Amazon MQ
Developer Guide

API Authentication and Authorization for Amazon MQ

Amazon MQ uses standard AWS request signing for API authentication. For more information, see Signing AWS API Requests in the AWS General Reference.

Note

Currently, Amazon MQ doesn't support IAM authentication using resource-based permissions or resource-based policies.

To authorize AWS users to work with brokers, configurations, and users, you must edit your IAM policy permissions.

IAM Permissions Required to Create an Amazon MQ Broker

To create a broker, you must either use the AmazonMQFullAccess IAM policy or include the following EC2 permissions in your IAM policy.

The following custom policy is comprised of two statements (one conditional) which grant permissions to manipulate the resources which Amazon MQ requires to create an ActiveMQ broker.

Important

  • The ec2:CreateNetworkInterface action is required to allow Amazon MQ to create an elastic network interface (ENI) in your account on your behalf.

  • The ec2:CreateNetworkInterfacePermission action authorizes Amazon MQ to attach the ENI to an ActiveMQ broker.

  • The ec2:AuthorizedService condition key ensures that ENI permissions can be granted only to Amazon MQ service accounts.

{ "Version": "2012-10-17", "Statement": [{ "Action": [ "mq:*", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DetachNetworkInterface", "ec2:DescribeInternetGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs" ], "Effect": "Allow", "Resource": "*" },{ "Action": [ "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfacePermission" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:AuthorizedService": "mq.amazonaws.com" } } }] }

For more information, see Create an IAM User and Get Your AWS Credentials and Never Modify or Delete the Amazon MQ Elastic Network Interface.

Amazon MQ REST API Permissions Reference

The following table lists Amazon MQ REST APIs and the corresponding IAM permissions.

Amazon MQ REST APIs and Required Permissions

Amazon MQ REST APIs Required Permissions
CreateBroker mq:CreateBroker
CreateConfiguration mq:CreateConfiguration
CreateUser mq:CreateUser
DeleteBroker mq:DeleteBroker
DeleteUser mq:DeleteUser
DescribeBroker mq:DescribeBroker
DescribeConfiguration mq:DescribeConfiguration
DescribeConfigurationRevision mq:DescribeConfigurationRevision
DescribeUser mq:DescribeUser
ListBrokers mq:ListBrokers
ListConfigurationRevisions mq:ListConfigurationRevisions
ListConfigurations mq:ListConfigurations
ListUsers mq:ListUsers
RebootBroker mq:RebootBroker
UpdateBroker mq:UpdateBroker
UpdateConfiguration mq:UpdateConfiguration
UpdateUser mq:UpdateUser