Security best practices for Amazon MQ - Amazon MQ
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security best practices for Amazon MQ

The following design patterns can improve the security of your Amazon MQ broker.

For more information about how Amazon MQ encrypts your data, as well as a list of supported protocols, see Data Protection.

Prefer brokers without public accessibility

Brokers created without public accessibility can't be accessed from outside of your VPC. This greatly reduces your broker's susceptibility to Distributed Denial of Service (DDoS) attacks from the public internet. For more information, see Accessing the broker web console without public accessibility in this guide and How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface on the Amazon Security Blog.

Always configure an authorization map

Because ActiveMQ has no authorization map configured by default, any authenticated user can perform any action on the broker. Thus, it is a best practice to restrict permissions by group. For more information, see authorizationEntry.


If you specify an authorization map which doesn't include the activemq-webconsole group, you can't use the ActiveMQ Web Console because the group isn't authorized to send messages to, or receive messages from, the Amazon MQ broker.

Block unnecessary protocols with VPC security groups

To improve security, you should restrict the connections of unnecessary protocols and ports by properly configuring your Amazon VPC Security Group. For instance, to restrict access to most protocols while allowing access to OpenWire and the web console, you could allow access to only 61617 and 8162. This limits your exposure by blocking protocols you are not using, while allowing OpenWire and the web console to function normally.

Allow only the protocol ports that you are using.

  • AMQP: 5671

  • MQTT: 8883

  • OpenWire: 61617

  • STOMP: 61614

  • WebSocket: 61619

For more information see: