IAM Permissions Required to Create an Amazon MQ Broker REST API permissions reference Supported resource-level permissions

API authentication and authorization for Amazon MQ

Amazon MQ uses standard AWS request signing for API authentication. For more information, see Signing AWS API Requests in the AWS General Reference.

Note

Currently, Amazon MQ doesn't support IAM authentication using resource-based permissions or resource-based policies.

To authorize AWS users to work with brokers, configurations, and users, you must edit your IAM policy permissions.

Topics

IAM Permissions Required to Create an Amazon MQ Broker
Amazon MQ REST API permissions reference
Resource-level permissions for Amazon MQ API actions

IAM Permissions Required to Create an Amazon MQ Broker

To create a broker, you must either use the AmazonMQFullAccess IAM policy or include the following EC2 permissions in your IAM policy.

The following custom policy is comprised of two statements (one conditional) which grant permissions to manipulate the resources which Amazon MQ requires to create an ActiveMQ broker.

Important

The ec2:CreateNetworkInterface action is required to allow Amazon MQ to create an elastic network interface (ENI) in your account on your behalf.
The ec2:CreateNetworkInterfacePermission action authorizes Amazon MQ to attach the ENI to an ActiveMQ broker.
The ec2:AuthorizedService condition key ensures that ENI permissions can be granted only to Amazon MQ service accounts.


{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "mq:*",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:DetachNetworkInterface",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs"
        ],
        "Effect": "Allow",
        "Resource": "*"
    },{
        "Action": [
            "ec2:CreateNetworkInterfacePermission",
            "ec2:DeleteNetworkInterfacePermission",
            "ec2:DescribeNetworkInterfacePermissions"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:AuthorizedService": "mq.amazonaws.com"
            }
        }
    }]
}

For more information, see Step 2: create a user and get your AWS credentials and Never Modify or Delete the Amazon MQ Elastic Network Interface.

Amazon MQ REST API permissions reference

The following table lists Amazon MQ REST APIs and the corresponding IAM permissions.

Amazon MQ REST APIs and Required Permissions
Amazon MQ REST APIs	Required Permissions
`CreateBroker`	`mq:CreateBroker`
`CreateConfiguration`	`mq:CreateConfiguration`
`CreateTags`	`mq:CreateTags`
`CreateUser`	`mq:CreateUser`
`DeleteBroker`	`mq:DeleteBroker`
`DeleteUser`	`mq:DeleteUser`
`DescribeBroker`	`mq:DescribeBroker`
`DescribeConfiguration`	`mq:DescribeConfiguration`
`DescribeConfigurationRevision`	`mq:DescribeConfigurationRevision`
`DescribeUser`	`mq:DescribeUser`
`ListBrokers`	`mq:ListBrokers`
`ListConfigurationRevisions`	`mq:ListConfigurationRevisions`
`ListConfigurations`	`mq:ListConfigurations`
`ListTags`	`mq:ListTags`
`ListUsers`	`mq:ListUsers`
`RebootBroker`	`mq:RebootBroker`
`UpdateBroker`	`mq:UpdateBroker`
`UpdateConfiguration`	`mq:UpdateConfiguration`
`UpdateUser`	`mq:UpdateUser`

Resource-level permissions for Amazon MQ API actions

The term resource-level permissions refers to the ability to specify the resources on which users are allowed to perform actions. Amazon MQ has partial support for resource-level permissions. For certain Amazon MQ actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or specific resources that users are allowed to use.

The following table describes the Amazon MQ API actions that currently support resource-level permissions, as well as the supported resources, resource ARNs, and condition keys for each action.

Important

If an Amazon MQ API action is not listed in this table, then it does not support resource-level permissions. If an Amazon MQ API action does not support resource-level permissions, you can grant users permission to use the action, but you have to specify a * wildcard for the resource element of your policy statement.

API Action	Resource Types (*required)
`CreateConfiguration`	configurations*
`CreateTags`	brokers, configurations
`CreateUser`	brokers*
`DeleteBroker`	brokers*
`DeleteUser`	brokers*
`DescribeBroker`	brokers*
`DescribeConfiguration`	configurations*
`DescribeConfigurationRevision`	configurations*
`DescribeUser`	brokers*
`ListConfigurationRevisions`	configurations*
`ListConfigurationRevisions`	configurations*
`ListTags`	brokers, configurations
`ListUsers`	brokers*
`RebootBroker`	brokers*
`UpdateBroker`	brokers*
`UpdateConfiguration`	configurations*
`UpdateUser`	brokers*

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity-based policy examples

AWS managed policies