Amazon MQ brokers must have audit and general logging enabled so broker activity and security events are recorded for detection and investigation, and to support compliance and forensic requirements. In AWS CloudFormation, the AWS::AmazonMQ::Broker resource must include the Logs property with both Audit and General defined and set to true. Resources missing Logs, missing either Audit or General, or with either value set to false will be flagged.
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  BasicBroker:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      AutoMinorVersionUpgrade: "false"
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
      Logs:
        General: true
        Audit: true
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker2": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EncryptionOptions": {
          "UseAwsOwnedKey": true
        },
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "AutoMinorVersionUpgrade": "false",
        "Logs": {
          "General": true,
          "Audit": true
        }
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  # Logs present, but Audit is missing
  BasicBroker3:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
      Logs:
        General: true
  # Logs present, but General is missing
  BasicBroker4:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
      Logs:
        Audit: true
  # General explicitly disabled
  BasicBroker5:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
      Logs:
        General: false
        Audit: true
  # Audit explicitly disabled
  BasicBroker6:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
      Logs:
        Audit: false
        General: true
  # Logs property missing entirely
  BasicBroker7:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false
      Users:
        - ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker8": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "PubliclyAccessible": false,
        "Logs": { "General": true }
      }
    },
    "BasicBroker9": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "PubliclyAccessible": false,
        "Logs": { "Audit": true }
      }
    },
    "BasicBroker10": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "PubliclyAccessible": false,
        "Logs": { "General": false, "Audit": true }
      }
    },
    "BasicBroker11": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "PubliclyAccessible": false,
        "Logs": { "General": true, "Audit": false }
      }
    },
    "BasicBroker12": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": ["MyGroup"],
            "Password": { "Ref": "BrokerPassword" },
            "Username": { "Ref": "BrokerUsername" }
          }
        ],
        "PubliclyAccessible": false
      }
    }
  }
}
```
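To make the rule's decision logic concrete, here is a small offline checker written for this page (it is an added example, not Datadog's scanner or its rule engine). It walks the `Resources` of a parsed CloudFormation template in JSON form and reports every `AWS::AmazonMQ::Broker` whose `Logs` block does not enable both `Audit` and `General`; the sample template and the `broker()` helper are constructed to mirror the compliant and non-compliant cases above, and accepting the string `"true"` as well as a boolean is this checker's own assumption.

```python
BROKER_TYPE = "AWS::AmazonMQ::Broker"
REQUIRED_LOG_KEYS = ("Audit", "General")


def _is_enabled(value):
    # Assumption: treat a boolean true or the string "true" as enabled,
    # since CloudFormation templates commonly write booleans either way.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_broker_logging(template):
    """Return {logical_id: [findings]} for every non-compliant broker."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != BROKER_TYPE:
            continue  # the rule only applies to Amazon MQ brokers
        logs = resource.get("Properties", {}).get("Logs")
        problems = []
        if not isinstance(logs, dict):
            problems.append("Logs property missing")
        else:
            for key in REQUIRED_LOG_KEYS:
                if key not in logs:
                    problems.append(f"Logs.{key} missing")
                elif not _is_enabled(logs[key]):
                    problems.append(f"Logs.{key} is {logs[key]!r}, expected true")
        if problems:
            findings[logical_id] = problems
    return findings


def broker(logs=None):
    """Constructed minimal broker resource; only Logs matters for this rule."""
    props = {"BrokerName": "MyBasicBroker", "EngineType": "ActiveMQ"}
    if logs is not None:
        props["Logs"] = logs
    return {"Type": BROKER_TYPE, "Properties": props}


# Constructed template covering the same cases as the examples on this page.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Compliant": broker({"General": True, "Audit": True}),
        "GeneralOnly": broker({"General": True}),
        "AuditOnly": broker({"Audit": True}),
        "GeneralOff": broker({"General": False, "Audit": True}),
        "AuditOff": broker({"General": True, "Audit": False}),
        "NoLogs": broker(),
        "NotABroker": {"Type": "AWS::SQS::Queue", "Properties": {}},
    },
}

if __name__ == "__main__":
    for rid, problems in check_broker_logging(SAMPLE_TEMPLATE).items():
        print(f"{rid}: {'; '.join(problems)}")
```

A YAML template can be fed to the same function after parsing it with a YAML loader that understands CloudFormation's short-form intrinsic tags.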
To enable this rule, include the ruleset in your static analysis configuration:

```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```