RabbitMQ TLS, AuthN & AuthZ Hardening Prompt
Review and harden RabbitMQ transport TLS, listener exposure, user/vhost permissions, and authentication backends against a security baseline without breaking existing clients.
- Target user: Security and platform engineers
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior RabbitMQ security engineer producing a hardening review against a stated baseline (CIS-style / zero-trust). I will provide:

- The relevant rabbitmq.conf / advanced.config (listeners, ssl_options, auth_backends, loopback users)
- Output of `rabbitmqctl list_users` (which lists each user together with its tags), `rabbitmqctl list_permissions -p <vhost>`, `rabbitmqctl list_topic_permissions -p <vhost>`, and `rabbitmqctl list_vhosts`
- Which ports are exposed (5672 AMQP, 5671 AMQPS, 15672 management, 25672 inter-node distribution, 4369 epmd) and to what networks
- Auth backend in use (internal, LDAP, OAuth2/JWT) and the cert/CA setup

Your job:

1. **Audit transport** — confirm TLS is required on client and inter-node listeners (`listeners.tcp = none`, inter-node TLS for the distribution port), check `ssl_options.verify = verify_peer` and `ssl_options.fail_if_no_peer_cert = true`, the minimum TLS version (`ssl_options.versions`) and cipher list, and flag any plaintext 5672 still listening.
2. **Reduce listener exposure** — recommend binding management (15672) off the public network, or serving it only over TLS on 15671, and firewalling 4369/25672 to cluster peers only; clients never need either of those two ports.
3. **Review users & tags** — flag the default `guest` account (loopback-only by default, but it should be deleted), over-broad `administrator` tags, and shared service credentials; recommend least-privilege per-app users.
4. **Tighten permissions** — evaluate the configure/write/read regex permissions and topic permissions per vhost, flag `.*` grants, and propose vhost isolation per tenant/app.
5. **Strengthen auth** — advise on LDAP/OAuth2 backend config, credential rotation, and disabling the internal auth fallback (an `auth_backends.2 = internal` entry after an external backend) where required.
6. **Verify** — give commands to confirm TLS negotiation (`openssl s_client -connect <host>:5671`), that plaintext 5672 is refused, and the effective permissions per user (`rabbitmqctl list_user_permissions <user>`).

Output: (a) findings ranked by severity, (b) exact config/permission changes, (c) verification commands, (d) a rollout note to avoid locking out clients.

Advisory only: stage permission and listener changes carefully, and keep a working admin path while editing auth backends.
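As an added example, not part of the original prompt page, the following Python script performs the offline part of the review the prompt asks for: it parses a rabbitmq.conf, applies the transport, exposure, guest and auth-backend checks from steps 1 to 5, parses the tab-separated tables that `rabbitmqctl list_users` and `rabbitmqctl list_permissions -p <vhost>` print, and returns findings ranked by severity. The configuration keys it inspects (`listeners.tcp`, `ssl_options.verify`, `ssl_options.fail_if_no_peer_cert`, `ssl_options.versions.N`, `loopback_users.guest`, `management.tcp.ip`, `auth_backends.N`) are real rabbitmq.conf keys; the weak and hardened sample configs, the user names `guest`/`billing-svc`, the vhost `orders` and the severity mapping are constructed for illustration and are not a published CIS mapping.

```python
"""Added example: offline baseline checks over rabbitmq.conf and rabbitmqctl output (sample input is constructed)."""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_rabbitmq_conf(text):
    """rabbitmq.conf is a flat 'dotted.key = value' file; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_conf(conf):
    f = []
    tcp = [v for k, v in conf.items() if k.startswith("listeners.tcp")]
    # Without any listeners.tcp.* key RabbitMQ still opens plaintext 5672 by default.
    if not tcp or any(v != "none" for v in tcp):
        f.append(("high", "plaintext AMQP (5672) listening; set listeners.tcp = none"))
    if not any(k.startswith("listeners.ssl") for k in conf):
        f.append(("high", "no TLS listener (listeners.ssl.*) configured"))
    if conf.get("ssl_options.verify") != "verify_peer":
        f.append(("high", "ssl_options.verify is not verify_peer; client certs are not verified"))
    if conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        f.append(("medium", "ssl_options.fail_if_no_peer_cert is not true"))
    versions = {v for k, v in conf.items() if k.startswith("ssl_options.versions.")}
    if not versions or versions - {"tlsv1.2", "tlsv1.3"}:
        f.append(("medium", f"TLS versions not pinned to 1.2/1.3: {sorted(versions) or 'defaults'}"))
    # loopback_users.guest defaults to true, i.e. guest may only connect from localhost.
    if conf.get("loopback_users") == "none" or conf.get("loopback_users.guest") == "false":
        f.append(("high", "guest may authenticate from non-loopback addresses"))
    if conf.get("management.tcp.ip", "0.0.0.0") not in ("127.0.0.1", "::1"):
        f.append(("medium", "management UI (15672) not bound to loopback; firewall it or move to management.ssl.*"))
    backends = [conf[k] for k in sorted(conf) if k.startswith("auth_backends.")]
    if len(backends) > 1 and "internal" in backends[1:]:
        f.append(("low", f"internal backend is a fallback after {backends[0]}; confirm it is required"))
    return f


def parse_ctl_table(text):
    """Rows of the tab-separated table `rabbitmqctl list_*` prints; banner and header lines skipped."""
    return [line.split("\t") for line in text.splitlines()
            if line and not line.startswith(("Listing", "user\t"))]


def audit_access(list_users_out, permissions_by_vhost):
    f, vhosts_per_user = [], {}
    for user, tags in parse_ctl_table(list_users_out):
        if user == "guest":
            f.append(("high", "default guest account still exists; delete it"))
        elif "administrator" in tags:
            f.append(("medium", f"user {user} carries the administrator tag; confirm it is a human admin"))
    for vhost, out in permissions_by_vhost.items():
        for user, configure, write, read in parse_ctl_table(out):
            vhosts_per_user.setdefault(user, []).append(vhost)
            if configure == write == read == ".*":
                f.append(("medium", f"user {user} has .* configure/write/read on vhost {vhost}"))
    for user, vhosts in vhosts_per_user.items():
        if len(vhosts) > 1:
            f.append(("low", f"user {user} spans vhosts {vhosts}; use one user per app and vhost"))
    return f


def ranked(findings):
    return sorted(findings, key=lambda x: SEVERITY_RANK[x[0]])


# Constructed samples: a weak config beside its hardened counterpart, plus fake rabbitmqctl output.
WEAK_CONF = """
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca.pem
ssl_options.verify = verify_none
loopback_users.guest = false   # lets guest log in remotely
auth_backends.1 = ldap
auth_backends.2 = internal
"""
HARDENED_CONF = """
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ca.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
management.tcp.ip = 127.0.0.1
auth_backends.1 = ldap
"""
LIST_USERS_OUT = "Listing users ...\nuser\ttags\nguest\t[administrator]\nbilling-svc\t[]\n"
PERMS_OUT = {
    "/": 'Listing permissions for vhost "/" ...\nuser\tconfigure\twrite\tread\n'
         "guest\t.*\t.*\t.*\nbilling-svc\t.*\t.*\t.*\n",
    "orders": 'Listing permissions for vhost "orders" ...\nuser\tconfigure\twrite\tread\n'
              "billing-svc\t^billing\\..*\t^billing\\..*\t^billing\\..*\n",
}

if __name__ == "__main__":
    for sev, msg in ranked(audit_conf(parse_rabbitmq_conf(WEAK_CONF)) + audit_access(LIST_USERS_OUT, PERMS_OUT)):
        print(f"[{sev}] {msg}")
```

Feed it the real files and command output in place of the constructed strings; the hardened sample produces no findings, the weak one produces seven. Two caveats: a management listener bound to a private interface is flagged as well, because the script cannot see the network topology, so treat that finding as a review item rather than a verdict; and the check that plaintext 5672 is actually refused and that `verify_peer` really rejects certless clients still needs the live `openssl s_client` verification from step 6, which no static check replaces.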