Learn about the responsibilities you have when you use IBM® MQ on AWS.
Overview of shared responsibilities
IBM MQ on AWS is a managed service in the shared responsibility
model. Review the following table of who is responsible for particular cloud resources when using
IBM MQ on AWS. Then, you can view more granular tasks for shared
responsibilities in Tasks for shared responsibilities by area.

| Resource | Incident and operations management | Change management | Identity and access management | Security and regulation compliance | Disaster recovery |
| --- | --- | --- | --- | --- | --- |
| Data | You | You | You | You | You |
| Applications | You | You | You | You | You |
| Observability | Shared | IBM | Shared | IBM | IBM |
| Queue manager | Shared | Shared | Shared | Shared | Shared |
| Certificates | Shared | IBM | IBM | IBM | IBM |
| App networking | IBM | IBM | IBM | IBM | IBM |
| Cluster networking | IBM | IBM | IBM | IBM | IBM |
| Cluster version | IBM | IBM | IBM | IBM | IBM |
| Worker nodes | IBM | IBM | IBM | IBM | IBM |
| Master | IBM | IBM | IBM | IBM | IBM |
| Service | IBM | IBM | IBM | IBM | IBM |
| Virtual storage | IBM | IBM | IBM | IBM | IBM |
| Virtual network | IBM | IBM | IBM | IBM | IBM |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Physical servers and memory | IBM | IBM | IBM | IBM | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and Data Centers | IBM | IBM | IBM | IBM | IBM |

Tasks for shared responsibility by area
After reviewing the Overview of shared responsibilities, see which tasks you and IBM share responsibility for
in each area and for each resource when you use IBM MQ on AWS.
- Incident and operations management
- You and IBM share responsibilities for the setup and maintenance of your IBM MQ on AWS
environment. You are responsible for incident and operations management of your application
data.

| Resource | IBM responsibilities | Your responsibilities |
| --- | --- | --- |
| Queue manager | - Provide a highly available queue manager deployment<br>- Configure channels and queues for testing purposes<br>- Monitor queue manager availability | - Select the queue manager size based on messaging requirements, see Queue manager sizes - AWS.<br>- Monitor AWS for planned maintenance<br>- Configure and monitor queue depth to ensure storage requirements do not exceed limits<br>- Monitor open connections to ensure they do not exceed limits<br>- Configure multiple queue managers in different regions to provide additional high availability, see High availability and disaster recovery |
| Certificates | - Provide Let's Encrypt signed certificates<br>- Refresh provided certificates before expiry | - Optionally import user-defined certificate chains<br>- Ensure that user provided certificates do not expire<br>- Configure certificate usage on queue manager channels |

- Change management
- You and IBM share responsibilities for managing queue manager changes in the IBM MQ on AWS
environment. You are responsible for change management of your application data.

| Resource | IBM responsibilities | Your responsibilities |
| --- | --- | --- |
| Queue manager | - Automatic upgrade to the latest revision | - Managing queue manager configuration<br>- Optional: manually upgrade queue managers to the latest revision before automatic upgrade |

- Identity and access management
- You and IBM share responsibilities for controlling access to the IBM MQ on AWS
environment. You are responsible for identity and access management of your application data.

| Resource | IBM responsibilities | Your responsibilities |
| --- | --- | --- |
| Queue Manager | - Configure users and applications with the required IAM policies<br>- Provide API keys for users and applications to authenticate | - Define the users and applications that have access to queue managers<br>- Configure authority records for queue manager specific resources |

- Security and regulation compliance
- IBM is responsible for the security and compliance of the IBM MQ on AWS
service. You and IBM share responsibilities for the security and compliance of the queue managers.
You are responsible for security and regulation compliance of your application data.

| Resource | IBM responsibilities | Your responsibilities |
| --- | --- | --- |
| Queue Manager | - Maintain controls to meet industry compliance standards such as ISO27k<br>- Provide default queue manager resources that are TLS enabled<br>- Monitor, isolate, and recover the queue manager<br>- Automatically apply security patch updates<br>- Disable certain insecure actions such as channel exits<br>- Continuously monitor queue manager images to detect vulnerability and security compliance issues | - Configure queue manager security such as TLS and AMS on queue manager resources<br>- Configure authority records for queue manager resources to limit access to only required users and applications |

- Disaster recovery
- You and IBM share responsibilities for the setup and maintenance of your IBM MQ on AWS
environment. You are responsible for disaster recovery of your application data.

| Resource | IBM responsibilities | Your responsibilities |
| --- | --- | --- |
| Queue Manager | - Backup queue manager configuration daily<br>- Recover required infrastructure<br>- Provision new infrastructure in a backup availability zone, if recovery is not possible<br>- Redeploy queue managers to new availability zone<br>- Restore queue manager configuration from previous backup | - Reset channel sequence numbers so that channels will successfully communicate |

- Applications and data
- You are completely responsible for the applications and data that you use with IBM MQ on AWS.
However, IBM provides various tools to help you set up, manage, secure, integrate and optimize your
apps as described in the following table.

| Resource | How IBM helps | What you can do |
| --- | --- | --- |
| Applications | - Provide default queue manager configuration to allow applications to connect securely<br>- Provide sample applications such as MQ JMS client<br>- Generate an API key that is used to access queue managers<br>- Provide application connection configuration in JSON CCDT format | - Maintain responsibility for your apps, data, and their complete lifecycle<br>- Configure applications for high availability<br>- Manage open connections to ensure the maximum queue manager limit is not exceeded |
| Data | - Provide encrypted persistent storage for persistent messages<br>- Separation of storage from queue manager runtime allowing queue managers to recover within an availability zone with no data loss | - Maintain responsibility for your data and how your apps consume the data<br>- Control queue sizes to prevent storage limits being exceeded<br>- Encrypt message payload in transit and at rest using Advanced Message Security (AMS) |