CIS Benchmark version 1.5.0 is Now Available in the Compliance Module
Stax has introduced support for the Center for Internet Security's Amazon Web Services Foundations Benchmark version 1.5.0. This introduces the following changes over the previous iteration, version 1.4.0:
The following new rules were added to the Benchmark:
- 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
- 2.3.3 Ensure that public access is not given to RDS Instance
- 2.4.1 Ensure that encryption is enabled for EFS file systems
- 4.16 Ensure AWS Security Hub is enabled
- 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports
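As an added illustration of what rule 5.3 evaluates (this is not Stax's Rule Bundle code), the Python below flags security group ingress rules that let ::/0 reach port 22 or 3389, including "all traffic" rules; the input is a constructed sample shaped like EC2 DescribeSecurityGroups output, and the group IDs are made up.

```python
# Added illustration of the CIS 5.3 check; not Stax's Rule Bundle implementation.
# The security-group records below are constructed to mirror the shape of
# EC2 DescribeSecurityGroups output; the group IDs are made up.
ADMIN_PORTS = {22, 3389}  # remote server administration ports named by the Benchmark


def permission_covers_admin_port(perm):
    """True if one IpPermissions entry reaches port 22 or 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic": every port, every protocol
        return True
    if proto not in ("tcp", "udp"):
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def ipv6_admin_ingress_findings(security_groups):
    """Return (GroupId, IpProtocol, FromPort, ToPort) for each rule letting ::/0 reach an admin port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_admin_port(perm):
                continue
            # Only IPv6 ranges matter for 5.3; 0.0.0.0/0 is the concern of the IPv4 rule.
            if any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])):
                findings.append((sg["GroupId"], perm.get("IpProtocol"),
                                 perm.get("FromPort"), perm.get("ToPort")))
    return findings


SAMPLE_GROUPS = [  # constructed sample input
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for finding in ipv6_admin_ingress_findings(SAMPLE_GROUPS):
        print("5.3 violation:", finding)
```

Only sg-0aaa (SSH from ::/0) and sg-0ccc (all traffic from ::/0) are reported; sg-0bbb exposes a non-administration port and sg-0ddd is open over IPv4 only.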
One rule has been changed:
- 3.8 Ensure rotation for customer created symmetric CMKs is enabled
The Rule Bundle cannot validate all components of the Benchmark, so the following items must be evaluated manually:
- 1.1: Maintain current contact details
- 1.2: Ensure security contact information is registered
- 1.3: Ensure security questions are registered in the AWS account
- 1.18: Ensure IAM instance roles are used for AWS resource access from instances
- 1.21: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- 2.1.4: Ensure all data in Amazon S3 has been discovered, classified and secured when required
- 5.4: Ensure routing tables for VPC peering are "least access"
To enable this new version of the Bundle, see Keep Bundles Up To Date. If you have automatic updates enabled on the CIS Benchmark Bundle, Stax will automatically update you to version 1.5.0.