steampipe plugin install awssteampipe plugin install aws

Table: aws_mq_broker - Query AWS MQ Brokers using SQL

Amazon MQ is a managed message broker service provided by AWS (Amazon Web Services). It supports popular messaging protocols such as MQTT, AMQP, and STOMP, making it compatible with a variety of applications. Amazon MQ simplifies the setup, deployment, and maintenance of message brokers, allowing you to focus on developing your applications.

Table Usage Guide

The aws_mq_broker table in Steampipe provides you with information about MQ brokers within AWS. This table allows you, as a DevOps engineer, to query broker specific details, including the boker ARN, creation time, and associated metadata. You can utilize this table to gather insights on nrokers, such as the number of broker nodes, the version and type of the engine used, the state of the broker, and more. The schema outlines the various attributes of the MQ broker for you, including the encryption info, authentication strategy, and associated tags.

Examples

Basic Info

Explore the status and details of your AWS MQ broker to understand their configuration and operational state.

select
  arn,
  broker_name,
  broker_state,
  deployment_mode,
  created,
  host_instance_type,
  engine_type,
  engine_version tags
from
  aws_mq_broker;

select
  arn,
  broker_name,
  broker_state,
  deployment_mode,
  created,
  host_instance_type,
  engine_type,
  engine_version tags
from
  aws_mq_broker;

List brokers that are in rebooting state

Identify certain brokers within AWS MQ service that are in reboot state. This could be useful for system administrators who need to manage resources.

select
  arn,
  broker_name,
  broker_state,
  created data_replication_mode,
  authentication_strategy
from
  aws_mq_broker
where
  broker_state = 'REBOOT_IN_PROGRESS';

select
  arn,
  broker_name,
  broker_state,
  created data_replication_mode,
  authentication_strategy
from
  aws_mq_broker
where
  broker_state = 'REBOOT_IN_PROGRESS';

List brokers that allow public access

Determine the areas in which public access is allowed for broker. This is useful for identifying potential security risks and ensuring that access to sensitive data is appropriately restricted.

select
  arn,
  broker_name,
  broker_state,
  created
from
  aws_mq_broker
where
  publicly_accessible;

select
  arn,
  broker_name,
  broker_state,
  created
from
  aws_mq_broker
where
  publicly_accessible;

List brokers that encrypted with customer managed key

Identify the specific domains or components within the system where data is secured through encryption using keys managed by the customer.

select
  arn,
  broker_name,
  encryption_options ->> 'UseAwsOwnedKey' as use_aws_owned_key,
  created
from
  aws_mq_broker
where
  encryption_options ->> 'UseAwsOwnedKey' = 'false';

select
  arn,
  broker_name,
  json_extract(
    encryption_options,
    '$.EncryptionInfo.EncryptionAtRest'
  ) as use_aws_owned_key,
  created
from
  aws_mq_broker
where
  json_extract(encryption_options, '$.UseAwsOwnedKey') = 'false';

Get maintenance window details of brokers

During the Maintenance Window, the broker instances might be briefly unavailable or experience reduced capacity as updates are applied. This scheduled approach helps minimize the impact on your applications and users, as these activities are carried out during a designated time frame, allowing for predictability and coordination.

select
  arn,
  broker_name,
  maintenance_window_start_time -> 'DayOfWeek' as day_of_week,
  maintenance_window_start_time -> 'TimeOfDay' as time_of_day,
  maintenance_window_start_time -> 'TimeZone' as time_zone
from
  aws_mq_broker;

select
  arn,
  broker_name,
  json_extract(maintenance_window_start_time, '$.DayOfWeek') as day_of_week,
  json_extract(maintenance_window_start_time, '$.TimeOfDay') as time_of_day,
  json_extract(maintenance_window_start_time, '$.TimeZone') as time_zone
from
  aws_mq_broker;

Control examples

All Controls > MQ > MQ brokers should restrict public access

Schema for aws_mq_broker

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
account_id	text	=, !=, ~~, ~~, !~~, !~~	The AWS Account ID in which the resource is located.
actions_required	jsonb		Actions required for a broker.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
arn	text		The Amazon Resource Name (ARN) of the broker.
authentication_strategy	text		The authentication strategy used to secure the broker. The default is SIMPLE.
auto_minor_version_upgrade	boolean		Enables automatic upgrades to new minor versions for brokers, as new versions are released and supported by Amazon MQ.
broker_id	text	=	The unique ID that Amazon MQ generates for the broker.
broker_instances	jsonb		A list of information about allocated brokers.
broker_name	text		The broker's name.
broker_state	text		The broker's status.
configurations	jsonb		The list of all revisions for the specified configuration.
created	timestamp with time zone		The time when the broker was created.
data_replication_metadata	jsonb		The replication details of the data replication-enabled broker. Only returned if dataReplicationMode is set to CRDR.
data_replication_mode	text		Describes whether this broker is a part of a data replication pair.
deployment_mode	text		The broker's deployment mode.
encryption_options	jsonb		Encryption options for the broker.
engine_type	text		The type of broker engine. Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.
engine_version	text		The broker engine's version.
host_instance_type	text		The broker's instance type.
ldap_server_metadata	jsonb		The metadata of the LDAP server used to authenticate and authorize connections to the broker.
logs	jsonb		The list of information about logs currently enabled and pending to be deployed for the specified broker.
maintenance_window_start_time	jsonb		The parameters that determine the WeeklyStartTime.
partition	text		The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
pending_authentication_strategy	text		The authentication strategy that will be applied when the broker is rebooted. The default is SIMPLE.
pending_data_replication_metadata	jsonb		The pending replication details of the data replication-enabled broker. Only returned if pendingDataReplicationMode is set to CRDR.
pending_data_replication_mode	text		Describes whether this broker will be a part of a data replication pair after reboot.
pending_engine_version	text		The broker engine version to upgrade to.
pending_host_instance_type	text		The broker's host instance type to upgrade to.
pending_ldap_server_metadata	jsonb		The metadata of the LDAP server that will be used to authenticate and authorize connections to the broker after it is rebooted.
pending_security_groups	jsonb		The list of pending security groups to authorize connections to brokers.
publicly_accessible	boolean		Enables connections from applications outside of the VPC that hosts the broker's subnets.
region	text		The AWS Region in which the resource is located.
security_groups	jsonb		The list of rules (1 minimum, 125 maximum) that authorize connections to brokers.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
storage_type	text		The broker's storage type.
subnet_ids	jsonb		The list of groups that define which subnets and IP ranges the broker can use from different Availability Zones.
tags	jsonb		A list of tags attached to the broker.
title	text		Title of the resource.
users	jsonb		The list of all broker usernames for the specified broker.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_mq_broker