MQ brokers should not be publicly accessible
- GG_ID: GG_IAC_0053
- Severity: HIGH
- Complexity: LOW
- Categories: NETWORK
- Providers: AWS
- Potential data exposure: False
- Visible in logs: True
- User interaction required: False
- Privileges required: False
Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.
Leaving the broker publicly accessible lets attackers reach it over the public internet. This greatly increases its exposure to distributed denial of service (DDoS) attacks, and if the broker has other weaknesses (weak or leaked credentials, an unpatched engine version), public reachability makes them far easier to exploit.
- Denial of service.
- Possibility of code injection if broker credentials leak.
- Possibility of a compromised service if broker credentials leak.
Since the public accessibility setting of an existing broker cannot be changed, a replacement broker must be created with the public accessibility option disabled and placed in private subnets, and clients migrated to it before the old broker is deleted. See https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-creating-configuring-broker.html for more details.
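The following Terraform snippet is an added illustration and not part of the original page or of any GitGuardian or AWS code. It shows the weak configuration the check flags next to the corrected one. The resource names, subnet and security group references, engine version and the `var.mq_admin_password` variable are assumptions chosen for the example; everything else is the standard `aws_mq_broker` resource.

```hcl
# Flagged by the check: the broker is reachable from the public internet.
# (assumed names and references throughout this example)
resource "aws_mq_broker" "public_example" {
  broker_name        = "orders-broker-public"
  engine_type        = "ActiveMQ"
  engine_version     = "5.17.6"     # assumed version, pick a supported one
  host_instance_type = "mq.t3.micro"
  deployment_mode    = "SINGLE_INSTANCE"

  publicly_accessible = true        # weak setting: public IP and public endpoint
  security_groups     = [aws_security_group.mq.id]
  subnet_ids          = [aws_subnet.public_a.id]

  user {
    username = "admin"
    password = var.mq_admin_password
  }
}

# Corrected: a new broker (the setting cannot be changed in place),
# private endpoint only, in a private subnet, restricted by security group.
resource "aws_mq_broker" "private_example" {
  broker_name        = "orders-broker"
  engine_type        = "ActiveMQ"
  engine_version     = "5.17.6"     # assumed version, pick a supported one
  host_instance_type = "mq.t3.micro"
  deployment_mode    = "SINGLE_INSTANCE"

  publicly_accessible = false       # no public IP; endpoints resolve to VPC addresses
  security_groups     = [aws_security_group.mq.id]
  subnet_ids          = [aws_subnet.private_a.id]

  user {
    username = "admin"
    password = var.mq_admin_password
  }
}

# Only the application tier may open the broker ports (assumed CIDR/SG layout).
resource "aws_security_group" "mq" {
  name   = "mq-broker"
  vpc_id = aws_vpc.main.id

  ingress {
    description     = "OpenWire from the application tier only"
    from_port       = 61617
    to_port         = 61617
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }

  ingress {
    description     = "ActiveMQ web console, internal only"
    from_port       = 8162
    to_port         = 8162
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
}
```

Because `publicly_accessible` forces replacement, `terraform plan` will show the first broker being destroyed and a new one created rather than updated in place; schedule the change so consumers are repointed to the new endpoints first. To confirm the deployed state of any broker, `aws mq describe-broker --broker-id <id>` returns a `PubliclyAccessible` field that should read `false`.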