AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-10-25 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-properties-amazonmq-broker-user.md

Summary

Updated user requirements including OAuth 2.0 limitations, password field marked as required, and expanded username restrictions with explicit prohibition of 'guest' username

Security assessment

Explicit prohibition of 'guest' username addresses security best practices against default credentials. Password complexity requirements and OAuth 2.0 limitations directly relate to access control security measures.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-amazonmq-broker-user.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-amazonmq-broker-user.md
index c61d6c9e5..e9bd649c5 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-amazonmq-broker-user.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-amazonmq-broker-user.md
@@ -9 +9,3 @@ This is the new _AWS CloudFormation Template Reference Guide_. Please update you
-The list of broker users (persons or applications) who can access queues and topics. For Amazon MQ for RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created via the RabbitMQ web console or by using the RabbitMQ management API.
+The list of broker users (persons or applications) who can access queues and topics. For Amazon MQ for RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created by making RabbitMQ API calls directly to brokers or via the RabbitMQ web console.
+
+When OAuth 2.0 is enabled, the broker accepts one or no users.
@@ -43 +45 @@ To declare this entity in your AWS CloudFormation template, use the following sy
-Enables access to the ActiveMQ web console for the ActiveMQ user. Does not apply to RabbitMQ brokers.
+Enables access to the ActiveMQ Web Console for the ActiveMQ user. Does not apply to RabbitMQ brokers.
@@ -67 +69 @@ _Required_ : No
-The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas, colons, or equal signs (,:=).
+Required. The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas, colons, or equal signs (,:=).
@@ -93 +95,8 @@ _Required_ : No
-The username of the broker user. For Amazon MQ for ActiveMQ brokers, this value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). For Amazon MQ for RabbitMQ brokers, this value can contain only alphanumeric characters, dashes, periods, underscores (- . _). This value must not contain a tilde (~) character. Amazon MQ prohibts using guest as a valid usename. This value must be 2-100 characters long.
+The username of the broker user. The following restrictions apply to broker usernames:
+
+  * For Amazon MQ for ActiveMQ brokers, this value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long. 
+
+  * For Amazon MQ for RabbitMQ brokers, this value can contain only alphanumeric characters, dashes, periods, underscores (- . _). This value must not contain a tilde (~) character. Amazon MQ prohibts using `guest` as a valid usename. This value must be 2-100 characters long.
+
+
+