AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-10-25 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.md

Summary

Added IAM policy requirements for broker creation, clarified security best practices for network interfaces, expanded automatic upgrade requirements, and updated user management documentation with OAuth 2.0 constraints

Security assessment

Changes explicitly add requirements for IAM policies (security controls), warn about ENI modification risks (security hardening), enforce patch versions for brokers (vulnerability management), and reference OAuth 2.0 authentication constraints (authZ improvements). These directly document security controls and configuration requirements.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.md
index b6f075c1d..3738c643d 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.md
@@ -9 +9 @@ This is the new _AWS CloudFormation Template Reference Guide_. Please update you
-A _broker_ is a message broker environment running on Amazon MQ. It is the basic building block of Amazon MQ.
+Creates a broker. Note: This API is asynchronous.
@@ -11 +11 @@ A _broker_ is a message broker environment running on Amazon MQ. It is the basic
-The `AWS::AmazonMQ::Broker` resource lets you create Amazon MQ for ActiveMQ and Amazon MQ for RabbitMQ brokers, add configuration changes or modify users for a speified ActiveMQ broker, return information about the specified broker, and delete the broker. For more information, see [How Amazon MQ works](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-how-it-works.html) in the _Amazon MQ Developer Guide_.
+To create a broker, you must either use the `AmazonMQFullAccess` IAM policy or include the following EC2 permissions in your IAM policy.
@@ -43,0 +44,2 @@ This permission is required to attach the ENI to the broker instance.
+For more information, see [Create an IAM User and Get Your AWS Credentials](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-setting-up.html#create-iam-user) and [Never Modify or Delete the Amazon MQ Elastic Network Interface](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/connecting-to-amazon-mq.html#never-modify-delete-elastic-network-interface) in the _Amazon MQ Developer Guide_.
+
@@ -130 +132,5 @@ _Required_ : No
-Enables automatic upgrades to new minor versions for brokers, as new broker engine versions are released and supported by Amazon MQ. Automatic upgrades occur during the scheduled maintenance window of the broker or after a manual broker reboot.
+Enables automatic upgrades to new patch versions for brokers as new versions are released and supported by Amazon MQ. Automatic upgrades occur during the scheduled maintenance window or after a manual broker reboot. Set to `true` by default, if no value is specified.
+
+###### Note
+
+Must be set to `true` for ActiveMQ brokers version 5.18 and above and for RabbitMQ brokers version 3.13 and above.
@@ -141 +147 @@ _Required_ : No
-The name of the broker. This value must be unique in your AWS account, 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets, wildcard characters, or special characters.
+Required. The broker's name. This value must be unique in your AWS account, 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets, wildcard characters, or special characters.
@@ -145 +151 @@ The name of the broker. This value must be unique in your AWS account, 1-50 char
-Do not add personally identifiable information (PII) or other confidential or sensitive information in broker names. Broker names are accessible to other AWS services, including CCloudWatch Logs. Broker names are not intended to be used for private or sensitive data. 
+Do not add personally identifiable information (PII) or other confidential or sensitive information in broker names. Broker names are accessible to other AWS services, including CloudWatch Logs. Broker names are not intended to be used for private or sensitive data. 
@@ -158 +164 @@ _Update requires_ : [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/
-A list of information about the configuration. Does not apply to RabbitMQ brokers.
+A list of information about the configuration.
@@ -195,10 +201 @@ _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormat
-The deployment mode of the broker. Available values:
-
-  * `SINGLE_INSTANCE`
-
-  * `ACTIVE_STANDBY_MULTI_AZ`
-
-  * `CLUSTER_MULTI_AZ`
-
-
-
+Required. The broker's deployment mode.
@@ -217 +214 @@ _Required_ : Yes
-Encryption options for the broker. Does not apply to RabbitMQ brokers.
