How does the API authentication work

API authentication and authorization for Amazon MQ

Amazon MQ uses the standard AWS request signature for API authentication. For more information, see Signing AWS Requests in the General AWS Reference.

Currently, Amazon MQ does not support IAM authentication using resource-based permissions or resource-based policies.

To authorize AWS users to work with brokers, configurations, and users, you must edit the IAM policy permissions.

IAM permissions required to create an Amazon MQ broker

To create a broker, you must either use the or add the following EC2 permissions to your IAM policy.

The following custom policy consists of two statements (one conditional) that grant permissions to modify the resources that Amazon MQ needs to create an ActiveMQ broker.

  • The action is required for Amazon MQ to create an Elastic Network Interface (ENI) for you in your account.

  • This authorizes Amazon MQ to attach the ENI to an ActiveMQ broker.

  • The condition key ensures that ENI permissions are only granted to Amazon MQ service accounts.

For more information, see Create an IAM User and Get Your AWS Credentials and Never Modify or Delete the Amazon MQ Elastic Network Interface.
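As an added example (not the policy document from the original page), the two-statement structure described above written out as an IAM policy. The EC2 action names and the condition key are assumptions taken from EC2's documented IAM actions, since this page does not name them; the service principal value is likewise assumed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAmazonMQToCreateENI",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterface",
      "Resource": "*"
    },
    {
      "Sid": "AllowAmazonMQToAttachENIOnlyForTheMQService",
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterfacePermission",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "mq.amazonaws.com"
        }
      }
    }
  ]
}
```

The first statement is unconditional; the second is the conditional one, and the `StringEquals` condition is what limits the ENI attach permission to the Amazon MQ service rather than to any caller holding the policy.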

Amazon MQ API Permissions Reference

The following table lists Amazon MQ REST APIs and their corresponding IAM permissions.

Resource-level permissions to Amazon MQ API actions

Resource-level permissions are the ability to specify the resources that users are allowed to take action on. Amazon MQ partially supports resource-level permissions. With certain Amazon MQ actions, you can control when users can use those actions, based on conditions that must be met or on specific resources that users are allowed to use.

The following table lists the Amazon MQ API actions that currently support resource-level permissions and the supported resources, resource ARNs, and condition keys for each action.

If an Amazon MQ API Action is not listed in this table, it does not support resource-level permissions. If an Amazon MQ API action does not support resource-level permissions, you can give users permission to use that action, but you must include an asterisk (*) wildcard for the resource item in the policy statement.