API authentication and authorization for Amazon MQ - Amazon MQ

API authentication and authorization for Amazon MQ

Amazon MQ uses standard AWS request signing for API authentication. For more information, see Signing AWS API Requests in the AWS General Reference.


Currently, Amazon MQ doesn't support IAM authentication using resource-based permissions or resource-based policies.

To authorize AWS users to work with brokers, configurations, and users, you must edit your IAM policy permissions.

IAM Permissions Required to Create an Amazon MQ Broker

To create a broker, you must either use the AmazonMQFullAccess IAM policy or include the following EC2 permissions in your IAM policy.

The following custom policy is comprised of two statements (one conditional) which grant permissions to manipulate the resources which Amazon MQ requires to create an ActiveMQ broker.

  • The ec2:CreateNetworkInterface action is required to allow Amazon MQ to create an elastic network interface (ENI) in your account on your behalf.

  • The ec2:CreateNetworkInterfacePermission action authorizes Amazon MQ to attach the ENI to an ActiveMQ broker.

  • The ec2:AuthorizedService condition key ensures that ENI permissions can be granted only to Amazon MQ service accounts.

{ "Version": "2012-10-17", "Statement": [{ "Action": [ "mq:*", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DetachNetworkInterface", "ec2:DescribeInternetGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs" ], "Effect": "Allow", "Resource": "*" },{ "Action": [ "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfacePermissions" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:AuthorizedService": "mq.amazonaws.com" } } }] }

For more information, see Step 2: create a user and get your AWS credentials and Never Modify or Delete the Amazon MQ Elastic Network Interface.

Amazon MQ REST API permissions reference

The following table lists Amazon MQ REST APIs and the corresponding IAM permissions.

Amazon MQ REST APIs and Required Permissions
Amazon MQ REST APIs Required Permissions
CreateBroker mq:CreateBroker
CreateConfiguration mq:CreateConfiguration
CreateTags mq:CreateTags
CreateUser mq:CreateUser
DeleteBroker mq:DeleteBroker
DeleteUser mq:DeleteUser
DescribeBroker mq:DescribeBroker
DescribeConfiguration mq:DescribeConfiguration
DescribeConfigurationRevision mq:DescribeConfigurationRevision
DescribeUser mq:DescribeUser
ListBrokers mq:ListBrokers
ListConfigurationRevisions mq:ListConfigurationRevisions
ListConfigurations mq:ListConfigurations
ListTags mq:ListTags
ListUsers mq:ListUsers
RebootBroker mq:RebootBroker
UpdateBroker mq:UpdateBroker
UpdateConfiguration mq:UpdateConfiguration
UpdateUser mq:UpdateUser

Resource-level permissions for Amazon MQ API actions

The term resource-level permissions refers to the ability to specify the resources on which users are allowed to perform actions. Amazon MQ has partial support for resource-level permissions. For certain Amazon MQ actions, you can control when users are allowed to use those actions based on conditions that have to be fulfilled, or specific resources that users are allowed to use.

The following table describes the Amazon MQ API actions that currently support resource-level permissions, as well as the supported resources, resource ARNs, and condition keys for each action.


If an Amazon MQ API action is not listed in this table, then it does not support resource-level permissions. If an Amazon MQ API action does not support resource-level permissions, you can grant users permission to use the action, but you have to specify a * wildcard for the resource element of your policy statement.