AWS amazon-mq documentation change
Summary
Added detailed instructions for accessing private Amazon MQ brokers via SSH tunneling and proxy configuration. Includes security guidance for console access without public exposure.
Security assessment
Provides security best practices for private broker access through secure tunneling mechanisms. While not fixing a specific vulnerability, it enhances security documentation by explaining secure access patterns. The added warning about infrastructure IP addresses helps prevent misconfiguration concerns.
Diff
diff --git a/amazon-mq/latest/developer-guide/configuring-private-broker.md b/amazon-mq/latest/developer-guide/configuring-private-broker.md index eff37c390..644a84c47 100644 --- a//amazon-mq/latest/developer-guide/configuring-private-broker.md +++ b//amazon-mq/latest/developer-guide/configuring-private-broker.md @@ -5 +5 @@ -Configuring a private broker in the AWS Management Console +Configuring a private broker in the AWS Management ConsoleAccessing the Amazon MQ broker web console without public accessibility @@ -62,0 +63,39 @@ Amazon MQ for ActiveMQ does not use VPC endpoints. When you first create an Acti +## Accessing the Amazon MQ broker web console without public accessibility + +When you turn off public accessibility for your broker, the AWS account ID that created the broker can access the private broker. If you turn off public accessibility for your broker, you must perform the following steps to access the broker web console. + + 1. Create a Linux EC2 instance in `public-vpc` (with a public IP, if necessary). + + 2. To verify that your VPC is configured correctly, establish an `ssh` connection to the EC2 instance and use the `curl` command with the URI of your broker. + + 3. From your machine, create an `ssh` tunnel to the EC2 instance using the path to your private key file and the IP address of your public EC2 instance. For example: + + ssh -i ~/.ssh/id_rsa -N -C -q -f -D 8080 [email protected] + +A forward proxy server is started on your machine. + + 4. Install a proxy client such as [FoxyProxy](https://getfoxyproxy.org/) on your machine. + + 5. Configure your proxy client using the following settings: + + * For proxy type, specify `SOCKS5`. + + * For IP address, DNS name, and server name, specify `localhost`. + + * For port, specify `8080`. + + * Remove any existing URL patterns. + + * For the URL pattern, specify `*.mq.*.amazonaws.com*` + + * For the connection type, specify `HTTP(S)`. + +When you enable your proxy client, you can access the web console on your machine. + + + + +###### Important + +If you are using a private broker, you may see IP addresses that you did not configure with your VPC. These are IP addresses from the RabbitMQ on Amazon MQ infrastructure, and they require no action. +