Logging Amazon MQ API calls using Amazon CloudTrail
Amazon MQ is integrated with Amazon CloudTrail, a service that provides a record of the Amazon MQ calls that a user, role, or Amazon service makes. CloudTrail captures API calls related to Amazon MQ brokers and configurations as events, including calls from the Amazon MQ console and code calls from Amazon MQ APIs. For more information about CloudTrail, see the Amazon CloudTrail User Guide.
Note
CloudTrail doesn't log API calls related to ActiveMQ operations (for example, sending and receiving messages) or to the ActiveMQ Web Console. To log information related to ActiveMQ operations, you can configure Amazon MQ to publish general and audit logs to Amazon CloudWatch Logs.
Using the information that CloudTrail collects, you can identify a specific request to an Amazon MQ API, the IP address of the requester, the requester's identity, the date and time of the request, and so on. If you configure a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket. If you don't configure a trail, you can view the most recent events in the event history in the CloudTrail console. For more information, see Overview for Creating a Trail in the Amazon CloudTrail User Guide.
Amazon MQ Information in CloudTrail
When you create your Amazon account, CloudTrail is enabled. When a supported Amazon MQ event activity occurs, it is recorded in a CloudTrail event with other Amazon service events in the event history. You can view, search, and download recent events for your Amazon account. For more information, see Viewing Events with CloudTrail Event History in the Amazon CloudTrail User Guide.
A trail allows CloudTrail to deliver log files to an Amazon S3 bucket. You can create a trail to keep an ongoing record of events in your Amazon account. By default, when you create a trail using the Amazon Web Services Management Console, the trail applies to all Amazon Regions. The trail logs events from all Amazon Regions and delivers log files to the specified Amazon S3 bucket. You can also configure other Amazon services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following topics in the Amazon CloudTrail User Guide:
Amazon MQ supports logging both the request parameters and the responses for the following APIs as events in CloudTrail log files:
Note
RebootBroker log files are logged when you reboot the broker. During the maintenance window, the service automatically reboots, and RebootBroker log files are not logged.
Important
For the GET methods of the following APIs, the request parameters
are logged, but the responses are redacted:
For the following APIs, the data and password
request parameters are hidden by asterisks (***):
-
CreateBroker(POST) -
CreateUser(POST) -
UpdateConfiguration(PUT) -
UpdateUser(PUT)
Every event or log entry contains information about the requester. This information helps you determine the following:
-
Was the request made with root or user credentials?
-
Was the request made with temporary security credentials for a role or a federated user?
-
Was the request made by another Amazon service?
For more information, see CloudTrail userIdentity Element in the Amazon CloudTrail User Guide.
Example Amazon MQ Log File Entry
A trail is a configuration that allows the delivery of events as log files to the specified Amazon S3 bucket. CloudTrail log files contain one or more log entries.
An event represents a single request from any source and includes information about the request to an Amazon MQ API, the IP address of the requester, the requester's identity, the date and time of the request, and so on.
The following example shows a CloudTrail log entry for a CreateBroker API call.
Note
Because CloudTrail log files aren't an ordered stack trace of public APIs, they don't list information in any specific order.
{ "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AKIAIOSFODNN7EXAMPLE", "arn": "arn:aws:iam::111122223333:user/AmazonMqConsole", "accountId": "111122223333", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "AmazonMqConsole" }, "eventTime": "2018-06-28T22:23:46Z", "eventSource": "amazonmq.amazonaws.com", "eventName": "CreateBroker", "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.0", "userAgent": "PostmanRuntime/7.1.5", "requestParameters": { "engineVersion": "5.15.9", "deploymentMode": "ACTIVE_STANDBY_MULTI_AZ", "maintenanceWindowStartTime": { "dayOfWeek": "THURSDAY", "timeOfDay": "22:45", "timeZone": "America/Los_Angeles" }, "engineType": "ActiveMQ", "hostInstanceType": "mq.m5.large", "users": [ { "username": "MyUsername123", "password": "***", "consoleAccess": true, "groups": [ "admins", "support" ] }, { "username": "MyUsername456", "password": "***", "groups": [ "admins" ] } ], "creatorRequestId": "1", "publiclyAccessible": true, "securityGroups": [ "sg-a1b234cd" ], "brokerName": "MyBroker", "autoMinorVersionUpgrade": false, "subnetIds": [ "subnet-12a3b45c", "subnet-67d8e90f" ] }, "responseElements": { "brokerId": "b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9", "brokerArn": "arn:aws-cn:mq:us-east-2:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9" }, "requestID": "a1b2c345-6d78-90e1-f2g3-4hi56jk7l890", "eventID": "a12bcd3e-fg45-67h8-ij90-12k34d5l16mn", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }