
MQ Log Exports

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: MQ-005

Ensure that your Amazon MQ brokers have the Log Exports feature enabled in order to publish your broker log events directly to CloudWatch Logs. By publishing broker logs to CloudWatch Logs, you can have richer and more seamless interactions with your MQ broker logs using other AWS services. The Log Exports feature supports the following log types:

  • General log – enables the default ActiveMQ INFO logging level and publishes activemq.log to an Amazon CloudWatch log group available in your account.
  • Audit log – enables logging of management actions taken using JMX or using the ActiveMQ Web Console and publishes audit.log to a CloudWatch log group in your AWS account.

Trend Cloud One™ – Conformity strongly recommends that you select both general and audit logs for publishing to CloudWatch Logs when enabling the Log Exports feature.

This rule can help you with the following compliance standards:

  • PCI
  • APRA

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected pillars: Security, Reliability, Performance efficiency, Operational excellence

Amazon MQ is integrated with CloudWatch Logs, a service that monitors, stores and accesses your log files from a variety of sources within your AWS account. Once the Log Exports feature is enabled, Amazon MQ publishes general and audit logs to CloudWatch Logs, allowing you to maintain continuous visibility into your brokers' activity and to meet auditing-related compliance requirements.


Audit

To determine if your Amazon MQ brokers are using the Log Exports feature to publish logs to CloudWatch Logs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MQ console at https://console.aws.amazon.com/amazon-mq/.

03 In the main navigation panel, under Amazon MQ, click Brokers.

04 Click on the name (link) of the MQ broker that you want to examine.

05 In the Details section, check the configuration status for both General and Audit attributes, listed under CloudWatch Logs. If the configuration status for both attributes is set to Disabled, the Log Exports feature is not enabled for the selected Amazon MQ broker, therefore the ActiveMQ general and audit logs are not published to CloudWatch Logs.

06 Repeat steps no. 4 and 5 for each Amazon MQ broker available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run list-brokers command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon MQ broker available in the selected AWS region:

aws mq list-brokers \
  --region us-east-1 \
  --query 'BrokerSummaries[*].BrokerId'

02 The command output should return the requested MQ broker IDs:

[
	"b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
	"b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"
]

03 Run describe-broker command (OSX/Linux/UNIX) using the ID of the Amazon MQ broker that you want to examine as the identifier parameter, to describe the Log Exports feature status (i.e. the configuration status for general and audit logs) for the selected MQ broker:

aws mq describe-broker \
  --region us-east-1 \
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
  --query 'Logs.{General: General, Audit: Audit}'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

{
	"Audit": false,
	"General": false
}

If the describe-broker command output returns false for both "Audit" and "General" attributes, as shown in the example above, the Log Exports feature is not enabled for the selected Amazon MQ broker, therefore the ActiveMQ logging data is not published to CloudWatch Logs.

05 Repeat steps no. 3 and 4 for each Amazon MQ broker available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other AWS regions.
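The CLI steps above examine one broker in one region at a time. The following Python script, added here as an example and not taken from the Conformity page, runs the same check (list-brokers, describe-broker, inspect Logs.General and Logs.Audit) across every region in one pass and reports each broker that does not publish both log types. It assumes boto3's mq client call names and response keys (list_brokers with NextToken pagination, describe_broker); the FakeMQClient class and the broker records are constructed stand-ins so the script runs offline, and a missing Logs block or flag is treated as disabled.

```python
"""Audit Amazon MQ brokers for Log Exports (rule MQ-005), all regions in one pass.

Added example, not Conformity's code. For a real run replace the client factory
with ``lambda region: boto3.client("mq", region_name=region)``.
"""
from typing import Callable, Dict, Iterator, List


def iter_broker_ids(mq_client) -> Iterator[str]:
    """Yield every broker ID in the region, following NextToken pagination
    (the boto3 equivalent of `aws mq list-brokers --query 'BrokerSummaries[*].BrokerId'`)."""
    kwargs: Dict[str, str] = {}
    while True:
        page = mq_client.list_brokers(**kwargs)
        for summary in page.get("BrokerSummaries", []):
            yield summary["BrokerId"]
        token = page.get("NextToken")
        if not token:
            return
        kwargs = {"NextToken": token}


def evaluate_broker(description: dict) -> dict:
    """Apply the MQ-005 check to one describe-broker response.

    A missing Logs block, or a missing/false flag, counts as disabled; the rule
    expects both general and audit logs to be published."""
    logs = description.get("Logs") or {}
    general = bool(logs.get("General", False))
    audit = bool(logs.get("Audit", False))
    return {
        "BrokerId": description["BrokerId"],
        "BrokerName": description.get("BrokerName", ""),
        "General": general,
        "Audit": audit,
        "Compliant": general and audit,
    }


def audit_regions(regions: List[str], client_factory: Callable[[str], object]) -> List[dict]:
    """Return one finding per non-compliant broker across the given regions."""
    findings = []
    for region in regions:
        mq = client_factory(region)
        for broker_id in iter_broker_ids(mq):
            result = evaluate_broker(mq.describe_broker(BrokerId=broker_id))
            if not result["Compliant"]:
                result["Region"] = region
                findings.append(result)
    return findings


# --- Constructed offline stand-in for boto3's MQ client (not real AWS data) ---
class FakeMQClient:
    """Mimics the two boto3 calls the audit needs, paging one broker at a time
    so the NextToken handling is exercised."""

    def __init__(self, brokers: Dict[str, dict]):
        self._brokers = brokers  # BrokerId -> describe-broker style response
        self._ids = list(brokers)

    def list_brokers(self, NextToken=None, **_):
        start = int(NextToken) if NextToken else 0
        page = {"BrokerSummaries": [{"BrokerId": b} for b in self._ids[start:start + 1]]}
        if start + 1 < len(self._ids):
            page["NextToken"] = str(start + 1)
        return page

    def describe_broker(self, BrokerId):
        return self._brokers[BrokerId]


# Constructed sample inventory: the two IDs from the page plus one made-up EU broker.
SAMPLE_BROKERS = {
    "us-east-1": {
        "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc": {
            "BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
            "BrokerName": "cc-internal-broker",
            "Logs": {"General": False, "Audit": False},
        },
        "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd": {
            "BrokerId": "b-bbbbcccc-dddd-eeee-ffff-bbbbccccdddd",
            "BrokerName": "cc-orders-broker",
            "Logs": {"General": True, "Audit": True},
        },
    },
    "eu-west-1": {
        "b-cccc1111-2222-3333-4444-555566667777": {
            "BrokerId": "b-cccc1111-2222-3333-4444-555566667777",
            "BrokerName": "cc-eu-broker",
            "Logs": {"General": True},  # audit flag absent -> treated as disabled
        },
    },
}


def run_sample_audit() -> List[dict]:
    return audit_regions(list(SAMPLE_BROKERS), lambda r: FakeMQClient(SAMPLE_BROKERS[r]))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['Region']} {f['BrokerId']} ({f['BrokerName']}): "
              f"General={f['General']} Audit={f['Audit']} -> NOT COMPLIANT")
```

The sample run flags two brokers: the us-east-1 broker with both flags off, and the eu-west-1 broker whose response carries no Audit flag at all. Treating an absent flag as disabled is deliberate; a check that only looks for an explicit false would silently pass a broker that never had audit logging configured.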

Remediation / Resolution

To enable the Log Exports feature for your Amazon MQ brokers, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Log Exports",
	"Resources": {
		"MQBroker": {
			"Type": "AWS::AmazonMQ::Broker",
			"Properties": {
				"BrokerName": "cc-internal-broker",
				"DeploymentMode": "SINGLE_INSTANCE",
				"EngineType": "ActiveMQ",
				"EngineVersion": "5.15.0",
				"HostInstanceType": "mq.m5.large",
				"AutoMinorVersionUpgrade": "true",
				"Users": [
					{
						"Username": "brokeruser",
						"Password": "brokerpassword"
					}
				],
				"Logs": {
					"General": true,
					"Audit": true
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Log Exports
Resources:
  MQBroker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      BrokerName: cc-internal-broker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: 5.15.0
      HostInstanceType: mq.m5.large
      AutoMinorVersionUpgrade: 'true'
      Users:
        - Username: brokeruser
          Password: brokerpassword
      Logs:
        General: true
        Audit: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_mq_broker" "mq-broker" {
	broker_name                = "cc-internal-broker"
	deployment_mode            = "SINGLE_INSTANCE"
	engine_type                = "ActiveMQ"
	engine_version             = "5.15.0"
	host_instance_type         = "mq.m5.large"
	auto_minor_version_upgrade = true

	user {
		username = "brokeruser"
		password = "brokerpassword"
	}

	# Enable Log Exports
	logs {
		general = true
		audit   = true
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon MQ console at https://console.aws.amazon.com/amazon-mq/.

03 In the main navigation panel, under Amazon MQ, click Brokers.

04 Select the Amazon MQ broker that you want to reconfigure and choose Edit from the top-right menu.

05 In the Logs section, select the General and Audit checkboxes under CloudWatch Logs to enable the Log Exports feature, i.e. enable log publishing to Amazon CloudWatch Logs.
Note: To allow Amazon MQ to post general and audit logs to CloudWatch Logs, you have to define a resource-based policy to give Amazon MQ access to "CreateLogStream" and "PutLogEvents" CloudWatch API actions, i.e.:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "mq.amazonaws.com"
			},
			"Action":[
				"logs:CreateLogStream",
				"logs:PutLogEvents"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"
		}
	]
}

06 Choose Schedule modifications to continue the configuration process.

07 In the Schedule broker modifications section, perform one of the following actions based on your application requirements:

  1. Select After the next reboot to apply the changes automatically during the next scheduled maintenance window. You can also reboot your MQ broker manually.
  2. Select Immediately to apply the changes right away. Applying changes immediately reboots your Amazon MQ broker, therefore all incoming and outgoing connections are severed.

08 Choose Save to apply your configuration changes.

09 Repeat steps no. 4 – 8 to enable the Log Exports feature for each Amazon MQ broker available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 To allow Amazon MQ to post general and audit logs to CloudWatch Logs, you must define a resource-based policy to give Amazon MQ access to "CreateLogStream" and "PutLogEvents" CloudWatch API actions. To create the required resource-based policy, run the put-resource-policy command (OSX/Linux/UNIX) as follows:

aws logs put-resource-policy \
  --region us-east-1 \
  --policy-name cc-amazon-mq-logs \
  --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "mq.amazonaws.com" }, "Action": [ "logs:PutLogEvents", "logs:CreateLogStream" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*" } ] }'

02 The command output should return the put-resource-policy command request metadata (including the implemented resource-based policy):

{
	"resourcePolicy": {
		"policyName": "cc-amazon-mq-logs",
		"policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"mq.amazonaws.com\" }, \"Action\": [ \"logs:PutLogEvents\", \"logs:CreateLogStream\" ], \"Resource\": \"arn:aws:logs:*:*:log-group:/aws/amazonmq/*\" } ] }",
		"lastUpdatedTime": 1548322141899
	}
}

03 Run update-broker command (OSX/Linux/UNIX) to enable the Log Exports feature (i.e. enable log publishing to Amazon CloudWatch Logs) for the selected Amazon MQ broker:

aws mq update-broker \
  --region us-east-1 \
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc \
  --logs Audit=true,General=true

04 The command output should return the update-broker command request metadata:

{
	"BrokerId": "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
	"Logs": {
		"Audit": true,
		"General": true
	}
}

05 (Optional) Run reboot-broker command (OSX/Linux/UNIX) if you want to apply the configuration changes immediately by rebooting the selected Amazon MQ broker. Otherwise, the changes are applied during the next scheduled maintenance window (the command does not produce an output):

aws mq reboot-broker \
  --region us-east-1 \
  --broker-id b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc

06 Repeat steps no. 1 – 5 to enable the Log Exports feature for each Amazon MQ broker available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other AWS regions.
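Both the console note (step 05) and CLI step 01 above make the same point: setting the broker's General and Audit flags is not enough on its own, because Amazon MQ can only deliver logs once a CloudWatch Logs resource-based policy allows mq.amazonaws.com to call logs:CreateLogStream and logs:PutLogEvents on /aws/amazonmq/*. The following Python code, added here as an example and not taken from the Conformity page, checks the resource policies already in a region for that grant, creates the page's policy only when none of them provides it, and then issues the update-broker call. It assumes boto3's logs client (describe_resource_policies, put_resource_policy) and mq client (update_broker) call names and response keys; the Fake* classes, the weak sample policy and the log-group ARN are constructed stand-ins so it runs offline.

```python
"""Remediate MQ-005: confirm the CloudWatch Logs delivery policy, then enable
Log Exports. Added example, not Conformity's or AWS's code; in production pass
boto3.client("logs") and boto3.client("mq") instead of the Fake* classes."""
import json
from fnmatch import fnmatchcase
from typing import List

MQ_SERVICE = "mq.amazonaws.com"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
# Constructed log-group ARN (fake account id) used to probe resource patterns.
MQ_LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/amazonmq/b-example/general"

# The resource policy shown on the page, as a dict.
MQ_LOGS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": MQ_SERVICE},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*",
    }],
}
FULL_POLICY_DOCUMENT = json.dumps(MQ_LOGS_POLICY)
# Constructed weak variant: streams can be created but events cannot be put,
# so delivery would fail even though the broker flags are on.
WEAK_POLICY_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": MQ_SERVICE},
                   "Action": "logs:CreateLogStream",
                   "Resource": "arn:aws:logs:*:*:log-group:/aws/amazonmq/*"}],
})


def _as_list(value) -> List:
    """IAM accepts a string or a list for Action, Resource and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_grants_mq_delivery(policy_document: str, log_group_arn: str = MQ_LOG_GROUP_ARN) -> bool:
    """True if one unconditional Allow statement lets mq.amazonaws.com perform both
    required actions on a resource pattern covering the MQ log group. Statements
    with a Condition are skipped (conservative: conditions are not evaluated here)."""
    for stmt in _as_list(json.loads(policy_document).get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if MQ_SERVICE not in services and principal != "*":
            continue
        actions = _as_list(stmt.get("Action"))  # wildcards such as logs:* are honoured
        if not all(any(fnmatchcase(need, a) for a in actions) for need in REQUIRED_ACTIONS):
            continue
        if any(fnmatchcase(log_group_arn, r) for r in _as_list(stmt.get("Resource"))):
            return True
    return False


def ensure_delivery_policy(logs_client, policy_name: str = "cc-amazon-mq-logs") -> bool:
    """Create the delivery policy unless an existing policy already grants it.
    Returns True when a policy was created."""
    existing = logs_client.describe_resource_policies().get("resourcePolicies", [])
    if any(policy_grants_mq_delivery(p["policyDocument"]) for p in existing):
        return False
    logs_client.put_resource_policy(policyName=policy_name, policyDocument=FULL_POLICY_DOCUMENT)
    return True


def enable_log_exports(mq_client, logs_client, broker_id: str) -> dict:
    """Policy first, then the broker flags (the flags take effect at the next
    reboot or maintenance window, see reboot-broker in step 05)."""
    created = ensure_delivery_policy(logs_client)
    resp = mq_client.update_broker(BrokerId=broker_id, Logs={"General": True, "Audit": True})
    return {"BrokerId": broker_id, "PolicyCreated": created, "Logs": resp["Logs"]}


# --- Constructed offline stand-ins for the two boto3 clients ---
class FakeLogsClient:
    def __init__(self, policies):
        self.policies = list(policies)  # (policyName, policyDocument) tuples

    def describe_resource_policies(self, **_):
        return {"resourcePolicies": [{"policyName": n, "policyDocument": d} for n, d in self.policies]}

    def put_resource_policy(self, policyName, policyDocument):
        self.policies.append((policyName, policyDocument))
        return {"resourcePolicy": {"policyName": policyName, "policyDocument": policyDocument}}


class FakeMQClient:
    def update_broker(self, BrokerId, Logs):
        return {"BrokerId": BrokerId, "Logs": dict(Logs)}


def run_sample_remediation() -> dict:
    """The region starts with only the weak policy, so the full one gets created."""
    logs = FakeLogsClient([("partial-policy", WEAK_POLICY_DOCUMENT)])
    return enable_log_exports(FakeMQClient(), logs, "b-aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc")


if __name__ == "__main__":
    print(json.dumps(run_sample_remediation(), indent=2))
```

Checking the existing policies before calling put-resource-policy matters because CloudWatch Logs keeps a small, fixed number of resource policies per region, so blindly adding one per broker run is wasteful; the check also catches the weak variant, where a policy exists but lacks logs:PutLogEvents and the broker would appear configured while no log events ever arrive.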


Publication date Jan 27, 2019