Amazon Web Services
Amazon MQ is a fully managed message broker service from Amazon Web Services (AWS). It lets you set up and operate ActiveMQ or RabbitMQ brokers in the cloud without running the underlying instances yourself. Brokers speak standard wire protocols such as AMQP, MQTT, STOMP and OpenWire (the exact set depends on the engine), so clients written against APIs such as JMS can connect without code changes, which makes integration with existing applications and services straightforward. Brokers can be created in minutes and resized as messaging needs change, monitored and troubleshot through Amazon CloudWatch, and combined with other AWS services such as Amazon SNS, Amazon SQS and AWS Lambda. Because a broker is a network-reachable service that holds application data, the arguments that matter most from a security standpoint are those controlling network exposure (publicly_accessible, subnet_ids, security_groups), authentication (user, authentication_strategy, ldap_server_metadata), encryption at rest (encryption_options) and logging (logs).
Terraform Name
aws_mq_broker
The following arguments are required:

  • broker_name - (Required) Name of the broker.
  • engine_type - (Required) Type of broker engine. Valid values are ActiveMQ and RabbitMQ.
  • engine_version - (Required) Version of the broker engine. See the AmazonMQ Broker Engine docs for supported versions. For example, 5.15.0.
  • host_instance_type - (Required) Broker's instance type. For example, mq.t3.micro, mq.m5.large.
  • user - (Required) Configuration block for broker users. For engine_type of RabbitMQ, Amazon MQ does not return broker users preventing this resource from making user updates and drift detection. Detailed below.

The following arguments are optional:

  • apply_immediately - (Optional) Specifies whether any broker modifications are applied immediately, or during the next maintenance window. Default is false.
  • authentication_strategy - (Optional) Authentication strategy used to secure the broker. Valid values are simple and ldap. ldap is not supported for engine_type RabbitMQ.
  • auto_minor_version_upgrade - (Optional) Whether to automatically upgrade to new minor versions of brokers as Amazon MQ makes releases available.
  • configuration - (Optional) Configuration block for broker configuration. Applies to engine_type of ActiveMQ only. Detailed below.
  • deployment_mode - (Optional) Deployment mode of the broker. Valid values are SINGLE_INSTANCE, ACTIVE_STANDBY_MULTI_AZ, and CLUSTER_MULTI_AZ. Default is SINGLE_INSTANCE.
  • encryption_options - (Optional) Configuration block containing encryption options. Detailed below.
  • ldap_server_metadata - (Optional) Configuration block for the LDAP server used to authenticate and authorize connections to the broker. Not supported for engine_type RabbitMQ. Detailed below. (Currently, AWS may not process changes to LDAP server metadata.)
  • logs - (Optional) Configuration block for the logging configuration of the broker. Detailed below.
  • maintenance_window_start_time - (Optional) Configuration block for the maintenance window start time. Detailed below.
  • publicly_accessible - (Optional) Whether to enable connections from applications outside of the VPC that hosts the broker's subnets. Leave this false unless clients outside the VPC genuinely need to reach the broker: a public broker gets internet-reachable endpoints on its listener ports, filtered only by its security groups.
  • security_groups - (Optional) List of security group IDs assigned to the broker. Give the broker its own least-privilege group that admits only the client subnets or security groups on the protocol ports actually in use (for example 61617 for OpenWire over TLS and 8162 for the ActiveMQ Web Console).
  • storage_type - (Optional) Storage type of the broker. For engine_type ActiveMQ, the valid values are efs and ebs, and the AWS-default is efs. For engine_type RabbitMQ, only ebs is supported. When using ebs, only the mq.m5 broker instance type family is supported.
  • subnet_ids - (Optional) List of subnet IDs in which to launch the broker. A SINGLE_INSTANCE deployment requires one subnet. An ACTIVE_STANDBY_MULTI_AZ deployment requires multiple subnets.
  • tags - (Optional) Map of tags to assign to the broker. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.


configuration block

The following arguments are optional:

  • id - (Optional) The Configuration ID.
  • revision - (Optional) Revision of the Configuration.


encryption_options block

The following arguments are optional:

  • kms_key_id - (Optional) Amazon Resource Name (ARN) of the Key Management Service (KMS) Customer Master Key (CMK) to use for encryption at rest. Requires use_aws_owned_key to be set to false. To perform drift detection when AWS-managed CMKs or customer-managed CMKs are in use, this value must be configured.
  • use_aws_owned_key - (Optional) Whether to encrypt with an AWS-owned KMS CMK that lives outside your account. Defaults to true. Setting it to false without configuring kms_key_id creates an AWS-managed CMK aliased aws/mq in your account. Three outcomes are therefore possible: the default AWS-owned key, whose policy and usage you cannot inspect; the AWS-managed aws/mq key, visible in your account but with a policy AWS controls; or a customer-managed key referenced by kms_key_id, whose key policy, rotation and CloudTrail usage records you control.


ldap_server_metadata block

The following arguments are optional:

  • hosts - (Optional) List of a fully qualified domain name of the LDAP server and an optional failover server.
  • role_base - (Optional) Fully qualified name of the directory to search for a user’s groups.
  • role_name - (Optional) Specifies the LDAP attribute that identifies the group name attribute in the object returned from the group membership query.
  • role_search_matching - (Optional) Search criteria for groups.
  • role_search_subtree - (Optional) Whether the directory search scope is the entire sub-tree.
  • service_account_password - (Optional) Service account password. Supply it from a variable marked sensitive rather than a literal; like every argument it is still written to Terraform state, so the state backend must be protected accordingly.
  • service_account_username - (Optional) Service account username.
  • user_base - (Optional) Fully qualified name of the directory where you want to search for users.
  • user_role_name - (Optional) Specifies the name of the LDAP attribute for the user group membership.
  • user_search_matching - (Optional) Search criteria for users.
  • user_search_subtree - (Optional) Whether the directory search scope is the entire sub-tree.


logs block

The following arguments are optional:

  • audit - (Optional) Enables audit logging. Auditing is only possible for engine_type of ActiveMQ. User management actions made using JMX or the ActiveMQ Web Console are logged. Defaults to false.
  • general - (Optional) Enables general logging via CloudWatch. Defaults to false. Because both settings are off by default, a broker created without a logs block leaves no record of who changed its users; enable both on production brokers and retain the CloudWatch log groups for as long as your incident-response process needs them.


maintenance_window_start_time block

The following arguments are required:

  • day_of_week - (Required) Day of the week, e.g., MONDAY, TUESDAY, or WEDNESDAY.
  • time_of_day - (Required) Time, in 24-hour format, e.g., 02:00.
  • time_zone - (Required) Time zone in either the Country/City format or the UTC offset format, e.g., CET.


user block

  • console_access - (Optional) Whether to enable access to the ActiveMQ Web Console for the user. Applies to engine_type of ActiveMQ only. Grant it only to operators who need the console, since it permits user and destination management on the broker.
  • groups - (Optional) List of groups (20 maximum) to which the ActiveMQ user belongs. Applies to engine_type of ActiveMQ only.
  • password - (Required) Password of the user. It must be 12 to 250 characters long, contain at least 4 unique characters, and must not contain commas. Pass it through a variable marked sensitive rather than writing a literal in HCL; the value is nevertheless recorded in Terraform state.
  • username - (Required) Username of the user.
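As an added example (not code from this page or from the Terraform AWS provider documentation), the following HCL ties the arguments above together into a broker that has no public endpoint, is encrypted with a customer-managed KMS key, ships both general and audit logs, patches in a fixed window, and whose administrative password never appears as a literal. The resource names aws_kms_key.mq, aws_security_group.mq, aws_subnet.mq_a, aws_subnet.mq_b and the variable broker_admin_password are assumptions made for illustration; the security group and subnets are assumed to be declared elsewhere.

```hcl
# Added example, not from the page or the provider docs. aws_security_group.mq,
# aws_subnet.mq_a and aws_subnet.mq_b are assumed to be declared elsewhere.

variable "broker_admin_password" {
  type      = string
  sensitive = true # hidden from plan/apply output; still written to state, so protect the state backend
}

resource "aws_kms_key" "mq" {
  description         = "Customer-managed key for Amazon MQ encryption at rest"
  enable_key_rotation = true
}

resource "aws_mq_broker" "hardened" {
  broker_name        = "orders-broker"
  engine_type        = "ActiveMQ"
  engine_version     = "5.15.9"
  host_instance_type = "mq.m5.large"
  deployment_mode    = "ACTIVE_STANDBY_MULTI_AZ"

  # Network exposure: no public endpoint, one subnet per AZ for the standby
  # pair, and an explicit least-privilege security group.
  publicly_accessible = false
  subnet_ids          = [aws_subnet.mq_a.id, aws_subnet.mq_b.id]
  security_groups     = [aws_security_group.mq.id]

  # Encryption at rest under a key this account controls. use_aws_owned_key
  # must be false for kms_key_id to take effect.
  encryption_options {
    use_aws_owned_key = false
    kms_key_id        = aws_kms_key.mq.arn
  }

  # Send broker logs and the audit trail of JMX / Web Console user
  # management actions to CloudWatch Logs.
  logs {
    general = true
    audit   = true
  }

  # Take minor upgrades, but only in a known window rather than whenever
  # the resource is modified.
  auto_minor_version_upgrade = true
  apply_immediately          = false
  maintenance_window_start_time {
    day_of_week = "SUNDAY"
    time_of_day = "02:00"
    time_zone   = "UTC"
  }

  # Simple authentication with a single administrative user whose password
  # (12 to 250 characters, no commas) comes from a sensitive variable.
  authentication_strategy = "simple"
  user {
    username       = "broker-admin"
    password       = var.broker_admin_password
    console_access = false # enable only for operators who need the Web Console
    groups         = ["admin"]
  }

  tags = {
    Environment = "prod"
    DataClass   = "internal"
  }
}
```

After apply, `aws mq describe-broker --broker-id <broker id>` is the natural post-deployment check: PubliclyAccessible should be false, EncryptionOptions should carry the ARN of aws_kms_key.mq, and Logs should show both General and Audit enabled. If any of those differ from the plan, someone changed the broker outside Terraform.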

Associating resources with a Security Group
Resources do not "belong" to a Security Group. Rather, one or more Security Groups are associated to a resource.
via Terraform:
The following HCL provides an Amazon MQ broker resource:

variable "broker_password" {
  type      = string
  sensitive = true # 12 to 250 characters, no commas; hidden from output but still stored in state
}

resource "aws_mq_broker" "example" {
  broker_name = "example"

  # Applies an aws_mq_configuration resource named "test" declared elsewhere
  configuration {
    id       = aws_mq_configuration.test.id
    revision = aws_mq_configuration.test.latest_revision
  }

  engine_type        = "ActiveMQ"
  engine_version     = "5.15.9"
  host_instance_type = "mq.t2.micro"
  security_groups    = [] # add the IDs of the security groups that should front the broker

  user {
    username = "ExampleUser"
    password = var.broker_password
  }
}

via CLI:

Synopsis of aws mq create-broker (flags shown without brackets are required):

[--authentication-strategy <value>]
--auto-minor-version-upgrade | --no-auto-minor-version-upgrade
--broker-name <value>
[--configuration <value>]
[--creator-request-id <value>]
--deployment-mode <value>
[--encryption-options <value>]
--engine-type <value>
--engine-version <value>
--host-instance-type <value>
[--ldap-server-metadata <value>]
[--logs <value>]
[--maintenance-window-start-time <value>]
--publicly-accessible | --no-publicly-accessible
[--security-groups <value>]
[--storage-type <value>]
[--subnet-ids <value>]
[--tags <value>]
--users <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]


For example, with the broker password held in the BROKER_PASSWORD environment variable rather than typed literally into the command, where it would persist in shell history:

aws mq create-broker --broker-name my-broker --engine-type ActiveMQ --engine-version 5.15.0 --deployment-mode SINGLE_INSTANCE --host-instance-type mq.t2.micro --no-publicly-accessible --auto-minor-version-upgrade --security-groups sg-12345678901234567 --subnet-ids subnet-12345678901234567 --users "Username=ExampleUser,Password=$BROKER_PASSWORD"

aws cost
The cost of using Amazon MQ depends on the type and size of the brokers you create, the storage they use, and the data they transfer; rates vary by AWS region. The main components are:

  • Broker instance cost: an hourly rate for each running broker instance, determined by host_instance_type and deployment_mode. Multi-AZ modes run more than one instance and are billed accordingly, so the cost of high availability should be weighed against the workload's actual availability requirement.
  • Broker storage cost: a per-GB-month charge for the EFS or EBS storage backing the broker (storage_type), which grows with persistent message volume and retention.
  • Data transfer cost: standard AWS data transfer charges apply to traffic leaving the broker, including, for ACTIVE_STANDBY_MULTI_AZ deployments, replication traffic between Availability Zones.

Current prices, pricing examples and the AWS Pricing Calculator are available on the Amazon MQ pricing page on the AWS website.