MQ Broker Auto Minor Version Upgrades Should Be Enabled

Overview

This check verifies that your Amazon MQ brokers have automatic minor version upgrades enabled. When enabled, AWS automatically applies supported minor and patch engine updates during scheduled maintenance windows, keeping your message brokers secure and up to date.

Risk

Without automatic minor version upgrades, your brokers may run on outdated engine versions that contain known security vulnerabilities. This can lead to:

  • Security exposure: Unpatched vulnerabilities could allow unauthorized access to messages
  • Stability issues: Bug fixes and performance improvements are missed
  • Compliance gaps: Running outdated software may violate security policies

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to modify Amazon MQ brokers, or
  • AWS CLI configured with appropriate credentials

Required IAM permissions

Your IAM user or role needs the following permissions. mq:ListBrokers does not support resource-level permissions and only accepts "Resource": "*"; for least privilege, move mq:DescribeBroker and mq:UpdateBroker into a separate statement scoped to the broker ARN(s) you actually manage (arn:aws:mq:<region>:<account-id>:broker:<broker-name>:<broker-id>):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "mq:DescribeBroker",
                    "mq:UpdateBroker",
                    "mq:ListBrokers"
                ],
                "Resource": "*"
            }
        ]
    }

AWS Console Method

  1. Open the Amazon MQ console
  2. In the left navigation, click Brokers
  3. Select the broker you want to update
  4. Click Edit
  5. Scroll to the Maintenance section
  6. Check the box for Enable automatic minor version upgrades
  7. Click Save

The flag itself is recorded on the broker immediately and is visible in the broker details; the engine upgrades it enables are applied during the broker's scheduled maintenance window, so a broker does not change version the moment you save.

AWS CLI

Enable auto minor version upgrade for an existing broker:

    aws mq update-broker \
        --broker-id <your-broker-id> \
        --auto-minor-version-upgrade \
        --region us-east-1

Replace <your-broker-id> with your broker's unique ID (e.g., b-1234abcd-5678-efgh-9012-ijklmnopqrst).

To find your broker ID:

    aws mq list-brokers \
        --query 'BrokerSummaries[].[BrokerId,BrokerName,EngineType]' \
        --output table \
        --region us-east-1

CloudFormation

Set AutoMinorVersionUpgrade: true in your broker resource. The Password parameter below is NoEcho, but prefer a Secrets Manager dynamic reference over passing the secret as a stack parameter:

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Amazon MQ Broker with Auto Minor Version Upgrade Enabled

    Parameters:
      BrokerName:
        Type: String
        Description: Name of the Amazon MQ broker
      EngineType:
        Type: String
        Default: ACTIVEMQ
        AllowedValues:
          - ACTIVEMQ
          - RABBITMQ
        Description: Message broker engine type
      EngineVersion:
        Type: String
        Default: '5.18'
        Description: Engine version for the broker (5.18 is an ActiveMQ version; pass a 3.13 or later version when EngineType is RABBITMQ)
      HostInstanceType:
        Type: String
        Default: mq.t3.micro
        Description: Instance type for the broker
      Username:
        Type: String
        Description: Admin username for the broker
      Password:
        Type: String
        NoEcho: true
        Description: Admin password for the broker

    Resources:
      MQBroker:
        Type: AWS::AmazonMQ::Broker
        Properties:
          BrokerName: !Ref BrokerName
          EngineType: !Ref EngineType
          EngineVersion: !Ref EngineVersion
          HostInstanceType: !Ref HostInstanceType
          AutoMinorVersionUpgrade: true
          DeploymentMode: SINGLE_INSTANCE
          PubliclyAccessible: false
          Users:
            - Username: !Ref Username
              Password: !Ref Password

    Outputs:
      BrokerId:
        Description: The ID of the Amazon MQ broker
        Value: !Ref MQBroker
      BrokerArn:
        Description: The ARN of the Amazon MQ broker
        Value: !GetAtt MQBroker.Arn

Terraform

Set auto_minor_version_upgrade = true in your broker resource. The provider defaults this argument to false, so leaving it out fails the check:

    resource "aws_mq_broker" "main" {
      broker_name = var.broker_name

      engine_type         = var.engine_type
      engine_version      = var.engine_version
      host_instance_type  = var.host_instance_type
      deployment_mode     = "SINGLE_INSTANCE"
      publicly_accessible = false

      # Enable automatic minor version upgrades (required for this check)
      auto_minor_version_upgrade = true

      user {
        username = var.username
        password = var.password
      }
    }

Variables:

    variable "broker_name" {
      description = "Name of the Amazon MQ broker"
      type        = string
    }

    variable "engine_type" {
      description = "Message broker engine type (ActiveMQ or RabbitMQ)"
      type        = string
      default     = "ActiveMQ"
    }

    variable "engine_version" {
      description = "Engine version for the broker (5.18 is an ActiveMQ version; use 3.13 or later for RabbitMQ)"
      type        = string
      default     = "5.18"
    }

    variable "host_instance_type" {
      description = "Instance type for the broker"
      type        = string
      default     = "mq.t3.micro"
    }

    variable "username" {
      description = "Admin username for the broker"
      type        = string
    }

    variable "password" {
      description = "Admin password for the broker"
      type        = string
      sensitive   = true
    }
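The CloudFormation and Terraform sections above show the compliant setting; the following is an added example (not code from this page or from any vendor tool) of enforcing it before deployment. It reads a CloudFormation template in JSON form and the JSON emitted by `terraform show -json tfplan`, reports every broker as PASS, FAIL or UNRESOLVED, and exits non-zero so it can sit in a CI pipeline. The sample template and plan embedded at the bottom are constructed for the offline run; YAML templates with `!Ref`-style tags would need a tag-aware loader and are left out on purpose.

```python
"""Static gate for the AutoMinorVersionUpgrade setting in IaC.

Added example for this page, not code from the page or from any vendor tool.
It inspects the two machine-readable artifacts the page's CloudFormation and
Terraform sections lead to: a CloudFormation template in JSON form and the
JSON that `terraform show -json tfplan` emits. YAML templates using !Ref-style
tags need a tag-aware loader and are deliberately out of scope here.
"""
from __future__ import annotations

import json
import sys

CFN_BROKER_TYPE = "AWS::AmazonMQ::Broker"
TF_BROKER_TYPE = "aws_mq_broker"


def check_cloudformation(template: dict) -> dict[str, str]:
    """Map each AWS::AmazonMQ::Broker logical ID to PASS, FAIL or UNRESOLVED.

    UNRESOLVED: the property is an intrinsic ({"Ref": ...}, {"Fn::If": ...})
    whose value is only known at deploy time; verify it post-deploy instead.
    """
    results: dict[str, str] = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != CFN_BROKER_TYPE:
            continue
        value = res.get("Properties", {}).get("AutoMinorVersionUpgrade")
        if value is True or (isinstance(value, str) and value.lower() == "true"):
            results[logical_id] = "PASS"
        elif isinstance(value, dict):
            results[logical_id] = "UNRESOLVED"
        else:  # false, "false", or missing altogether
            results[logical_id] = "FAIL"
    return results


def _iter_resources(module: dict):
    """Walk a planned_values module tree, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def check_terraform_plan(plan: dict) -> dict[str, str]:
    """Map each managed aws_mq_broker address in planned_values to PASS or FAIL.

    The provider defaults auto_minor_version_upgrade to false, so an absent
    attribute is a FAIL, not an unknown. Data sources (mode "data") are skipped.
    """
    results: dict[str, str] = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _iter_resources(root):
        if res.get("type") != TF_BROKER_TYPE or res.get("mode") != "managed":
            continue
        enabled = res.get("values", {}).get("auto_minor_version_upgrade")
        results[res["address"]] = "PASS" if enabled is True else "FAIL"
    return results


# Constructed sample inputs (not real templates or plans).
SAMPLE_CFN_TEMPLATE = {
    "Resources": {
        "GoodBroker": {"Type": CFN_BROKER_TYPE,
                       "Properties": {"AutoMinorVersionUpgrade": True, "EngineType": "ACTIVEMQ"}},
        "LegacyBroker": {"Type": CFN_BROKER_TYPE,
                         "Properties": {"AutoMinorVersionUpgrade": "false", "EngineType": "ACTIVEMQ"}},
        "ParamBroker": {"Type": CFN_BROKER_TYPE,
                        "Properties": {"AutoMinorVersionUpgrade": {"Ref": "AutoUpgrade"}}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
    }
}
SAMPLE_TF_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_mq_broker.main", "mode": "managed", "type": TF_BROKER_TYPE,
             "values": {"auto_minor_version_upgrade": True, "engine_version": "5.18"}},
            {"address": "data.aws_mq_broker.lookup", "mode": "data", "type": TF_BROKER_TYPE,
             "values": {"auto_minor_version_upgrade": False}},
        ],
        "child_modules": [{"address": "module.legacy", "resources": [
            {"address": "module.legacy.aws_mq_broker.old", "mode": "managed", "type": TF_BROKER_TYPE,
             "values": {"engine_version": "5.17.6"}},
        ]}],
    }},
}


def main(paths: list[str]) -> int:
    """Gate: exit 1 unless every broker is PASS (UNRESOLVED fails closed)."""
    docs = [json.load(open(p)) for p in paths] if paths else [SAMPLE_CFN_TEMPLATE, SAMPLE_TF_PLAN]
    failed = False
    for doc in docs:
        results = check_cloudformation(doc) if "Resources" in doc else check_terraform_plan(doc)
        for name, status in results.items():
            print(f"{status:<10} {name}")
            failed = failed or status != "PASS"
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the constructed samples evaluated, or pass one or more template/plan JSON paths; the gate fails closed on UNRESOLVED so a broker whose setting comes from a parameter is still looked at by a human or by the post-deploy check below.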

Verification

After making the change, verify that auto minor version upgrade is enabled:

  1. In the Amazon MQ console, select your broker
  2. Check that Automatic minor version upgrade shows as Enabled in the broker details

CLI verification

    aws mq describe-broker \
        --broker-id <your-broker-id> \
        --query 'AutoMinorVersionUpgrade' \
        --region us-east-1

The output should be true.
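The verification above covers one broker at a time. The following is an added example (not code from this page or its check) that runs the same evaluation across every broker in a region: it pages through ListBrokers, evaluates each DescribeBroker response, prints the exact update-broker command for each failing broker, and notes when the engine predates the version where Amazon MQ makes the flag mandatory. The live path assumes boto3 is installed and AWS credentials are configured; the DescribeBroker responses embedded at the bottom are constructed so the evaluation logic also runs offline.

```python
"""Audit every Amazon MQ broker in a region for AutoMinorVersionUpgrade.

Added example for this page; it is not the check's own implementation. The
evaluation logic is kept free of AWS calls so it can run against constructed
DescribeBroker responses offline; audit_region() is the live path and assumes
boto3 is installed and AWS credentials are configured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Engine versions from which Amazon MQ requires the flag to be on (see Notes).
# A broker below these lines is where the flag can actually be off.
REQUIRED_FROM = {"ACTIVEMQ": (5, 18), "RABBITMQ": (3, 13)}


def parse_version(version: str) -> tuple[int, ...]:
    """'5.17.6' -> (5, 17, 6). Stops at the first non-numeric component,
    so suffixed strings such as '3.13.1-rc' still compare sanely."""
    parts: list[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


@dataclass
class Finding:
    broker_id: str
    broker_name: str
    engine: str
    engine_version: str
    status: str        # "PASS" or "FAIL"
    remediation: str   # empty for PASS


def evaluate_broker(desc: dict) -> Finding:
    """Evaluate a single DescribeBroker response (or an equivalent dict)."""
    broker_id = desc["BrokerId"]
    name = desc.get("BrokerName", "")
    engine = str(desc.get("EngineType", "")).upper()
    version = str(desc.get("EngineVersion", ""))
    if desc.get("AutoMinorVersionUpgrade") is True:
        return Finding(broker_id, name, engine, version, "PASS", "")
    remediation = f"aws mq update-broker --broker-id {broker_id} --auto-minor-version-upgrade"
    floor = REQUIRED_FROM.get(engine)
    if floor and parse_version(version)[:2] < floor:
        remediation += (f"; engine {version} predates {'.'.join(map(str, floor))}, where the "
                        "flag becomes mandatory, so plan an engine upgrade as well")
    return Finding(broker_id, name, engine, version, "FAIL", remediation)


def audit_region(region: str) -> list[Finding]:
    """Live path: page through ListBrokers and evaluate each DescribeBroker."""
    import boto3  # imported here so the offline evaluation needs no boto3

    mq = boto3.client("mq", region_name=region)
    findings: list[Finding] = []
    kwargs: dict = {}
    while True:
        page = mq.list_brokers(**kwargs)
        for summary in page.get("BrokerSummaries", []):
            findings.append(evaluate_broker(mq.describe_broker(BrokerId=summary["BrokerId"])))
        if not page.get("NextToken"):
            return findings
        kwargs = {"NextToken": page["NextToken"]}


# Constructed DescribeBroker responses (not real brokers) for the offline run.
SAMPLE_RESPONSES = [
    {"BrokerId": "b-11111111-1111-1111-1111-111111111111", "BrokerName": "orders-activemq",
     "EngineType": "ACTIVEMQ", "EngineVersion": "5.17.6", "AutoMinorVersionUpgrade": False},
    {"BrokerId": "b-22222222-2222-2222-2222-222222222222", "BrokerName": "events-rabbitmq",
     "EngineType": "RABBITMQ", "EngineVersion": "3.13", "AutoMinorVersionUpgrade": True},
]


def main(region: str | None = None) -> int:
    """Print one line per broker; return 1 if any broker fails (CI-friendly)."""
    findings = audit_region(region) if region else [evaluate_broker(d) for d in SAMPLE_RESPONSES]
    for f in findings:
        print(f"{f.status:<5} {f.broker_id} {f.engine} {f.engine_version} {f.remediation}")
    return 1 if any(f.status == "FAIL" for f in findings) else 0


if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with a region name (for example `python mq_audit.py us-east-1`) for a live audit, or with no arguments to see the constructed samples evaluated; the printed remediation line is the same update-broker command shown in the AWS CLI section, ready to paste.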

Notes

  • Version requirements: For ActiveMQ brokers on version 5.18 and later and RabbitMQ brokers on version 3.13 and later, Amazon MQ requires auto minor version upgrade to be enabled. A broker flagged by this check is therefore normally running an older engine line; plan an engine upgrade alongside enabling the flag rather than relying on the flag alone.
  • Maintenance windows: Upgrades occur during scheduled maintenance windows. Plan your maintenance window for low-traffic periods to minimize impact.
  • Testing recommendation: Test version upgrades in a staging environment before enabling auto-upgrades on production brokers.
  • High availability: For production workloads, consider a multi-AZ deployment mode (ACTIVE_STANDBY_MULTI_AZ for ActiveMQ, CLUSTER_MULTI_AZ for RabbitMQ) rather than SINGLE_INSTANCE, so the broker stays available while upgrades are applied.