+Encryption options for the broker. 
@@ -228 +225 @@ _Required_ : No
-The type of broker engine. Currently, Amazon MQ supports `ACTIVEMQ` and `RABBITMQ`.
+Required. The type of broker engine. Currently, Amazon MQ supports `ACTIVEMQ` and `RABBITMQ`.
@@ -241 +238 @@ _Required_ : Yes
-The version of the broker engine. For a list of supported engine versions, see [Engine](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html) in the _Amazon MQ Developer Guide_. 
+The broker engine version. Defaults to the latest available version for the specified broker engine type. For more information, see the [ActiveMQ version management](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/activemq-version-management.html) and the [RabbitMQ version management](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-version-management.html) sections in the Amazon MQ Developer Guide.
@@ -252 +249 @@ _Required_ : No
-The broker's instance type.
+Required. The broker's instance type.
@@ -285 +282 @@ _Required_ : No
-The scheduled time period relative to UTC during which Amazon MQ begins to apply pending updates or patches to the broker.
+The parameters that determine the WeeklyStartTime.
@@ -296 +293 @@ _Required_ : No
-Enables connections from applications outside of the VPC that hosts the broker's subnets.
+Enables connections from applications outside of the VPC that hosts the broker's subnets. Set to `false` by default, if no value is provided.
@@ -335 +332 @@ _Required_ : No
-The list of groups that define which subnets and IP ranges the broker can use from different Availability Zones. If you specify more than one subnet, the subnets must be in different Availability Zones. Amazon MQ will not be able to create VPC endpoints for your broker with multiple subnets in the same Availability Zone. A SINGLE_INSTANCE deployment requires one subnet (for example, the default subnet). An ACTIVE_STANDBY_MULTI_AZ deployment (ACTIVEMQ) requires two subnets. A CLUSTER_MULTI_AZ deployment (RABBITMQ) has no subnet requirements when deployed with public accessibility, deployment without public accessibility requires at least one subnet.
+The list of groups that define which subnets and IP ranges the broker can use from different Availability Zones. If you specify more than one subnet, the subnets must be in different Availability Zones. Amazon MQ will not be able to create VPC endpoints for your broker with multiple subnets in the same Availability Zone. A SINGLE_INSTANCE deployment requires one subnet (for example, the default subnet). An ACTIVE_STANDBY_MULTI_AZ Amazon MQ for ActiveMQ deployment requires two subnets. A CLUSTER_MULTI_AZ Amazon MQ for RabbitMQ deployment has no subnet requirements when deployed with public accessibility. Deployment without public accessibility requires at least one subnet.
@@ -339 +336 @@ The list of groups that define which subnets and IP ranges the broker can use fr
-If you specify subnets in a shared VPC for a RabbitMQ broker, the associated VPC to which the specified subnets belong must be owned by your AWS account. Amazon MQ will not be able to create VPC enpoints in VPCs that are not owned by your AWS account. 
+If you specify subnets in a [shared VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html) for a RabbitMQ broker, the associated VPC to which the specified subnets belong must be owned by your AWS account. Amazon MQ will not be able to create VPC endpoints in VPCs that are not owned by your AWS account. 
@@ -350 +347 @@ _Required_ : No
-An array of key-value pairs. For more information, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the _Billing and Cost Management User Guide_. 
+Create tags when creating the broker.
@@ -361 +358,3 @@ _Required_ : No
-The list of broker users (persons or applications) who can access queues and topics. For Amazon MQ for RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent RabbitMQ users are created by via the RabbitMQ web console or by using the RabbitMQ management API. 
+The list of broker users (persons or applications) who can access queues and topics. For Amazon MQ for RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created by making RabbitMQ API calls directly to brokers or via the RabbitMQ web console.
+
+When OAuth 2.0 is enabled, the broker accepts one or no users.
@@ -425,5 +423,0 @@ Property description not available.
-`Id`
-    
-
-Required. The unique ID that Amazon MQ generates for the configuration.
-