MQ Broker Logging Disabled

  • Query id: 31245f98-a6a9-4182-9fc1-45482b9d030a
  • Query name: MQ Broker Logging Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

Checks that every aws_mq_broker resource enables both of the broker's logging options: general logging (broker activity sent to CloudWatch Logs) and audit logging (user-management actions made through JMX or the ActiveMQ Web Console). A broker is flagged when it has no logs block, or when either general or audit is omitted (both default to false in the Terraform provider) or explicitly set to false. Note that audit logging is only available for engine_type ActiveMQ; RabbitMQ brokers support general logging only, so an audit finding on a RabbitMQ broker should be reviewed as a false positive rather than "fixed" by setting audit = true.
Documentation
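The rule described above, as an added example that is neither the KICS query itself (KICS queries are written in Rego) nor Terraform provider code: a small Python checker that parses the HCL subset used by the samples on this page and applies the same logic, flagging a broker when the logs block is missing or when either general or audit is absent or false. The sample input is constructed from the page's test files, and the function names (audit_mq_brokers and its helpers) are this example's own.

```python
"""Stand-alone check for this page's rule: every aws_mq_broker must enable
both general and audit logging. Added example, not KICS code; the parser
covers only the HCL subset the samples use (blocks, scalar attributes,
'#' comments). Use python-hcl2 or a JSON plan for real configurations."""
import re

_BROKER_HEADER = re.compile(r'resource\s+"aws_mq_broker"\s+"([^"]+)"\s*\{')


def _matching_brace(text: str, open_idx: int) -> int:
    """Index of the '}' closing text[open_idx] == '{'.
    Braces inside quoted strings and '#' comments are ignored."""
    depth, in_string, i = 0, False, open_idx
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced braces in HCL input")


def _nested_block(body: str, name: str):
    """Body of the first `name { ... }` block inside body, or None."""
    m = re.search(rf"^[ \t]*{name}\s*\{{", body, re.M)
    if m is None:
        return None
    open_idx = m.end() - 1
    return body[open_idx + 1 : _matching_brace(body, open_idx)]


def _bool_attr(body: str, name: str):
    """True/False for `name = true|false`; None when the attribute is absent."""
    m = re.search(rf"^[ \t]*{name}\s*=\s*(true|false)\b", body, re.M)
    return None if m is None else m.group(1) == "true"


def audit_mq_brokers(hcl_text: str) -> dict[str, list[str]]:
    """Map each aws_mq_broker label to its logging findings (empty = pass)."""
    report: dict[str, list[str]] = {}
    for header in _BROKER_HEADER.finditer(hcl_text):
        label = header.group(1)
        open_idx = header.end() - 1
        body = hcl_text[open_idx + 1 : _matching_brace(hcl_text, open_idx)]
        reasons: list[str] = []
        logs = _nested_block(body, "logs")
        if logs is None:
            reasons.append("no logs block: general and audit logging are both disabled")
        else:
            for attr in ("general", "audit"):  # both default to false in the provider
                value = _bool_attr(logs, attr)
                if value is None:
                    reasons.append(f"logs.{attr} not set (defaults to false)")
                elif not value:
                    reasons.append(f"logs.{attr} = false")
        report[label] = reasons
    return report


# Constructed input mirroring the page's samples; not a real deployment.
SAMPLE_HCL = '''
resource "aws_mq_broker" "positive1" {
  broker_name = "no-logging"
}
resource "aws_mq_broker" "positive2" {
  broker_name = "partial-logging"
  logs {
    general = true
  }
}
resource "aws_mq_broker" "positive3" {
  broker_name = "disabled-logging"
  logs {
    general = false
    audit   = true
  }
}
resource "aws_mq_broker" "negative1" {
  broker_name = "example"
  user {
    username = "ExampleUser"
    password = "MindTheGap"  # placeholder only; never commit real credentials
  }
  logs {
    general = true
    audit   = true
  }
}
'''
```

Calling audit_mq_brokers(SAMPLE_HCL) returns one reason for each of the three positive brokers and an empty list for negative1. The checker applies the rule exactly as the page states it, regardless of engine_type, so it reproduces the rule's behaviour on RabbitMQ brokers as well.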

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# No logs block at all: general and audit both default to false.
resource "aws_mq_broker" "positive1" {
  broker_name = "no-logging"
}

# Only general logging; audit is omitted and therefore disabled.
resource "aws_mq_broker" "positive2" {
  broker_name = "partial-logging"

  logs {
    general = true
  }
}

# General logging explicitly disabled; audit alone does not satisfy the check.
resource "aws_mq_broker" "positive3" {
  broker_name = "disabled-logging"

  logs {
    general = false
    audit   = true
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_mq_broker" "negative1" {
  broker_name = "example"

  configuration {
    id       = aws_mq_configuration.test.id
    revision = aws_mq_configuration.test.latest_revision
  }

  engine_type        = "ActiveMQ"
  engine_version     = "5.15.0"
  host_instance_type = "mq.t2.micro"
  security_groups    = [aws_security_group.test.id]

  user {
    username = "ExampleUser"
    # Placeholder from the provider example; in real code take the password
    # from a variable or a secrets manager rather than committing it.
    password = "MindTheGap"
  }

  # Both logging options enabled: this is what the check requires.
  logs {
    general = true
    audit   = true
  }
}