AMQP Credentials
Service Name: Advanced Message Queuing Protocol
Service Description: AMQP (Advanced Message Queuing Protocol) is an open standard application layer protocol for message-oriented middleware. It enables applications to communicate by sending messages between them, supporting message orientation, queuing, routing, reliability, and security.
Service Address: Various implementations including RabbitMQ and Apache ActiveMQ
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the broker level through firewall rules or access control mechanisms specific to the AMQP implementation.
Secret Access Scope: Grants access to message queues, exchanges, and the ability to publish and consume messages within an AMQP broker.
Secret Revokement URL: Depends on the specific AMQP implementation. For RabbitMQ: https://www.rabbitmq.com/access-control.html
Secret Example: amqp://username:password@host:port/vhost
Suspicious Activity Investigation Instructions:
- Review connection logs from your AMQP broker for unusual access patterns or unauthorized connections.
- Check for unexpected message publishing or consumption activities.
- Monitor for unusual queue creation, deletion, or binding operations.
- Look for abnormal message throughput or queue depth changes.
- Verify if there are connections from unexpected IP addresses or locations.
Mitigation Instructions:
- Immediately change the compromised credentials in your AMQP broker's management interface.
- Revoke the compromised user's permissions or delete the user entirely.
- Create new credentials with appropriate permissions.
- Update all applications using these credentials with the new connection string.
- Consider implementing IP-based restrictions for AMQP connections.
- Enable TLS for AMQP connections if not already in use.
- Review and tighten permission scopes for AMQP users to follow the Principle of Least Privilege.
- Implement connection rate limiting to prevent brute force attacks.