Em

Eclipse Mosquitto MQTT Broker - Secured

AWS Application Stacks

Overview

Launch a secure MQTT broker in minutes. Eclipse Mosquitto with per-instance credentials auto-generated on first boot - no default passwords, no manual hardening. Backed by 24/7 cloudimg support.

Description

This is a repackaged open source software product wherein additional charges apply for cloudimg support services.

## Overview

Eclipse Mosquitto is the open source message broker that implements the MQTT protocol - the de facto standard for lightweight publish/subscribe messaging on the Internet of Things. It is small, fast, and battle tested, and is the broker recommended by the OASIS MQTT technical committee. Eclipse Mosquitto has been downloaded millions of times and powers IoT deployments worldwide across industries including industrial automation, smart buildings, and fleet management.

This AMI delivers Eclipse Mosquitto fully installed and configured so a working, authenticated MQTT broker is running within minutes of launch. The current stable line is provided.

## What Is Included

Eclipse Mosquitto, installed from the official Mosquitto PPA, running as a single node broker. The mosquitto-clients package provides the mosquitto_pub and mosquitto_sub command line tools for publishing and subscribing from the instance itself or remote machines. The broker is the only workload on the image, so the platform stays lean and predictable.

## Authentication Enabled By Default

The image ships with password authentication switched on. The Mosquitto configuration sets allow_anonymous to false and points at a password file, so anonymous MQTT connections are rejected from the moment the broker starts. There is no public or default broker access. This eliminates the risk of exposed default credentials - a common attack vector in IoT deployments.

## Secure First Boot

On the first boot of your instance a one-shot service generates a fresh, strong password for the cloudimg MQTT user, unique to that instance, applies it to the broker with mosquitto_passwd, and writes it to a file that only the root user can read. No shared or default MQTT credentials ship in the image. Each instance receives its own cryptographically random credentials.

## Security and Hardening

  • Authentication: Password-based access control enforced from first boot
  • TLS encryption in transit: Add a TLS listener on port 8883 with your own certificate following the user guide
  • Minimal attack surface: Only the MQTT broker runs on the image; unnecessary packages are removed
  • Network isolation: Deploy in a VPC private subnet and restrict Security Group ingress to ports 1883/8883 from trusted CIDR ranges only
  • File permissions: Generated credentials stored with root-only read access (chmod 600)

## AWS Integrations

This broker integrates with your AWS environment:

  • AWS IoT Core: Bridge messages between your local Mosquitto broker and AWS IoT Core for hybrid cloud/edge architectures
  • Amazon CloudWatch: Forward broker metrics and logs to CloudWatch for centralized monitoring and alerting
  • Amazon Kinesis: Stream MQTT messages into Kinesis Data Streams for real-time analytics pipelines
  • VPC and Security Groups: Deploy within your VPC with fine-grained network controls

The broker also works with popular open source platforms such as Node-RED for visual flow programming and Home Assistant for smart home automation.

## Use Case: Industrial IoT Telemetry Pipeline

A manufacturing facility with thousands of sensors reporting temperature, vibration, and pressure readings every 30 seconds publishes telemetry to the Mosquitto broker over MQTT. The broker fans out messages to subscribers including a time-series database for historical analysis and an alerting service for threshold breaches. The lightweight protocol keeps bandwidth low even over constrained factory networks.

## Ready To Use

1. Launch the AMI from AWS Marketplace in your chosen VPC and subnet

2. Ensure your Security Group allows inbound TCP on port 1883 (and 8883 if using TLS)

3. SSH into the instance using your key pair

4. Read the generated password: sudo cat /root/mqtt_password.txt

5. Test immediately: mosquitto_pub -h localhost -u cloudimg -P YOUR_PASSWORD -t test -m hello

6. Subscribe from another terminal: mosquitto_sub -h localhost -u cloudimg -P YOUR_PASSWORD -t test

The broker listens for MQTT on port 1883 by default; the user guide explains how to add a TLS listener on 8883 with your own certificate.

## cloudimg Support

24/7 technical support by email and chat. Help with MQTT broker deployment, authentication and access control, TLS configuration, bridging multiple brokers, AWS IoT Core integration, and broker tuning.

All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Key Features

  • Eclipse Mosquitto preinstalled and ready, running as a single node MQTT broker with the mosquitto_pub and mosquitto_sub command line tools, with no manual setup required
  • Password authentication is enabled by default and a fresh MQTT password is generated for every instance on first boot and stored in a file only the root user can read
  • 24/7 technical support from cloudimg, with expert assistance for MQTT broker deployment, authentication and access control, TLS configuration and broker tuning

Related Technologies

mqtt mosquitto iot message broker pubsub publish subscribe eclipse mosquitto

Deploy on AWS

Launch this preconfigured AMI on AWS with 24/7 support from cloudimg.

Read the deployment guide

24/7 Support Included

Email: support@cloudimg.co.uk

Phone: (+44) 0333 006 4730

Product Details

Category
Application Stacks
Support
24/7, 365 days/year
Platform
AWS (Amazon Web Services)
Last Updated
2026-06-25