AWS Security ChangesHomeSearch

AWS amazon-mq documentation change

Service: amazon-mq · 2026-01-10 · Documentation low

File: amazon-mq/latest/developer-guide/security-broker-auth-ref.md

Summary

Added section explaining SSL certificate authentication using mTLS and X.509 client certificates.

Security assessment

Documents a new authentication method (certificate-based) which improves security posture, but doesn't reference any patched vulnerability.

Diff

diff --git a/amazon-mq/latest/developer-guide/security-broker-auth-ref.md b/amazon-mq/latest/developer-guide/security-broker-auth-ref.md
index df9e6fd59..cef0d64f2 100644
--- a//amazon-mq/latest/developer-guide/security-broker-auth-ref.md
+++ b//amazon-mq/latest/developer-guide/security-broker-auth-ref.md
@@ -42,0 +43,4 @@ In this method, broker users and their permissions are managed by an external HT
+### SSL certificate authentication
+
+Amazon MQ supports mutual TLS (mTLS) for RabbitMQ brokers. The SSL authentication plugin uses client certificates from mTLS connections to authenticate users. In this method, broker users are authenticated using X.509 client certificates instead of username and password credentials. The client's certificate is validated against a trusted Certificate Authority (CA), and the username is extracted from a field in the certificate, such as the Common Name (CN) or Subject Alternative Name (SAN). This method provides strong authentication without transmitting credentials over the network. For more information, see [SSL certificate authentication](./ssl-for-amq-for-rabbitmq.html).
+