Security best practices for Amazon MQ
The following design patterns can improve the security of your Amazon MQ broker.
Topics
For more information about how Amazon MQ encrypts your data, as well as a list of supported protocols, see Data Protection.
Prefer brokers without public accessibility
Brokers created without public accessibility can't be accessed from outside of
your VPC. This greatly
reduces your broker's susceptibility to Distributed Denial of Service (DDoS) attacks
from the public internet. For more information, see Accessing the Amazon MQ broker web console without public
accessibility
in this guide and How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
Always configure an authorization map
Because ActiveMQ has no authorization map configured by default, any authenticated
user can perform any action on the broker. Thus, it is a best practice to restrict
permissions by group. For more information, see authorizationEntry.
Important
If you specify an authorization map which doesn't include the
activemq-webconsole group, you can't use the ActiveMQ Web Console because the group isn't authorized to send
messages to, or receive messages from, the Amazon MQ broker.
Block unnecessary protocols with VPC security groups
To improve security, you should restrict the connections of unnecessary protocols and ports by properly configuring your Amazon VPC Security Group. For instance, to restrict access to most protocols while allowing access to OpenWire and the web console, you could allow access to only 61617 and 8162. This limits your exposure by blocking protocols you are not using, while allowing OpenWire and the web console to function normally.
Allow only the protocol ports that you are using.
-
AMQP: 5671
-
MQTT: 8883
-
OpenWire: 61617
-
STOMP: 61614
-
WebSocket: 61619
For more information see:
