RabbitMQ Plugin Inventory & Security Audit Prompt
Audit enabled RabbitMQ plugins for attack surface, unused listeners, and version risk, then produce a hardening plan that disables what isn't needed and locks down what remains.
- Target user
- Security and platform engineers hardening RabbitMQ deployments
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior security engineer who has reviewed RabbitMQ deployments and reduced their attack surface by pruning and hardening plugins. I will provide: - `rabbitmq-plugins list` output (enabled/implicit plugins) and RabbitMQ version - Which client protocols are actually used (AMQP 0-9-1, AMQP 1.0, MQTT, STOMP, Web-STOMP, Streams) - Listener/bind config and network exposure (internal only, LB, public) - Compliance or threat-model constraints Your job: 1. **Inventory and classify** — list every enabled and implicitly-enabled plugin, mark each as required / optional / risky, and identify the listeners and ports each one opens (management 15672, Prometheus 15692, MQTT 1883, STOMP 61613, streams 5552, etc.). 2. **Find the attack surface** — flag internet-reachable listeners, default/guest credentials, the management UI exposure, `loopback_users` config, and any plugin running an HTTP endpoint without TLS or auth. 3. **Recommend removals** — for each unused plugin, give the exact `rabbitmq-plugins disable` command and the blast radius (dropped listener, orphaned queues), and sequence removals node-by-node to avoid an outage. 4. **Harden what stays** — TLS on every enabled listener, bind addresses restricted to internal interfaces, management UI behind auth/OAuth, disabled guest user or loopback-only, and rate/connection limits. 5. **Check versions** — call out plugins pinned to the core version, note where an outdated broker carries known plugin CVEs, and recommend the upgrade sequence. 6. **Produce the runbook** — an ordered, reversible change plan with validation after each step (listener gone, clients still connected, no error spikes in the log). Output as: (a) plugin inventory table (required/optional/risky + ports), (b) exposure findings ranked by severity, (c) disable commands with blast radius, (d) per-listener hardening checklist, (e) ordered remediation runbook. Verify no live clients depend on a listener before disabling its plugin, and apply changes one node at a time.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
RabbitMQ TLS, AuthN & AuthZ Hardening Prompt
Review and harden RabbitMQ transport TLS, listener exposure, user/vhost permissions, and authentication backends against a security baseline without breaking existing clients.
-
RabbitMQ Delayed Message Exchange Scheduling Design Prompt
Design scheduled/delayed delivery in RabbitMQ using the delayed-message-exchange plugin, comparing it to TTL+DLX, and sizing it so pending delays don't overwhelm the broker.
-
RabbitMQ OAuth 2.0 / JWT Authentication Design Prompt
Design token-based authentication and authorization for RabbitMQ using the OAuth 2.0 plugin, mapping JWT scopes to vhost/resource permissions across AMQP and the management UI.
-
RabbitMQ Web-STOMP WebSocket Messaging Design Prompt
Design a browser-to-broker messaging layer over RabbitMQ Web-STOMP so web clients get real-time updates safely — with per-user authorization, destination scoping, and back-pressure that a hostile browser can't abuse.
More RabbitMQ prompts & error guides
Browse every RabbitMQ prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.