Changelog

removed
3 months ago

"Lambdas have a unique role" check has been deprecated

As per the announcement last week, the "Lambdas must have unique roles" check has been deprecated and removed from the rules catalog.

This rule is only part of the Stax rule catalog, and is not used as part of any compliance or best practice rule bundles.

added
4 months ago

Advanced Configuration for Stax-managed GuardDuty

As announced on 12 May 2023, Stax now provides advanced configuration options for Amazon GuardDuty protection plans and settings. 

See Using Stax-managed GuardDuty for details on using Stax-managed GuardDuty.


deprecated
4 months ago

"Lambdas have a unique role" rule deprecation

The rule “Lambdas have a unique role” will be deprecated in a rules update in 7 days. This rule has been a part of the Stax compliance module for many years, and after careful consideration, we have decided that it no longer serves its intended purpose.

This rule was originally intended to ensure that AWS Lambdas — cloud computing functions — had a unique role within the environment. As cloud computing and serverless functions have evolved, we have determined that this rule does not provide additional security and is no longer necessary.

This rule is only part of the Stax rule catalog, and is not used as part of any compliance or best practice rule bundles.

added
4 months ago

ACSC Essential Eight Rule Bundle available in private preview

The Australian Cyber Security Centre (ACSC)'s Essential Eight Rule Bundle is now available in private preview. This Bundle is designed to help organizations protect against cyber security threats. Read more here.

Fix
4 months ago

Organization-level CloudTrail configuration now supported by Rules for object-level logging for S3 buckets

As announced on 09 May 2023, a change has been released for the listed Rules that check if object-level logging is enabled for S3 buckets. 

These Rules will now detect when S3 data event logging is enabled on CloudTrail trails configured in member accounts as well as when configured on Organization-level CloudTrail trails.

Bundle Name | Rule Name
Organization Bundle/catalog | Ensure that Object-level logging for write events is enabled for S3 bucket
Organization Bundle/catalog | Ensure that Object-level logging for read events is enabled for S3 bucket
CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket

By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.


added
4 months ago

Export View Budget Data to CSV

When setting budgets that leverage your Views, you can now sort the budget table by segment name and download the budget data to CSV. Find out more here.

notice
4 months ago

Stax-managed GuardDuty Notice

As part of Stax Assurance, Amazon GuardDuty is configured for Stax-managed AWS Organizations. In an upcoming release of Stax, advanced configuration of GuardDuty will be possible via the Stax Console and API.

There are several considerations for organizations with GuardDuty configuration in place beyond what Stax configures as part of Stax Assurance. Read Configure Amazon GuardDuty within Stax for more information. Contact your Customer Success Manager if you have any questions regarding this upcoming release.

changed
4 months ago

Changes to Default User Notifications

Default subscription preferences have changed for new users invited to Stax. After joining Stax, new users will now only be subscribed to the Weekly Summary, Wastage Report and New Rule Releases notification types. Users can then manage their notifications and make changes to their preferences.


Fix
4 months ago

Changes to Rule - Ensure that public access is not given to RDS Instance

As announced on 3 May 2023, a fix has been released to remediate an issue impacting several Rules that verify if RDS instances are publicly accessible. 

Before the change, the Rules incorrectly marked RDS databases as public if the RDS instances were in a VPC subnet with a default route (CIDR block of 0.0.0.0/0). This check was invalid because the default route must also be configured with an internet gateway as the target for an instance to be publicly accessible.

The Rule will now pass if the RDS instance subnet does not allow public egress via a default route (CIDR block of 0.0.0.0/0) with an internet gateway as the target. This change may have impacted the compliance score of the listed rules. 

Bundle | Rule Name
CIS Benchmark Version 1.5.0 | CIS 2.3.3 - Ensure that public access is not given to RDS Instances
Organization Rules/Rule Catalog | RDS instances in a subnet should not have internet access
APRA Version 1.0 | RDS instances should not exist in public subnets (this rule has been renamed to: RDS instances in a subnet should not have internet access)
RDS Best Practice Version 1.0 | RDS instances in a subnet should not have internet access
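
The difference between the check before and after this fix, as an added example that is not Stax's own rule code. The route tables are constructed sample data in the shape of EC2 DescribeRouteTables output; the function names, IDs and the IPv4-only scope are assumptions for illustration.

```python
# Constructed sample data in the shape of EC2 DescribeRouteTables output.
ROUTE_TABLES = [
    {"VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-nat"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"VpcId": "vpc-1", "Associations": [{"SubnetId": "subnet-igw"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]

def effective_route_table(subnet_id, vpc_id, route_tables):
    """Explicitly associated table if any, otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_default_route(route):
    # Behaviour described for the rule before the fix: any 0.0.0.0/0 route counts.
    return route.get("DestinationCidrBlock") == "0.0.0.0/0"

def is_default_route_via_igw(route):
    # Behaviour after the fix: the default route must target an internet gateway.
    return is_default_route(route) and (route.get("GatewayId") or "").startswith("igw-")

def rule_passes(subnet_ids, vpc_id, route_tables, flags_subnet):
    """Pass only if no DB subnet has a route matching the flags_subnet predicate."""
    for subnet_id in subnet_ids:
        rt = effective_route_table(subnet_id, vpc_id, route_tables)
        if rt and any(flags_subnet(r) for r in rt["Routes"]):
            return False
    return True

def compare(subnet_ids):
    """Return (result before the fix, result after the fix) for one DB subnet group."""
    before = rule_passes(subnet_ids, "vpc-1", ROUTE_TABLES, is_default_route)
    after = rule_passes(subnet_ids, "vpc-1", ROUTE_TABLES, is_default_route_via_igw)
    return before, after
```

A subnet whose default route points at a NAT gateway fails the old predicate and passes the new one, which is the compliance score change the entry describes.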

 

Fix
notice
4 months ago

Changes to Rules for object-level logging for S3 buckets

On 15 May 2023, a change will be released for the listed Rules that check if object-level logging is enabled for S3 buckets. 

Currently, S3 buckets in Stax-managed member accounts will fail the check even when the required CloudTrail S3 data event logging is enabled, because Stax follows AWS best practices and configures CloudTrail at the Organization-level, not within every individual member account.

After the change, these Rules will detect when S3 data event logging is enabled on CloudTrail trails configured in member accounts as well as when configured on Organization-level CloudTrail trails.

Bundle Name | Rule Name
Organization Bundle/catalog | Ensure that Object-level logging for write events is enabled for S3 bucket
Organization Bundle/catalog | Ensure that Object-level logging for read events is enabled for S3 bucket
CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket

By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.
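
One way to evaluate the object-level logging checks across both member-account and Organization-level trails, as an added example that is not Stax's own rule code. The trail records are constructed (DescribeTrails fields merged with basic event selectors), and the names, prefix-matching behaviour and omission of advanced event selectors and trail logging status are assumptions.

```python
# Constructed trail records: DescribeTrails fields merged with that trail's
# basic event selectors. Advanced event selectors are not modelled here.
MEMBER_TRAILS = [
    {"Name": "app-trail", "IsOrganizationTrail": False, "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "DataResources": [
            {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-data/"]}]}]},
]
ORG_TRAILS = [
    {"Name": "org-trail", "IsOrganizationTrail": True, "EventSelectors": [
        {"ReadWriteType": "All", "DataResources": [
            {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
]

def covered_event_types(bucket, trail):
    """Return the subset of {'read', 'write'} this trail logs for every object in bucket."""
    target = f"arn:aws:s3:::{bucket}/"
    covered = set()
    for sel in trail.get("EventSelectors", []):
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            # Assumption: a value covers the whole bucket only when it is a
            # prefix of the bucket ARN; a narrower object prefix is partial.
            if any(v and target.startswith(v) for v in res.get("Values", [])):
                rw = sel.get("ReadWriteType", "All")
                if rw in ("All", "ReadOnly"):
                    covered.add("read")
                if rw in ("All", "WriteOnly"):
                    covered.add("write")
    return covered

def check_bucket(bucket, member_trails, org_trails=()):
    """Evaluate the write (CIS 3.10) and read (CIS 3.11) checks for one bucket."""
    covered = set()
    for trail in list(member_trails) + list(org_trails):
        covered |= covered_event_types(bucket, trail)
    return {"write": "write" in covered, "read": "read" in covered}
```

Calling `check_bucket` without `org_trails` reproduces the earlier behaviour, where a bucket covered only by the Organization-level trail fails both checks.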