MQ Brokers Should Stream Audit Logs to CloudWatch
Overview
This check verifies that your Amazon MQ brokers have CloudWatch logging enabled. Amazon MQ supports two types of logs:
- General logs: Capture broker activity and connection information (applies to both ActiveMQ and RabbitMQ)
- Audit logs: Record user management actions made through JMX or the ActiveMQ Web Console (ActiveMQ only)
Streaming these logs to CloudWatch gives you visibility into broker operations and helps you detect security issues.
Risk
Without CloudWatch logging enabled, you lose visibility into:
- Authentication events and failed login attempts
- Administrative changes to broker configuration
- Broker failures and performance issues
- Suspicious activity that could indicate a security breach
This creates blind spots that make it difficult to investigate incidents or detect when something goes wrong.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Amazon MQ brokers
- The broker may require a reboot after enabling logging (plan for a brief maintenance window)
AWS Console Method
- Open the Amazon MQ console
- In the left navigation, choose Brokers
- Select the broker you want to update
- Choose Edit
- Scroll down to Log settings
- For ActiveMQ brokers: Enable both General logs and Audit logs
- For RabbitMQ brokers: Enable General logs (audit logs are not available)
- Choose Save
- If prompted, approve the broker reboot to apply changes
AWS CLI (optional)
Enable logging for an ActiveMQ broker:
aws mq update-broker \
--broker-id <your-broker-id> \
--logs Audit=true,General=true \
--region us-east-1
Enable logging for a RabbitMQ broker:
aws mq update-broker \
--broker-id <your-broker-id> \
--logs General=true \
--region us-east-1
Find your broker ID:
aws mq list-brokers --region us-east-1
CloudFormation (optional)
The following CloudFormation template creates an Amazon MQ broker with logging enabled. For existing brokers, add or update the Logs property.
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon MQ Broker with CloudWatch Logging Enabled
Parameters:
  BrokerName:
    Type: String
    Description: Name of the Amazon MQ broker
    Default: my-mq-broker
  EngineType:
    Type: String
    Description: Broker engine type
    AllowedValues:
      - ACTIVEMQ
      - RABBITMQ
    Default: ACTIVEMQ
  HostInstanceType:
    Type: String
    Description: Instance type for the broker
    Default: mq.t3.micro
  Username:
    Type: String
    Description: Admin username for the broker
    NoEcho: true
  Password:
    Type: String
    Description: Admin password for the broker
    NoEcho: true
    MinLength: 12
Conditions:
  IsActiveMQ: !Equals [!Ref EngineType, 'ACTIVEMQ']
Resources:
  MQBroker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      BrokerName: !Ref BrokerName
      EngineType: !Ref EngineType
      EngineVersion: !If [IsActiveMQ, '5.17.6', '3.11.20']
      HostInstanceType: !Ref HostInstanceType
      DeploymentMode: SINGLE_INSTANCE
      PubliclyAccessible: false
      AutoMinorVersionUpgrade: true
      Users:
        - Username: !Ref Username
          Password: !Ref Password
      Logs:
        General: true
        Audit: !If [IsActiveMQ, true, !Ref 'AWS::NoValue']
Outputs:
  BrokerId:
    Description: ID of the Amazon MQ broker
    Value: !Ref MQBroker
  BrokerArn:
    Description: ARN of the Amazon MQ broker
    Value: !GetAtt MQBroker.Arn
Key configuration:
- Logs.General: true enables general logging (required for both engine types)
- Logs.Audit: true enables audit logging (ActiveMQ only)
Terraform (optional)
ActiveMQ broker with logging:
resource "aws_mq_broker" "activemq" {
  broker_name                = "my-activemq-broker"
  engine_type                = "ActiveMQ"
  engine_version             = "5.17.6"
  host_instance_type         = "mq.t3.micro"
  deployment_mode            = "SINGLE_INSTANCE"
  publicly_accessible        = false
  auto_minor_version_upgrade = true

  user {
    username = var.username
    password = var.password
  }

  # Enable CloudWatch logging - both audit and general for ActiveMQ
  logs {
    general = true
    audit   = true
  }
}
RabbitMQ broker with logging:
resource "aws_mq_broker" "rabbitmq" {
  broker_name                = "my-rabbitmq-broker"
  engine_type                = "RabbitMQ"
  engine_version             = "3.11.20"
  host_instance_type         = "mq.t3.micro"
  deployment_mode            = "SINGLE_INSTANCE"
  publicly_accessible        = false
  auto_minor_version_upgrade = true

  user {
    username = var.username
    password = var.password
  }

  # Enable CloudWatch logging - only general logs for RabbitMQ
  logs {
    general = true
  }
}
To update an existing broker, add the logs block to your existing resource configuration and run terraform apply.
Verification
After enabling logging, verify the configuration:
- In the Amazon MQ console, select your broker
- Check the Log settings section to confirm logging is enabled
- Navigate to CloudWatch Logs in the AWS Console
- Look for log groups named /aws/amazonmq/broker/<broker-id>/*
CLI verification commands
# Check broker logging configuration
aws mq describe-broker \
--broker-id <your-broker-id> \
--region us-east-1 \
--query 'Logs'
# Expected output for ActiveMQ:
# {
# "Audit": true,
# "General": true
# }
# List CloudWatch log groups for your broker
aws logs describe-log-groups \
--log-group-name-prefix "/aws/amazonmq/broker" \
--region us-east-1
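The same engine-aware verification as code, added here as an example and not Prowler's own implementation: it evaluates describe-broker style responses, requiring General and Audit logs for ActiveMQ and General only for RabbitMQ. The fetch_brokers helper and the sample broker records are assumptions constructed for this example; the CLI commands above remain the manual check.

```python
# ActiveMQ brokers need both General and Audit logs; RabbitMQ only
# supports General logs, so Audit is not required there.
REQUIRED_LOGS = {"ACTIVEMQ": ("General", "Audit"), "RABBITMQ": ("General",)}


def evaluate_broker(broker: dict) -> tuple[str, str]:
    """Return (status, reason) for one describe-broker style response."""
    engine = str(broker.get("EngineType", "")).upper()
    logs = broker.get("Logs") or {}
    required = REQUIRED_LOGS.get(engine)
    if required is None:
        return "FAIL", f"unknown engine type {engine!r}"
    missing = [name for name in required if not logs.get(name)]
    if missing:
        return "FAIL", f"{engine} broker missing logs: {', '.join(missing)}"
    return "PASS", f"{engine} broker streams {', '.join(required)} logs"


def evaluate_all(brokers: list[dict]) -> dict[str, tuple[str, str]]:
    """Map broker ID -> (status, reason) for a list of broker descriptions."""
    return {b["BrokerId"]: evaluate_broker(b) for b in brokers}


def fetch_brokers(region: str) -> list[dict]:
    """Fetch live broker descriptions with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline sample below runs without it
    mq = boto3.client("mq", region_name=region)
    brokers = []
    for page in mq.get_paginator("list_brokers").paginate():
        for summary in page.get("BrokerSummaries", []):
            brokers.append(mq.describe_broker(BrokerId=summary["BrokerId"]))
    return brokers


# Constructed sample responses (not real brokers), shaped like describe-broker output.
SAMPLE_BROKERS = [
    {"BrokerId": "b-activemq-ok", "EngineType": "ACTIVEMQ",
     "Logs": {"General": True, "Audit": True}},
    {"BrokerId": "b-activemq-noaudit", "EngineType": "ACTIVEMQ",
     "Logs": {"General": True, "Audit": False}},
    {"BrokerId": "b-rabbitmq-ok", "EngineType": "RABBITMQ",
     "Logs": {"General": True}},
    {"BrokerId": "b-rabbitmq-nologs", "EngineType": "RABBITMQ", "Logs": {}},
]

if __name__ == "__main__":
    for broker_id, (status, reason) in evaluate_all(SAMPLE_BROKERS).items():
        print(f"{status} {broker_id}: {reason}")
```

Replace SAMPLE_BROKERS with fetch_brokers("us-east-1") to run it against a real account.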
Additional Resources
- Amazon MQ Logging Documentation
- CloudWatch Logs for Amazon MQ
- Amazon MQ Best Practices
- Prowler Check Documentation
Notes
- Reboot required: Enabling logging may require a broker reboot. Plan for a brief service interruption.
- Engine differences: RabbitMQ brokers only support general logs. Audit logs are only available for ActiveMQ.
- Log retention: Configure CloudWatch Logs retention policies to manage storage costs. By default, logs are retained indefinitely.
- IAM permissions: Amazon MQ automatically creates the necessary IAM service-linked role to write logs to CloudWatch.