API authentication and authorization for Amazon MQ
Amazon MQ uses standard Amazon request signing for API authentication. For more information, see Signing Amazon API Requests in the Amazon Web Services General Reference.
Note
Currently, Amazon MQ doesn't support IAM authentication using resource-based permissions or resource-based policies.
To authorize Amazon users to work with brokers, configurations, and users, you must edit your IAM policy permissions.
IAM Permissions Required to Create an Amazon MQ Broker
To create a broker, you must either use the AmazonMQFullAccess IAM policy or include the following EC2 permissions in your IAM policy.
The following custom policy consists of two statements (the second one conditional) that grant the permissions to manipulate the resources Amazon MQ requires to create an ActiveMQ broker.
Important
- The ec2:CreateNetworkInterface action is required to allow Amazon MQ to create an elastic network interface (ENI) in your account on your behalf.
- The ec2:CreateNetworkInterfacePermission action authorizes Amazon MQ to attach the ENI to an ActiveMQ broker.
- The ec2:AuthorizedService condition key ensures that ENI permissions can be granted only to Amazon MQ service accounts.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "mq:*",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeNetworkInterfacePermissions"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "mq.amazonaws.com"
        }
      }
    }
  ]
}
```
For more information, see Step 2: create a user and get your Amazon credentials and Never Modify or Delete the Amazon MQ Elastic Network Interface.
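The following policy linter is an added example, not part of this page or of any AWS tooling. It checks that a policy document grants every action the page lists for broker creation and that the ENI-permission actions are granted only under the ec2:AuthorizedService condition for mq.amazonaws.com; it uses a deliberately simplified evaluation model (Allow statements and action wildcards only, no Deny or NotAction), and the sample policies are constructed here.

```python
import fnmatch

# Actions the page lists as needed to create an ActiveMQ broker (plus mq:CreateBroker).
REQUIRED_ACTIONS = {
    "mq:CreateBroker", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
    "ec2:DetachNetworkInterface", "ec2:DescribeInternetGateways",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
}
# ENI-permission actions the page says must be limited to the Amazon MQ service.
PERMISSION_ACTIONS = {
    "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission",
    "ec2:DescribeNetworkInterfacePermissions",
}
MQ_SERVICE = "mq.amazonaws.com"

def _as_list(value):
    # IAM accepts either a bare string or a list for Action and Statement.
    return value if isinstance(value, list) else [value]

def _allows(statement, action):
    # Simplified model: Allow statements with wildcard action matching; no Deny/NotAction.
    return statement.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement.get("Action", [])))

def _scoped_to_mq(statement):
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return cond.get("ec2:AuthorizedService") == MQ_SERVICE

def lint_policy(policy):
    """Return a list of findings; an empty list means the policy has the page's shape."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    for action in sorted(REQUIRED_ACTIONS | PERMISSION_ACTIONS):
        grants = [s for s in statements if _allows(s, action)]
        if not grants:
            findings.append(f"missing Allow for {action}")
        elif action in PERMISSION_ACTIONS and not all(_scoped_to_mq(s) for s in grants):
            findings.append(f"{action} allowed without ec2:AuthorizedService={MQ_SERVICE}")
    return findings

# Constructed inputs: the page's policy rebuilt from the sets above, and a looser variant
# that grants ec2:* with no ec2:AuthorizedService condition.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["mq:*"] + sorted(REQUIRED_ACTIONS - {"mq:CreateBroker"})},
    {"Effect": "Allow", "Resource": "*", "Action": sorted(PERMISSION_ACTIONS),
     "Condition": {"StringEquals": {"ec2:AuthorizedService": MQ_SERVICE}}}]}
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["mq:*", "ec2:*"]}]}

if __name__ == "__main__":
    print("page policy:", lint_policy(PAGE_POLICY) or "ok")
    print("loose policy:", lint_policy(LOOSE_POLICY))
```

Run against the page's policy it reports nothing; against the ec2:* variant it flags each of the three ENI-permission actions as granted without the service condition.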
Amazon MQ REST API permissions reference
The following table lists Amazon MQ REST APIs and the corresponding IAM permissions.
| Amazon MQ REST API | Required permission |
|---|---|
| CreateBroker | mq:CreateBroker |
| CreateConfiguration | mq:CreateConfiguration |
| CreateTags | mq:CreateTags |
| CreateUser | mq:CreateUser |
| DeleteBroker | mq:DeleteBroker |
| DeleteUser | mq:DeleteUser |
| DescribeBroker | mq:DescribeBroker |
| DescribeConfiguration | mq:DescribeConfiguration |
| DescribeConfigurationRevision | mq:DescribeConfigurationRevision |
| DescribeUser | mq:DescribeUser |
| ListBrokers | mq:ListBrokers |
| ListConfigurationRevisions | mq:ListConfigurationRevisions |
| ListConfigurations | mq:ListConfigurations |
| ListTags | mq:ListTags |
| ListUsers | mq:ListUsers |
| RebootBroker | mq:RebootBroker |
| UpdateBroker | mq:UpdateBroker |
| UpdateConfiguration | mq:UpdateConfiguration |
| UpdateUser | mq:UpdateUser |
Resource-level permissions for Amazon MQ API actions
The term resource-level permissions refers to the ability to specify the resources on which users are allowed to perform actions. Amazon MQ has partial support for resource-level permissions: for certain Amazon MQ actions, you can control when users are allowed to use those actions, based on conditions that must be fulfilled or on the specific resources that users are allowed to use.
The following table describes the Amazon MQ API actions that currently support resource-level permissions, as well as the supported resources, resource ARNs, and condition keys for each action.
Important
If an Amazon MQ API action is not listed in this table, then it does not support resource-level permissions. If an Amazon MQ API action does not support resource-level permissions, you can grant users permission to use the action, but you have to specify a * wildcard for the resource element of your policy statement.