Amazon MQ
Developer Guide

Using Amazon MQ Securely

The following design patterns can improve the security of your Amazon MQ broker.

Prefer Brokers without Public Accessibility

Brokers created without public accessibility can't be accessed from outside of your VPC. This greatly reduces your broker's susceptibility to Distributed Denial of Service (DDoS) attacks from the public internet. For more information, see Accessing the ActiveMQ Web Console of a Broker without Public Accessibility in this guide and How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface on the AWS Security Blog.

Always Use Client-Side Encryption as a Complement to TLS

You can access your brokers using the following protocols with TLS enabled:

Amazon MQ encrypts messages at rest and in transit using encryption keys that it manages and stores securely. For additional security, we highly recommend designing your application to use client-side encryption. For more information, see the AWS Encryption SDK Developer Guide.

Always Configure an Authorization Map

Because ActiveMQ has no authorization map configured by default, any authenticated user can perform any action on the broker. Thus, it is a best practice to restrict permissions by group. For more information, see authorizationEntry.

Block Unnecessary Protocols with VPC Security Groups

To improve security, you should restrict the connections of unnecessary protocols and ports by properly configuring your Amazon VPC Security Group. For instance, to restrict access to most protocols while allowing access to OpenWire and the ActiveMQ web console, you could allow access to only 61617 and 8162. This limits your exposure by blocking protocols you are not using, while allowing OpenWire and the ActiveMQ web console to function normally.

Allow only the protocol ports that you are using.

  • AMQP: 5671

  • MQTT: 8883

  • OpenWire: 61617

  • STOMP: 61614

  • WebSocket: 61619

For more information see.