MQ Broker Is Publicly Accessible
- Query id: 68b6a789-82f8-4cfd-85de-e95332fe6a61
- Query name: MQ Broker Is Publicly Accessible
- Platform: CloudFormation
- Severity: High
- Category: Insecure Configurations
- CWE: 668 (Exposure of Resource to Wrong Sphere)
- URL: Github
Description
Check whether any AWS::AmazonMQ::Broker resource has PubliclyAccessible set to true. That setting makes the broker's endpoints and web console reachable from outside the VPC that hosts the broker's subnets, so the only remaining controls are the broker credentials and its security group rules. Leave the property at its default of false, or set it explicitly, so the broker is reachable only from inside the VPC.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  BasicBroker:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      AutoMinorVersionUpgrade: "false"
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: true   # the finding: broker endpoints become reachable from outside the VPC
      Users:
        -
          ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker2": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EncryptionOptions": {
          "UseAwsOwnedKey": true
        },
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": [
              "MyGroup"
            ],
            "Password": {
              "Ref": "BrokerPassword"
            },
            "Username": {
              "Ref": "BrokerUsername"
            }
          }
        ],
        "AutoMinorVersionUpgrade": "false",
        "PubliclyAccessible": true
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create a basic ActiveMQ broker"
Resources:
  BasicBroker:
    Type: "AWS::AmazonMQ::Broker"
    Properties:
      AutoMinorVersionUpgrade: "false"
      BrokerName: MyBasicBroker
      DeploymentMode: SINGLE_INSTANCE
      EncryptionOptions:
        UseAwsOwnedKey: true
      EngineType: ActiveMQ
      EngineVersion: "5.15.0"
      HostInstanceType: mq.t2.micro
      PubliclyAccessible: false   # explicit false; this is also the property's default
      Users:
        -
          ConsoleAccess: "true"
          Groups:
            - MyGroup
          Password:
            Ref: "BrokerPassword"
          Username:
            Ref: "BrokerUsername"
Negative test num. 2 - json file (PubliclyAccessible is omitted, so it takes its default of false)
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a basic ActiveMQ broker",
  "Resources": {
    "BasicBroker2": {
      "Type": "AWS::AmazonMQ::Broker",
      "Properties": {
        "BrokerName": "MyBasicBroker",
        "DeploymentMode": "SINGLE_INSTANCE",
        "EncryptionOptions": {
          "UseAwsOwnedKey": true
        },
        "EngineType": "ActiveMQ",
        "EngineVersion": "5.15.0",
        "HostInstanceType": "mq.t2.micro",
        "Users": [
          {
            "ConsoleAccess": "true",
            "Groups": [
              "MyGroup"
            ],
            "Password": {
              "Ref": "BrokerPassword"
            },
            "Username": {
              "Ref": "BrokerUsername"
            }
          }
        ],
        "AutoMinorVersionUpgrade": "false"
      }
    }
  }
}
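The condition the positive and negative samples above illustrate, written out as a stand-alone Python check. This is an added example, not the KICS query itself (KICS implements its queries in Rego). It reads a CloudFormation template and covers the cases a plain `== true` comparison would get wrong: the property being absent (CloudFormation defaults it to false, as negative test 2 relies on), the value arriving as the string "true" (CloudFormation accepts string-typed booleans, as the samples' `"AutoMinorVersionUpgrade": "false"` shows), and the value coming from an intrinsic such as `{"Ref": "SomeParameter"}`, which cannot be resolved statically and is reported as undetermined rather than silently passed. The embedded template, its logical IDs and the `Exposure` parameter are constructed for the example and are not a deployable broker definition; PyYAML is an optional dependency used only when the input is YAML.

```python
"""Offline check for AWS::AmazonMQ::Broker resources with PubliclyAccessible set.

Added example for this page, not KICS's own query. It reports, for every
broker in a CloudFormation template, whether PubliclyAccessible resolves to
true ('public'), false or absent ('private'), or an intrinsic function that
cannot be evaluated statically ('undetermined').
"""
import json

BROKER_TYPE = "AWS::AmazonMQ::Broker"


def resolve_bool(value):
    """True/False for a plain or string-typed boolean; None when the value is
    an intrinsic function (dict/list) or otherwise unresolvable."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return None


def audit_brokers(template):
    """Map each broker's logical ID to 'public', 'private' or 'undetermined'."""
    verdicts = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != BROKER_TYPE:
            continue
        props = resource.get("Properties") or {}
        if "PubliclyAccessible" not in props:
            verdicts[logical_id] = "private"  # property defaults to false
            continue
        flag = resolve_bool(props["PubliclyAccessible"])
        if flag is None:
            verdicts[logical_id] = "undetermined"
        else:
            verdicts[logical_id] = "public" if flag else "private"
    return verdicts


def load_template(text):
    """Parse a JSON template; fall back to YAML (PyYAML, optional) and fold
    short-form tags such as !Ref into their long-form dicts so that
    resolve_bool sees them as intrinsics."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        import yaml  # only needed for YAML templates

        class CfnLoader(yaml.SafeLoader):
            pass

        def intrinsic(loader, suffix, node):
            if isinstance(node, yaml.ScalarNode):
                value = loader.construct_scalar(node)
            elif isinstance(node, yaml.SequenceNode):
                value = loader.construct_sequence(node)
            else:
                value = loader.construct_mapping(node)
            return {"Ref" if suffix == "Ref" else "Fn::" + suffix: value}

        CfnLoader.add_multi_constructor("!", intrinsic)
        return yaml.load(text, Loader=CfnLoader)


def findings(text):
    """Logical IDs a reviewer must look at: public or undetermined brokers."""
    return sorted(k for k, v in audit_brokers(load_template(text)).items()
                  if v != "private")


# Constructed sample (hypothetical logical IDs and parameter; properties are
# trimmed to what the check reads, so this is not a deployable template).
SAMPLE_TEMPLATE = """{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"Exposure": {"Type": "String", "Default": "false"}},
  "Resources": {
    "PublicBroker":  {"Type": "AWS::AmazonMQ::Broker",
                      "Properties": {"PubliclyAccessible": true}},
    "StringyBroker": {"Type": "AWS::AmazonMQ::Broker",
                      "Properties": {"PubliclyAccessible": "true"}},
    "DefaultBroker": {"Type": "AWS::AmazonMQ::Broker",
                      "Properties": {"BrokerName": "quiet"}},
    "ParamBroker":   {"Type": "AWS::AmazonMQ::Broker",
                      "Properties": {"PubliclyAccessible": {"Ref": "Exposure"}}},
    "NotABroker":    {"Type": "AWS::SQS::Queue", "Properties": {}}
  }
}"""

if __name__ == "__main__":
    for logical_id, verdict in audit_brokers(load_template(SAMPLE_TEMPLATE)).items():
        print(f"{logical_id}: {verdict}")
```

Two practical notes. First, treat "undetermined" as a finding to triage, not as a pass: a parameter whose default is "false" can still be overridden to "true" at deploy time. Second, the CloudFormation resource reference lists PubliclyAccessible as an update that requires replacement, so flipping it on an existing broker means a new broker (and new endpoints), which is a reason to catch the value in the template before the first deployment rather than after.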