Amazon MQ
Developer Guide

Using Amazon MQ Securely

The following design patterns can improve the security of your Amazon MQ broker.

Prefer Brokers without Public Accessibility

Brokers created without public accessibility can't be accessed from outside of your VPC. This greatly reduces your broker's susceptibility to Distributed Denial of Service (DDoS) attacks from the public internet. For more information, see Accessing the ActiveMQ Web Console of a Broker without Public Accessibility in this guide and How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface on the AWS Security Blog.

Always Use Client-Side Encryption as a Complement to TLS

You can access your brokers with TLS enabled over the protocols listed under Block Unnecessary Protocols with VPC Security Groups later in this section: AMQP, MQTT, OpenWire, STOMP, and WebSocket.

Amazon MQ encrypts messages at rest and in transit using encryption keys that it manages and stores securely. TLS protects a message only on the connection between a client and the broker; the broker itself, and anyone authorized to read from it (including through the ActiveMQ Web Console), handles the plaintext. For additional security, we highly recommend designing your application to encrypt message payloads on the client side as well, so that the broker only ever stores and forwards ciphertext. For more information, see the AWS Encryption SDK Developer Guide.

Always Configure an Authorization Map

Because ActiveMQ has no authorization map configured by default, any authenticated user can perform any action on the broker: send to or consume from any queue or topic, and create or delete destinations. Thus, it is a best practice to restrict permissions by group, granting each group only the read, write, and admin rights it needs on the destinations it actually uses. For more information, see authorizationEntry.

Always Configure a System Group

Amazon MQ uses a system group (called activemq-webconsole) to allow the ActiveMQ Web Console to communicate with the ActiveMQ broker.

The settings for the activemq-webconsole group in the authorization map restrict which operations can be performed on queues or topics from the web console. For more information and an example configuration, see authorizationEntry.

Important

If you specify an authorization map that doesn't include the activemq-webconsole group, you can't use the ActiveMQ Web Console, because the group isn't authorized to send messages to, or receive messages from, the Amazon MQ broker. Include the group in the read, write, and admin attributes of every authorizationEntry that the console must be able to act on.
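The following shell script is an added example and is not part of the Amazon MQ guide. It serves both passages above (restricting permissions by group, and keeping the activemq-webconsole system group in every entry): it writes a broker configuration with an authorization map, checks that each authorizationEntry names activemq-webconsole in its read, write, and admin attributes before anything is uploaded, and prints the AWS CLI command that uploads the file as a new revision of an existing configuration. The group names admins and app, the queue prefix orders., and the configuration ID are assumed placeholders, and the check relies on each authorizationEntry being written on a single line.

```shell
#!/bin/sh
# Added example, not from the Amazon MQ guide. Group names "admins" and "app",
# the queue prefix "orders." and the configuration ID are placeholders.

# The broker configuration. Each authorizationEntry stays on one line so the check
# below can inspect it. read = consume, write = produce, admin = create/destroy
# the destination. Every entry carries the activemq-webconsole system group.
authz_config() {
cat <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<broker xmlns="http://activemq.apache.org/schema/core">
  <plugins>
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <authorizationEntry queue="orders.>" read="app,admins,activemq-webconsole" write="app,admins,activemq-webconsole" admin="admins,activemq-webconsole"/>
            <authorizationEntry queue=">" read="admins,activemq-webconsole" write="admins,activemq-webconsole" admin="admins,activemq-webconsole"/>
            <authorizationEntry topic=">" read="admins,activemq-webconsole" write="admins,activemq-webconsole" admin="admins,activemq-webconsole"/>
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="app,admins,activemq-webconsole" write="app,admins,activemq-webconsole" admin="app,admins,activemq-webconsole"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
EOF
}

# Fail if the file has no authorizationEntry, or if any entry omits
# activemq-webconsole from read, write or admin: such an entry cuts the
# ActiveMQ Web Console off from that destination.
check_webconsole_group() {
  awk '/<authorizationEntry/ {
         n++
         for (i = 1; i <= NF; i++)
           if ($i ~ /^(read|write|admin)=/ && $i !~ /activemq-webconsole/) {
             print "missing activemq-webconsole in: " $i
             bad++
           }
       }
       END { if (n > 0 && bad == 0) exit 0; exit 1 }' "$1"
}

# Print (not run) the call that uploads the file as a new revision of an existing
# configuration; --data takes the base64-encoded XML. Afterwards, point the broker
# at the new revision (aws mq update-broker --configuration Id=...,Revision=...)
# and reboot the broker so the change takes effect.
upload_command() {
  data=$(base64 < "$2" | tr -d '\n')
  printf 'aws mq update-configuration --configuration-id %s --description "authorization map" --data %s\n' "$1" "$data"
}

main() {
  cfg=$(mktemp)
  authz_config > "$cfg"
  if check_webconsole_group "$cfg"; then
    upload_command "${CONFIGURATION_ID:-c-REPLACE-WITH-YOUR-ID}" "$cfg"
  else
    echo "refusing to upload: the ActiveMQ Web Console would lose access" >&2
  fi
  rm -f "$cfg"
}
main
```

Running the script prints the update-configuration command instead of executing it, so the generated XML can be reviewed first; the check is deliberately strict and rejects a map in which the console group is present in read and admin but missing from write, which is the kind of partial entry that breaks message sending from the console.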

Block Unnecessary Protocols with VPC Security Groups

To improve security, restrict connections for unnecessary protocols and ports by properly configuring your Amazon VPC security group. For instance, to block most protocols while allowing OpenWire and the ActiveMQ Web Console, you could allow inbound access to only ports 61617 and 8162. This limits your exposure by blocking protocols you are not using, while allowing OpenWire and the ActiveMQ Web Console to function normally. In addition to limiting the ports, limit the source of each inbound rule to the security group or CIDR range of your clients rather than to 0.0.0.0/0.

Allow only the ports for the protocols that you are using. Each protocol is exposed on the following TLS port:

  • AMQP: 5671

  • MQTT: 8883

  • OpenWire: 61617

  • STOMP: 61614

  • WebSocket: 61619

For more information see.
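The following shell script is an added example and is not part of the Amazon MQ guide. It maps each protocol above to its TLS port, prints the AWS CLI calls that open only the requested ports from the clients' security group (rather than from 0.0.0.0/0), and audits an existing list of inbound rules against the ports that are actually needed. The security group IDs and the sample rule list are constructed placeholders; the audit expects one rule per line as a port followed by its source, which you would derive from the output of aws ec2 describe-security-groups.

```shell
#!/bin/sh
# Added example, not from the Amazon MQ guide. Security group IDs and the
# sample rules are placeholders.

# TLS port for each protocol the guide lists, plus the ActiveMQ Web Console port.
# Anything else is rejected so a typo cannot open an unintended port.
mq_port() {
  case "$1" in
    amqp)      echo 5671  ;;
    mqtt)      echo 8883  ;;
    openwire)  echo 61617 ;;
    stomp)     echo 61614 ;;
    websocket) echo 61619 ;;
    console)   echo 8162  ;;
    *) echo "unsupported protocol: $1" >&2; return 1 ;;
  esac
}

# Print the AWS CLI calls that add one inbound rule per requested protocol on
# the broker's security group, sourced from the client security group rather
# than from a CIDR block. Stops at the first unknown protocol.
ingress_commands() {
  broker_sg=$1; client_sg=$2; shift 2
  for proto in "$@"; do
    port=$(mq_port "$proto") || return 1
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --source-group %s\n' \
      "$broker_sg" "$port" "$client_sg"
  done
}

# Audit existing rules read from stdin ("port source" per line) against a
# space-separated list of allowed ports. Flags ports outside the list and rules
# whose source is the whole internet; returns non-zero if anything was flagged.
audit_rules() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      port = $1; src = $2
      if (!(port in ok))                             { print "REMOVE: port " port " is not needed"; bad++ }
      else if (src == "0.0.0.0/0" || src == "::/0")  { print "RESTRICT: port " port " is open to " src; bad++ }
      else                                           { print "ok: port " port " from " src }
    }
    END { exit bad > 0 }'
}

# Constructed sample of the broker security group's current inbound rules
# (not real CLI output): OpenWire from the clients, the console open to the
# internet, and a STOMP rule the broker no longer needs.
SAMPLE_RULES='61617 sg-0a1b2c3d4e5f67890
8162 0.0.0.0/0
61614 10.0.0.0/16'

echo "# rules to add for an OpenWire-only broker with console access:"
ingress_commands sg-0broker00000000000 sg-0a1b2c3d4e5f67890 openwire console
echo "# audit of the current rules against ports 61617 and 8162:"
printf '%s\n' "$SAMPLE_RULES" | audit_rules "61617 8162" || echo "# audit found rules to fix"
```

The rules are printed rather than executed so they can be reviewed; note that removing an inbound rule is done with aws ec2 revoke-security-group-ingress and the same port and source arguments, and that a rule on port 8162 sourced from 0.0.0.0/0 defeats the point of a broker without public accessibility only if the broker is also publicly reachable, but is still unnecessary exposure inside the VPC.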