Ensure Amazon MQ Broker logging is enabled

Error: Amazon MQ Broker logging is not enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_10
Checkov Check ID: CKV_AWS_48
Severity: MEDIUM

Description

Amazon MQ is a broker service built on Apache ActiveMQ. As a message broker, MQ allows applications to communicate using various programming languages, operating systems and formal messaging protocols.

Amazon MQ is integrated with CloudTrail, which records the Amazon MQ API calls made by a user, role, or AWS service, capturing both the request parameters and the responses as CloudTrail events. Enabling logging lets developers trace requests and responses and verify that brokers are used only within their predefined message-brokering settings.

We recommend you enable Amazon MQ Broker Logging.

Fix - Buildtime

Terraform

resource "aws_mq_broker" "enabled" {
  broker_name        = "example"
  engine_type        = "ActiveMQ"
  engine_version     = "5.16.3"
  host_instance_type = "mq.t3.micro"

  user {
    # Example credentials only; in a real configuration source these from a
    # variable or a secrets manager rather than committing them to source control.
    password = "admin123"
    username = "admin"
  }

  # Broker logging: general = true publishes the broker's general logs to
  # CloudWatch Logs and is the setting this policy (CKV_AWS_48) looks for.
  logs {
    general = true
  }
}
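To see how this policy evaluates a configuration, the following added example (not Checkov's own implementation, and not part of the original page) mirrors the intent of CKV_AWS_48 over `aws_mq_broker` resources parsed from `terraform show -json` plan output: a broker passes only when its `logs` block sets `general = true`, and a missing `logs` block or `general = false` fails. The sample plan embedded in the script is constructed for illustration and describes no real infrastructure; the `scan_plan` and `check_mq_broker_logging` function names are this example's own.

```python
"""Evaluate aws_mq_broker resources for the logging setting this policy requires.

Added example, not Checkov's own code: it mirrors the intent of CKV_AWS_48
(logs.general must be true) over resources already parsed into Python dicts,
such as the `planned_values` section of `terraform show -json` output.
"""
import json

PASSED, FAILED = "PASSED", "FAILED"


def _as_block(value):
    """Terraform JSON represents nested blocks as lists; HCL parsers may give a dict."""
    if isinstance(value, list):
        return value[0] if value else {}
    return value or {}


def check_mq_broker_logging(resource: dict) -> str:
    """Return PASSED when logs.general is true, FAILED otherwise (missing block included)."""
    logs = _as_block(resource.get("logs"))
    general = logs.get("general", False)
    # Some tooling carries booleans as the strings "true"/"false"; normalise them.
    if isinstance(general, str):
        general = general.strip().lower() == "true"
    return PASSED if general is True else FAILED


def scan_plan(plan_json: str) -> dict:
    """Run the check over every aws_mq_broker in a `terraform show -json` document."""
    plan = json.loads(plan_json)
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return {
        res["address"]: check_mq_broker_logging(res.get("values", {}))
        for res in resources
        if res.get("type") == "aws_mq_broker"
    }


# Constructed sample plan (no real infrastructure): one broker with no logs block
# (Terraform JSON renders an unset nested block as an empty list), one with
# general = false, and one matching the fix shown on this page.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_mq_broker.no_logs", "type": "aws_mq_broker",
         "values": {"broker_name": "a", "engine_type": "ActiveMQ", "logs": []}},
        {"address": "aws_mq_broker.disabled", "type": "aws_mq_broker",
         "values": {"broker_name": "b", "engine_type": "ActiveMQ",
                    "logs": [{"general": False, "audit": False}]}},
        {"address": "aws_mq_broker.enabled", "type": "aws_mq_broker",
         "values": {"broker_name": "example", "engine_type": "ActiveMQ",
                    "logs": [{"general": True, "audit": False}]}},
    ]}}
})

if __name__ == "__main__":
    for address, verdict in scan_plan(SAMPLE_PLAN).items():
        print(f"{verdict}: {address}")
```

Running the script against real output (`terraform plan -out=tfplan && terraform show -json tfplan`) only requires replacing `SAMPLE_PLAN` with the file contents; the check deliberately treats an absent `logs` block the same as `general = false`, since the default for an unset block is no logging.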