Linux/UNIX) using custom query filters to describe the type of each AWS MQ broker instance available in the selected AWS region:

aws mq list-brokers \
	--region us-east-1 \
	--output table \
	--query 'BrokerSummaries[*].HostInstanceType'

02 The command output should return a table with the MQ broker instance type(s) available:

-------------------
|   ListBrokers   |
+-----------------+
|  mq.m5.2xlarge  |
|  mq.m5.large    |
+-----------------+

If the instance type(s) listed in the command output table are not the same for all existing broker instances, the Amazon MQ broker instances available in the selected region were not created using the desired type, and you must raise an AWS support case to limit MQ broker creation to the required instance type only.

03 Repeat step no. 1 and 2 to perform the audit process for all other AWS regions.
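The CLI audit above compares instance types by eye, one region at a time. The following script is an added example (not part of the Conformity rule or Trend Micro's tooling) that automates steps 1 to 3: it lists every broker's name and host instance type, flags any broker whose type differs from the desired type, and loops over all enabled regions. The desired type mq.m5.large is taken from Note 2; the DESIRED_TYPE variable, the function names and the two-column --query projection are this example's own choices, and the sample broker list in the comments is constructed.

```shell
#!/bin/sh
# Desired broker instance type (assumption: mq.m5.large, as in Note 2).
DESIRED_TYPE="${DESIRED_TYPE:-mq.m5.large}"

# check_broker_types DESIRED
# Reads "BrokerName<TAB>HostInstanceType" lines on stdin (the shape that
# `--output text` produces for a two-column --query), prints one line per
# non-compliant broker and returns 1 if any broker deviates, 0 otherwise.
# Constructed sample input:
#   broker-a    mq.m5.large
#   broker-b    mq.m5.2xlarge
# -> "NON-COMPLIANT: broker-b uses mq.m5.2xlarge (desired mq.m5.large)", rc 1
check_broker_types() {
  desired="$1"
  bad=0
  while read -r name type; do
    [ -z "$name" ] && continue          # skip blank lines
    if [ "$type" != "$desired" ]; then
      echo "NON-COMPLIANT: $name uses $type (desired $desired)"
      bad=1
    fi
  done
  return "$bad"
}

# audit_region REGION
# Same list-brokers call as the audit step, but projecting name and type
# as text so the result can be piped into check_broker_types.
audit_region() {
  region="$1"
  aws mq list-brokers --region "$region" --output text \
    --query 'BrokerSummaries[*].[BrokerName,HostInstanceType]' \
    | check_broker_types "$DESIRED_TYPE"
}

# audit_all_regions
# Step 3 of the audit: repeat the check in every enabled region.
# Returns 1 if any region contains a non-compliant broker.
audit_all_regions() {
  overall=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    echo "== $region"
    audit_region "$region" || overall=1
  done
  return "$overall"
}

# Run the full audit only when invoked as: sh audit-mq-types.sh run
if [ "${1:-}" = "run" ]; then
  audit_all_regions
fi
```

A non-zero exit status from audit_all_regions makes the script usable as a scheduled check; the per-broker NON-COMPLIANT lines give you the broker names to cite in the support case described under Remediation.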

Remediation / Resolution

To limit the Amazon MQ broker instances that will be launched in your AWS account to a desired instance type, perform the following:

Note: Creating a support case to request the necessary instance type limitation using the AWS cloud API via Command Line Interface (CLI) is not currently supported by AWS.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Support Center page, perform the following actions:

  1. Select My support cases tab and click Create case button to initiate the request process.
  2. Under Create case, select Account and Billing Support option.
  3. In the Case classification section, select Account from the Type dropdown list and Other Account Issues from the Category dropdown list.
  4. Within the Case description section, enter the request subject, e.g. "Limit MQ brokers launch process to a desired instance type", in the Subject box, and in the Description area provide a brief explanation of why you need to limit the creation of MQ broker instances to a specific instance type. This will help the AWS support team evaluate your case quickly.
  5. In the Contact options section, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that AWS support can use to respond to your request. You can either choose to be contacted via email and AWS Support Center or via phone call.
  6. Click Submit to send the limit request to Amazon Web Services.

Publication date Mar 17, 2019