For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-mq-broker-is-publicly-accessible.md.
Amazon MQ brokers must not be publicly accessible. A broker created with PubliclyAccessible set to true is given a public endpoint, so its messaging ports and web console are reachable from the internet; that increases the attack surface and exposes the broker to credential guessing and unauthorized access to messages and the management interface. Check the PubliclyAccessible property on AWS::AmazonMQ::Broker resources: it must be omitted or set to false. Resources with PubliclyAccessible set to true are flagged as a security risk. Note that the CloudFormation resource reference lists PubliclyAccessible as a required property of AWS::AmazonMQ::Broker, so in practice set it explicitly to false rather than relying on omission. A private broker is then reachable only from within its VPC (or from networks connected to it), and access should additionally be restricted with the broker's security groups.
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  BasicBroker:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      AutoMinorVersionUpgrade: "false"
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker2": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EncryptionOptions": {
          "UseAwsOwnedKey": true
        },
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "AutoMinorVersionUpgrade": "false"
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  BasicBroker:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      AutoMinorVersionUpgrade: "false"
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: true
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker2": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EncryptionOptions": {
          "UseAwsOwnedKey": true
        },
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "AutoMinorVersionUpgrade": "false",
        "PubliclyAccessible": true
      }
    }
  }
}
```
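The following is an added example, not Datadog's rule implementation and not code from this page: a small, stdlib-only Python check that applies the same logic to JSON-format templates. Beyond the literal `true` the page shows, it also treats the string form `"true"` (which CloudFormation accepts for boolean properties, as the `AutoMinorVersionUpgrade: "false"` lines above illustrate) as a finding, and it surfaces a value that is an intrinsic function such as `{"Ref": ...}` for manual review instead of silently passing it. The sample templates are constructed for this example and trimmed from the ones on this page; the `MakePublic` parameter is hypothetical.

```python
"""Static check mirroring the rule above: flag AWS::AmazonMQ::Broker resources
whose PubliclyAccessible property is true.

Added example for this page; it is not Datadog's rule engine. Only JSON-format
templates are parsed (stdlib json); YAML templates would additionally need a
loader that understands CloudFormation short-form tags such as !Ref.
"""
import json

BROKER_TYPE = "AWS::AmazonMQ::Broker"


def parse_cfn_bool(value):
    """Interpret a CloudFormation boolean-typed property value.

    CloudFormation accepts both the literal true/false and the strings
    "true"/"false", so both forms are treated as booleans here. Returns None
    when the value is an intrinsic function ({"Ref": ...}, {"Fn::If": ...})
    that cannot be resolved without the parameter values.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
    return None


def check_template(template):
    """Return a list of (logical_id, reason) findings for broker resources."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != BROKER_TYPE:
            continue
        props = resource.get("Properties") or {}
        if "PubliclyAccessible" not in props:
            # Omitted: compliant per the rule text above.
            continue
        value = props["PubliclyAccessible"]
        resolved = parse_cfn_bool(value)
        if resolved is True:
            findings.append((logical_id, "PubliclyAccessible is true"))
        elif resolved is None:
            # A Ref/Fn::If cannot be judged statically; report it for review
            # rather than letting a parameter-driven public broker slip through.
            findings.append(
                (logical_id, f"PubliclyAccessible is not a literal boolean ({value!r})"))
    return findings


def check_json(text):
    """Parse a JSON-format template and run the check."""
    return check_template(json.loads(text))


# Constructed sample templates, trimmed from the examples on this page.
COMPLIANT = """{"Resources": {"BasicBroker": {"Type": "AWS::AmazonMQ::Broker",
  "Properties": {"BrokerName": "MyBasicBroker", "DeploymentMode": "SINGLE_INSTANCE",
  "EngineType": "ActiveMQ", "HostInstanceType": "mq.t2.micro",
  "PubliclyAccessible": false}}}}"""

NONCOMPLIANT = """{"Resources": {"BasicBroker2": {"Type": "AWS::AmazonMQ::Broker",
  "Properties": {"BrokerName": "MyBasicBroker", "DeploymentMode": "SINGLE_INSTANCE",
  "EngineType": "ActiveMQ", "HostInstanceType": "mq.t2.micro",
  "PubliclyAccessible": true}}}}"""

# Edge cases a literal-only check would miss: the string form and a
# hypothetical parameter Ref (constructed for this example).
STRING_TRUE = """{"Resources": {"Broker": {"Type": "AWS::AmazonMQ::Broker",
  "Properties": {"BrokerName": "b", "DeploymentMode": "SINGLE_INSTANCE",
  "EngineType": "ActiveMQ", "HostInstanceType": "mq.t2.micro",
  "PubliclyAccessible": "true"}}}}"""

REF_VALUE = """{"Parameters": {"MakePublic": {"Type": "String", "Default": "false"}},
  "Resources": {"Broker": {"Type": "AWS::AmazonMQ::Broker",
  "Properties": {"BrokerName": "b", "DeploymentMode": "SINGLE_INSTANCE",
  "EngineType": "ActiveMQ", "HostInstanceType": "mq.t2.micro",
  "PubliclyAccessible": {"Ref": "MakePublic"}}}}}"""

if __name__ == "__main__":
    for name, text in [("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT),
                       ("string true", STRING_TRUE), ("Ref value", REF_VALUE)]:
        print(name, "->", check_json(text) or "no findings")
```

Run it directly to see the four cases: the compliant template yields no findings, the non-compliant one and the string-form `"true"` are flagged, and the `Ref` case is reported as unresolved so a reviewer can confirm what the parameter can be set to at deploy time.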
Ruleset configuration (static-analysis.datadog.yml):

```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```