Severity: Medium | Function: Identify | Scope: Regional

ActiveMQ brokers should stream audit logs to CloudWatch

Compliance: NIST 800-53, PCI DSS v4.0.1, PCI DSS v10.3.3, ISO 27001, HIPAA

Description

This control checks whether an Amazon MQ ActiveMQ broker streams audit logs to Amazon CloudWatch Logs. The control fails if the broker doesn't stream audit logs to CloudWatch Logs. By publishing ActiveMQ broker logs to CloudWatch Logs, you can create CloudWatch alarms and metrics that increase the visibility of security-related information.


Remediation

To remediate an ActiveMQ broker whose audit logs are not streaming to CloudWatch Logs, enable audit logging on the broker.

Steps

  1. Navigate to the Amazon MQ console
  2. Select the ActiveMQ broker that needs remediation
  3. Click on 'Edit' or 'Modify' broker
  4. Go to 'Logs' settings
  5. Enable 'Audit' logging
  6. Configure CloudWatch Logs destination
  7. Set up log groups and retention policies
  8. Review the logging configuration
  9. Apply the changes to the broker
  10. Verify audit logs are streaming to CloudWatch
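The same check and fix can be scripted against the Amazon MQ API. The following is an added example, not code from the original page: it evaluates a `DescribeBroker` response (the dict shape returned by boto3's `mq.describe_broker()`) and builds the `mq.update_broker()` request that enables audit logging. The sample broker responses are constructed for illustration, and the broker IDs are placeholders.

```python
"""Evaluate and remediate the "ActiveMQ audit logs to CloudWatch" control."""
from typing import Optional

# Only ActiveMQ brokers expose an Audit log option; RabbitMQ brokers in
# Amazon MQ support general logging only, so they are out of scope here.
AUDIT_CAPABLE_ENGINE = "ACTIVEMQ"


def evaluate_broker(broker: dict) -> str:
    """Return PASS, FAIL or NOT_APPLICABLE for one DescribeBroker response."""
    if str(broker.get("EngineType", "")).upper() != AUDIT_CAPABLE_ENGINE:
        return "NOT_APPLICABLE"
    logs = broker.get("Logs") or {}
    # The control passes only when Audit is explicitly enabled; a missing
    # Logs block or Audit=False both count as a failure.
    return "PASS" if logs.get("Audit") is True else "FAIL"


def build_remediation(broker: dict) -> Optional[dict]:
    """Keyword arguments for mq.update_broker() that turn audit logging on.

    Returns None when no change is needed. The existing General setting is
    carried over unchanged so remediation does not silently alter it.
    """
    if evaluate_broker(broker) != "FAIL":
        return None
    logs = broker.get("Logs") or {}
    return {
        "BrokerId": broker["BrokerId"],
        "Logs": {"Audit": True, "General": bool(logs.get("General", False))},
    }


# Constructed sample responses (placeholder IDs, not real brokers).
SAMPLE_FAILING = {
    "BrokerId": "b-00000000-0000-0000-0000-000000000000",
    "EngineType": "ACTIVEMQ",
    "Logs": {"Audit": False, "General": True},
}
SAMPLE_PASSING = {
    "BrokerId": "b-11111111-1111-1111-1111-111111111111",
    "EngineType": "ACTIVEMQ",
    "Logs": {"Audit": True, "General": False, "AuditLogGroup": "/aws/amazonmq/broker/example/audit"},
}
SAMPLE_RABBITMQ = {
    "BrokerId": "b-22222222-2222-2222-2222-222222222222",
    "EngineType": "RABBITMQ",
    "Logs": {"General": True},
}

if __name__ == "__main__":
    for sample in (SAMPLE_FAILING, SAMPLE_PASSING, SAMPLE_RABBITMQ):
        print(sample["BrokerId"], evaluate_broker(sample), build_remediation(sample))
```

Against a live account, iterate `mq.get_paginator("list_brokers")`, call `describe_broker` for each ID, and pass the returned dict from `build_remediation` to `mq.update_broker(**req)`; the new log setting takes effect when the broker is next rebooted.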
