Changelog

changed
08/27/2020

IDAM reliability, security and performance updates

As part of our ongoing commitment to security and reliability, we've made some changes to your IDAM service with release 9.0.3-8-1272a06:

  • IDAM now runs in a high availability configuration giving you single-AZ (Availability Zone) redundancy
  • Some changes to the network configuration of IDAM have been made to better meet our recommended best practice approach
  • Some changes have been made to the IDAM log storage bucket to enforce encryption in line with best practice

These changes have been applied automatically by Stax during our advertised maintenance period.

changed
08/25/2020

Rotation enabled for Stax-managed Customer Master Keys

As per item 2.8 of the CIS AWS Foundations Benchmark, all Customer Master Keys (CMKs) created by the Stax platform in customer AWS accounts now have automatic yearly rotation enabled.

This change does not impact CMKs created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

This change applies to the following CMKs in your AWS accounts:

  • spotlight-etl-sns
  • stax-alarm-sns-key

More info

Below is an excerpt from the CIS AWS Foundations Benchmark document that provides some more context around this recommendation:

2.8 Ensure rotation for customer created CMKs is enabled

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.

added
08/21/2020

Targeted Rule Alerts

Stax's Cost & Compliance Real-Time Rule Alerts functionality now supports filtering to allow you to receive targeted notifications for compliance events.

You can use this feature in scenarios where certain recipients should receive only the notifications relevant to their use case:

  • Receive only high-severity Rule notifications to a shared inbox for processing
  • Receive alerts only when the "S3 Buckets should not be Publicly Open" Rule is broken

changed, removed
08/20/2020

S3 best practices applied for legacy S3 buckets

As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have enforced encryption of data in transit using HTTPS (TLS).

This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

This change applies to the following legacy S3 buckets in your AWS Accounts:

  • juma-cloudtrail-*
  • juma-cloudtrail-master-accesslogbucket-*
  • juma-cloudtrail-master-jumaaccesslogbucket-*
  • juma-jumatrail-*
  • juma-config-*
  • juma-session-manager-*

The following legacy S3 buckets will be removed in your AWS Accounts:

  • stax-billing-*
  • stax-billing-accesslogs-*
  • juma-billing-*

Please note: The legacy S3 buckets that are removed contain only outdated billing information. These buckets have not been in use since February 2020 and as such no impact is expected by this removal. The best way to access your billing information is with Stax's Cost & Compliance module.

added
08/20/2020

Edit Transit VPC's Gateway Endpoints

As part of Stax Networks, Gateway VPC Endpoints attached to your Transit VPC can now be modified from your Transit VPC's details drawer.

For more information, see Edit Your Transit VPC within the Manage Networking Hubs documentation.

changed, removed
08/17/2020

Encryption of Stax-managed SNS topics

As per AWS best practices, all SNS topics created by the Stax platform in customer AWS Accounts have encryption enabled using KMS. One unused SNS Topic has been removed from accounts.

  • Changed: Encrypted stax-assurance-cis-benchmark-EventIngestTopic topic in all accounts
  • Changed: Encrypted staxtrail-<org-id> topic in logging account
  • Changed: Encrypted cloudtrail-<org-id> topic in logging account
  • Changed: Encrypted stax-assurance-event-processor-EventIngestTopic topic in security account
  • Removed: stax-config-<org-id> topic in logging account, as it was not used

If you have your own sources publishing messages to these topics, you will need to configure each source with the right permissions so that it can continue publishing to the topic. For more information on this, see publishing to encrypted topics.

changed
08/17/2020

Enforced encryption of data in transit for Stax-created S3 buckets

As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have enforced encryption of data in transit using HTTPS (TLS).

This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

This change applies to the following S3 buckets in your AWS Accounts:

  • stax-cloudtrail-<org-id>
  • stax-cloudtrail-accesslogs-<org-id>
  • stax-staxtrail-<org-id>
  • stax-staxtrail-accesslogs-<org-id>
  • stax-config-<org-id>
  • stax-config-accesslogs-<org-id>
  • stax-billing-<org-id>
  • stax-billing-accesslogs-<org-id>
  • stax-session-manager-<org-id>
  • stax-idam-waflogs-<account-id>
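
To check that a bucket policy really enforces TLS as described here and in the 08/20/2020 entry for legacy buckets, the following added example (not Stax's code, and not the policy Stax applies) evaluates a policy document for the common AWS pattern of a Deny on `aws:SecureTransport` = `false`. The bucket name, account ID and sample policies are constructed, and the standard `aws` partition is assumed.

```python
BUCKET = "example-bucket"  # constructed name, not a real Stax bucket
ARN = f"arn:aws:s3:::{BUCKET}"  # assumes the standard "aws" partition

def _as_list(value):
    """IAM policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [value]

def _matches_only_plain_http(stmt):
    """True when the sole condition is Bool aws:SecureTransport = false."""
    cond = {op.lower(): {k.lower(): v for k, v in keys.items()}
            for op, keys in stmt.get("Condition", {}).items()}
    if set(cond) != {"bool"} or set(cond["bool"]) != {"aws:securetransport"}:
        return False
    values = _as_list(cond["bool"]["aws:securetransport"])
    return bool(values) and all(str(v).lower() == "false" for v in values)

def enforces_tls(policy, bucket):
    """True when Deny statements block non-TLS requests from every principal,
    for every S3 action, on both the bucket and its objects. Statements using
    NotPrincipal/NotAction/NotResource or ARN wildcards are not credited."""
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if (stmt.get("Effect") == "Deny"
                and "*" in _as_list(principal)
                and {"s3:*", "*"} & set(_as_list(stmt.get("Action", [])))
                and _matches_only_plain_http(stmt)):
            covered.update(_as_list(stmt.get("Resource", [])))
    arn = f"arn:aws:s3:::{bucket}"
    return "*" in covered or {arn, f"{arn}/*"} <= covered

def _policy(effect, principal, resources, secure):
    """Build a constructed single-statement sample policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": principal, "Action": "s3:*",
        "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": secure}}}]}

# Constructed samples: a correct Deny, an Allow-only-over-TLS policy that leaves
# HTTP open to principals allowed elsewhere, and a Deny that misses bucket-level calls.
STRICT = _policy("Deny", "*", [ARN, f"{ARN}/*"], "false")
ALLOW_ONLY = _policy("Allow", {"AWS": "arn:aws:iam::111122223333:root"}, [ARN, f"{ARN}/*"], "true")
OBJECTS_ONLY = _policy("Deny", "*", [f"{ARN}/*"], "false")

if __name__ == "__main__":
    for name in ("STRICT", "ALLOW_ONLY", "OBJECTS_ONLY"):
        print(name, enforces_tls(globals()[name], BUCKET))
```

The checker is deliberately conservative: a policy it rejects may still be safe, but one it accepts denies plain-HTTP access to the whole bucket.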

Fix
08/12/2020

Update Workloads API Schema Implementation

A bug has been resolved with the Workloads API's Update Workload method's schema implementation.

The Update Workload schema has been adjusted to remove the CatalogueVersionId as a mandatory property. It also adds CatalogueId and Parameters to the schema documentation to reflect the implementation.

  • Changed: CatalogueVersionId is now optional
  • Added: CatalogueId is now defined in the schema
  • Added: Parameters are now defined in the schema

added
08/10/2020

Stax Foundation Compliance Rule Bundle

Stax has released the Stax Foundation Compliance Rule Bundle which assesses the compliance of your AWS accounts against enterprise-grade security controls. The Rule Bundle is a collection of AWS Well-Architected, CIS AWS Foundations Benchmark and Stax best-practice security controls, which will help you to track the safety and security of your accounts.

Head to the Stax Foundation Compliance Rule Bundle on the Rules page within the Stax Console to check it out.

changed
08/07/2020

Improvements to Attaching and Detaching Stax Policies to Account Types

Stax has made it easier to attach and detach Stax Policies to/from your Stax Account Types using the Stax API.

Changed Error Code when validating Account Type or Policy

If you attempt to attach a Policy to an Account Type and the Account Type or Policy does not already exist, the API will return a 404 (Not Found) response, instead of a generic 400 (Bad Request) response.

Added validation for attaching and detaching policies

When you attach or detach a Policy to/from an Account Type, the Stax API will now verify whether the Policy is already attached or detached. An error will be returned if this occurs.

Added validation for Stax Policies limits

Only four Stax Policies can be attached to any specific Account Type. If you attempt to attach Policies that would exceed this limit, the API will now validate that and reject the request.