3 changes: 3 additions & 0 deletions prowler/CHANGELOG.md
Expand Up @@ -14,6 +14,9 @@ All notable changes to the **Prowler SDK** are documented in this file.

### Changed
- Update AWS GuardDuty service metadata to new format [(#9259)](https://github.com/prowler-cloud/prowler/pull/9259)
- Update AWS MQ service metadata to new format [(#9267)](https://github.com/prowler-cloud/prowler/pull/9267)
- Update AWS Macie service metadata to new format [(#9265)](https://github.com/prowler-cloud/prowler/pull/9265)
- Update AWS Lightsail service metadata to new format [(#9264)](https://github.com/prowler-cloud/prowler/pull/9264)

---

@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "mq_broker_active_deployment_mode",
"CheckTitle": "Apache ActiveMQ brokers should be configured in active/standby mode.",
"CheckTitle": "Apache ActiveMQ broker is configured in active/standby Multi-AZ deployment mode",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
"Effects/Denial of Service"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Ensure Amazon MQ Apache ActiveMQ brokers are configured in active/standby mode for high availability and fault tolerance.",
"Risk": "Apache ActiveMQ brokers not configured in active/standby mode lack high availability, increasing the risk of downtime and data loss during failures.",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-basic-elements.html",
"Description": "**ActiveMQ broker deployment mode** is configured as **active/standby** (`ACTIVE_STANDBY_MULTI_AZ`), indicating a redundant pair operating across Availability Zones",
"Risk": "Without **active/standby**, a single-instance broker becomes a **single point of failure**, degrading **availability** and risking **message loss or duplication** during outages or maintenance. This can stall message flows, grow backlogs, and cause inconsistent processing across dependent services.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/deployment-mode.html",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-basic-elements.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-5",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-broker-architecture.html#active-standby-broker-deployment"
],
"Remediation": {
"Code": {
"CLI": "aws mq create-broker --broker-name <broker-name> --engine-type ActiveMQ --deployment-mode ACTIVE_STANDBY_MULTI_AZ",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-5",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/deployment-mode.html"
"CLI": "",
"NativeIaC": "```yaml\n# CloudFormation: Create an ActiveMQ broker in active/standby Multi-AZ\nResources:\n <example_resource_name>:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: <example_resource_name>\n EngineType: ACTIVEMQ\n EngineVersion: <example_resource_name>\n HostInstanceType: mq.t3.micro\n PubliclyAccessible: false\n DeploymentMode: ACTIVE_STANDBY_MULTI_AZ # Critical: sets active/standby Multi-AZ to pass the check\n SubnetIds:\n - <example_resource_id>\n - <example_resource_id> # Critical: two subnets in different AZs required for active/standby\n SecurityGroups:\n - <example_resource_id>\n Users:\n - Username: <example_resource_name>\n Password: <example_resource_id>\n```",
"Other": "1. In the AWS Console, go to Amazon MQ > Brokers > Create broker\n2. Select Engine: ActiveMQ\n3. Set Deployment mode to Active/standby broker (Multi-AZ)\n4. Choose two subnets in different AZs and a security group\n5. Enter a broker name, instance type, and create a user (username/password)\n6. Create the broker, update clients to use the new endpoints, then delete the old single-instance broker",
"Terraform": "```hcl\n# Create an ActiveMQ broker in active/standby Multi-AZ\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"ActiveMQ\"\n engine_version = \"<example_resource_name>\"\n host_instance_type = \"mq.t3.micro\"\n publicly_accessible = false\n deployment_mode = \"ACTIVE_STANDBY_MULTI_AZ\" # Critical: enables active/standby Multi-AZ to pass the check\n\n subnet_ids = [\"<example_resource_id>\", \"<example_resource_id>\"] # Critical: two subnets in different AZs\n security_groups = [\"<example_resource_id>\"]\n\n user {\n username = \"<example_resource_name>\"\n password = \"<example_resource_id>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure Amazon MQ Apache ActiveMQ brokers use active/standby deployment mode for high availability and fault tolerance.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/amazon-mq-broker-architecture.html#active-standby-broker-deployment"
"Text": "Adopt **active/standby deployment** for ActiveMQ brokers to provide multi-AZ resilience.\n\nDesign clients for **failover** with retries and idempotent processing, validate recovery through regular **failover testing**, monitor broker health, and apply **least privilege** to limit blast radius.",
"Url": "https://hub.prowler.com/check/mq_broker_active_deployment_mode"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
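Review bot: the placeholders in the NativeIaC and Terraform snippets use the wrong kind of token: `EngineVersion: <example_resource_name>` / `engine_version = "<example_resource_name>"` and `Password: <example_resource_id>` / `password = "<example_resource_id>"` read as a resource name and an ID where an engine version and a secret are expected, and they diverge from the `<ENGINE_VERSION>`, `<USERNAME>`, `<PASSWORD>` and `<example_username>` / `<example_password>` tokens used in the other two metadata files of this PR; pick one placeholder scheme for all three files. Two smaller points: the CLI field was emptied although the removed line had a usable command (`aws mq create-broker --broker-name <broker-name> --engine-type ActiveMQ --deployment-mode ACTIVE_STANDBY_MULTI_AZ`) that is worth keeping with the new placeholder names, and the Console steps should say, as the RabbitMQ file does, that deployment mode cannot be changed on an existing broker, which is the reason step 6 creates a new broker and deletes the old one. The Description also lacks the trailing period the other fields have.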
@@ -1,31 +1,40 @@
{
"Provider": "aws",
"CheckID": "mq_broker_auto_minor_version_upgrades",
"CheckTitle": "MQ Broker Auto Minor Version Upgrades should be enabled.",
"CheckTitle": "Amazon MQ broker has automated minor version upgrades enabled",
"CheckType": [
"Software and Configuration Checks/Patch Management",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Ensure that automatic minor version upgrades are enabled on Amazon MQ brokers.",
"Risk": "Amazon MQ brokers without automatic minor version upgrades may miss critical updates, leaving them vulnerable to security risks, bugs, and performance issues.",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades",
"Description": "**Amazon MQ brokers** have `autoMinorVersionUpgrade` enabled to automatically apply supported minor and patch engine updates during the scheduled maintenance window.",
"Risk": "Without automatic minor upgrades, brokers may run **known-vulnerable engine versions**, enabling exploits that impact:\n- **Confidentiality**: message disclosure\n- **Integrity**: tampering or replay\n- **Availability**: crashes/DoS and instability\n\nDelayed patches also increase operational risk and drift.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/auto-minor-version-upgrade.html",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades",
"https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-3",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades.html"
],
"Remediation": {
"Code": {
"CLI": "aws mq update-broker --broker-id <broker-id> --auto-minor-version-upgrade",
"NativeIaC": "https://docs.prowler.com/checks/aws/general-policies/ensure-aws-mqbrokers-minor-version-updates-are-enabled/",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-3",
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/MQ/auto-minor-version-upgrade.html"
"CLI": "aws mq update-broker --broker-id <example_resource_id> --auto-minor-version-upgrade",
"NativeIaC": "```yaml\n# CloudFormation: Enable automatic minor version upgrades on an MQ broker\nResources:\n <example_resource_name>:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: <example_resource_name>\n AutoMinorVersionUpgrade: true # Critical: enables automatic minor version upgrades\n DeploymentMode: SINGLE_INSTANCE\n EngineType: ACTIVEMQ\n EngineVersion: <ENGINE_VERSION>\n HostInstanceType: mq.t3.micro\n PubliclyAccessible: true\n Users:\n - Username: <USERNAME>\n Password: <PASSWORD>\n```",
"Other": "1. Open the Amazon MQ console\n2. Go to Brokers and select the target broker\n3. Click Edit\n4. Under Maintenance, check Enable automatic minor version upgrades\n5. Click Save",
"Terraform": "```hcl\n# Terraform: Enable automatic minor version upgrades on an MQ broker\nresource \"aws_mq_broker\" \"<example_resource_name>\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"ActiveMQ\"\n engine_version = \"<ENGINE_VERSION>\"\n host_instance_type = \"mq.t3.micro\"\n publicly_accessible = true\n auto_minor_version_upgrade = true # Critical: enables automatic minor version upgrades\n\n user {\n username = \"<USERNAME>\"\n password = \"<PASSWORD>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that automatic minor version upgrades are enabled on Amazon MQ brokers to receive the latest security patches and improvements automatically.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades.html"
"Text": "Enable `autoMinorVersionUpgrade` on all brokers to reduce patch latency.\n\n- Align upgrades with a defined maintenance window\n- Validate changes in staging before production\n- Monitor broker health and logs after updates\n- Maintain HA and tested backups for rollback (*defense in depth*)",
"Url": "https://hub.prowler.com/check/mq_broker_auto_minor_version_upgrades"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
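Review bot: the remediation examples set `PubliclyAccessible: true` (CloudFormation) and `publicly_accessible = true` (Terraform), so copying them creates an internet-reachable broker; the active/standby file in this same PR uses `false`, and a hardening snippet should default to the private setting. Likewise `DeploymentMode: SINGLE_INSTANCE` in the CloudFormation example would fail the sibling `mq_broker_active_deployment_mode` check, so a passing example should use `ACTIVE_STANDBY_MULTI_AZ` or at least not advertise the single-instance mode. Separately, the last AdditionalURLs entry ends in `#upgrading-brokers-automatic-upgrades.html`, a fragment with a stray `.html` suffix carried over from the old Recommendation Url; it duplicates the correct URL two entries above and should be dropped.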
@@ -1,32 +1,41 @@
{
"Provider": "aws",
"CheckID": "mq_broker_cluster_deployment_mode",
"CheckTitle": "MQ RabbitMQ Brokers should use cluster deployment mode.",
"CheckTitle": "MQ RabbitMQ broker has cluster (multi-AZ) deployment mode",
"CheckType": [
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
"Effects/Denial of Service"
],
"ServiceName": "mq",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:mq:region:account-id:broker:broker-id",
"Severity": "low",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAmazonMQBroker",
"Description": "Ensure that RabbitMQ Brokers use cluster deployment mode.",
"Risk": "Using a single-instance RabbitMQ broker limits fault tolerance and high availability. Without cluster deployment, broker failures could lead to significant downtime and potential data loss.",
"RelatedUrl": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-basic-elements.html",
"Description": "**Amazon MQ RabbitMQ brokers** are assessed for **cluster deployment mode** (`CLUSTER_MULTI_AZ`) with nodes spread across multiple AZs and shared state.\n\nBrokers configured otherwise are identified.",
"Risk": "Without **clustered RabbitMQ**, the broker is a **single point of failure**. An instance or AZ outage can halt queues, cause message loss or duplication, and break ordering, reducing **availability** and **integrity** of workloads that depend on the broker.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-basic-elements.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-6",
"https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture.html#rabbitmq-broker-architecture-cluster",
"https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/TemplateReference/aws-resource-amazonmq-broker.html",
"https://docs.aws.amazon.com/controltower/latest/controlreference/mq-rules.html"
],
"Remediation": {
"Code": {
"CLI": "aws mq create-broker --broker-name <your-broker-name> --engine-type RabbitMQ --deployment-mode CLUSTER_MULTI_AZ",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/mq-controls.html#mq-6",
"Terraform": ""
"CLI": "aws mq create-broker --broker-name <example_resource_name> --engine-type RABBITMQ --deployment-mode CLUSTER_MULTI_AZ --host-instance-type mq.m5.large --publicly-accessible --auto-minor-version-upgrade --users '[{\"Username\":\"<example_username>\",\"Password\":\"<example_password>\"}]'",
"NativeIaC": "```yaml\n# CloudFormation: create a RabbitMQ broker in cluster (Multi-AZ) mode\nResources:\n ExampleBroker:\n Type: AWS::AmazonMQ::Broker\n Properties:\n BrokerName: \"<example_resource_name>\"\n EngineType: RABBITMQ # Critical: ensures the broker is RabbitMQ\n DeploymentMode: CLUSTER_MULTI_AZ # Critical: sets cluster (Multi-AZ) to pass the check\n HostInstanceType: mq.m5.large\n PubliclyAccessible: true\n Users:\n - Username: \"<example_username>\"\n Password: \"<example_password>\"\n```",
"Other": "1. Open the AWS Console and go to Amazon MQ\n2. Click Brokers > Create broker\n3. Select RabbitMQ as the engine\n4. Set Deployment mode to Cluster (Multi-AZ)\n5. Enter a broker name, choose an instance type, set Public access as needed, and create one admin user\n6. Click Create broker\n7. Migrate applications to the new broker endpoint, then delete the old single-instance broker\n\nNote: Deployment mode cannot be changed on an existing broker; you must create a new cluster broker.",
"Terraform": "```hcl\n# Terraform: create a RabbitMQ broker in cluster (Multi-AZ) mode\nresource \"aws_mq_broker\" \"example\" {\n broker_name = \"<example_resource_name>\"\n engine_type = \"RabbitMQ\" # Critical: RabbitMQ engine\n deployment_mode = \"CLUSTER_MULTI_AZ\" # Critical: cluster (Multi-AZ) to pass the check\n host_instance_type = \"mq.m5.large\"\n publicly_accessible = true\n\n user {\n username = \"<example_username>\"\n password = \"<example_password>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure RabbitMQ brokers are deployed in cluster mode to enhance resilience and prevent data loss during failures.",
"Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture.html#rabbitmq-broker-architecture-cluster"
"Text": "Use **cluster deployment** (`CLUSTER_MULTI_AZ`) for RabbitMQ to remove single-instance risk.\n\nApply **resiliency by design**: clients auto-reconnect, retries with backoff, and idempotent processing; test failover, size for node loss, and enforce **least privilege** with monitoring for defense in depth.",
"Url": "https://hub.prowler.com/check/mq_broker_cluster_deployment_mode"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
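Review bot: Severity moves from low to medium here while the ActiveMQ active/standby check in this PR stays at low, although both Risk texts describe the same single-point-of-failure and message-loss scenario; either align the two or state the reason in the PR. As in the auto-minor-upgrade file, the CLI (`--publicly-accessible`), CloudFormation (`PubliclyAccessible: true`) and Terraform (`publicly_accessible = true`) examples expose the broker publicly by default; prefer the private setting in remediation code and let users opt in. The Console note that deployment mode cannot be changed on an existing broker is a good addition and belongs in the active/standby file too. Minor: the `docs.amazonaws.cn` link in AdditionalURLs points at the China-region mirror of the CloudFormation reference; the equivalent page under docs.aws.amazon.com is the usual choice for the global docs.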