🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 2 Active MQ brokers should stream audit logs to CloudWatch

Description

This control checks whether an Amazon MQ ActiveMQ broker streams audit logs to Amazon CloudWatch Logs. The control fails if the broker doesn't stream audit logs to CloudWatch Logs.

By publishing ActiveMQ broker logs to CloudWatch Logs, you can create CloudWatch alarms and metrics that increase the visibility of security-related information.

Remediation

To stream ActiveMQ broker logs to CloudWatch Logs, see Configuring Amazon MQ for ActiveMQ logs in the Amazon MQ Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_mq_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_mq_2 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when (logs -> 'Audit')::bool then 'ok'
    else 'alarm'
  end as status,
  case
    when (logs -> 'Audit')::bool then title || ' audit log enabled.'
    else title || ' audit log disabled.'
  end as reason
  
  , region, account_id
from
  aws_mq_broker;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = mq_2
plugin = aws
service = AWS/MQ