The NIST Cybersecurity Framework Rule Bundle is now available to all organizations. This Bundle is designed to help customers fortify their AWS environment against cyber threats and strengthen their security posture.

The new bundle currently includes 86 controls and over 16 new rules, with more to be added during the preview phase.

Add the Bundle to your Stax console to get started. Once added, Stax will perform an initial evaluation and populate the Rules page with new results. You can filter the page to show only results from the NIST Cybersecurity Framework bundle if preferred. Alternatively, to add any of the new rules to your Organization Rule Bundle, head to the Rules Catalog page.

As part of our ongoing maintenance and improvement of rules and rule bundles, we are updating rules related to AWS CloudTrail log metric filters. This change will offer a shift towards organization-level CloudTrail configurations, enabling enhanced security and manageability for your resources.

Please be aware that the existing rules will be deprecated in the following bundles:

• AWS FTR version 1.0.0
• CIS Benchmark from version 1.1.0 to 1.5.0
• Organization Rules
• S3 Best Practice version 1.0 and version 1.1
• Stax Foundation Compliance version 1.0

The deprecated rules are as follows:

• Ensure a log metric filter and alarm exist for AWS Config configuration changes, 
• Ensure a log metric filter and alarm exist for AWS Management Console authentication failures, 
• Ensure a log metric filter and alarm exist for Management Console sign-in without MFA, 
• Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL), 
• Ensure a log metric filter and alarm exist for changes to network gateways,
• Ensure a log metric filter and alarm exist for CloudTrail configuration changes,
• Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs, 
• Ensure a log metric filter and alarm exist for IAM policy changes, 
• Ensure a log metric filter and alarm exist for route table changes, 
• Ensure a log metric filter and alarm exist for S3 bucket policy changes, 
• Ensure a log metric filter and alarm exist for security group changes, 
• Ensure a log metric filter and alarm exist for unauthorized API calls, 
• Ensure a log metric filter and alarm exist for usage of root user credentials, 
• Ensure a log metric filter and alarm exist for VPC changes

The newly introduced rules will take their place with the following rule names respectively:

• CloudTrail should have a log metric filter for AWS Config changes,
• CloudTrail should have a log metric filter for Console authentication failures,
• CloudTrail should have a log metric filter for Console sign-in without MFA,
• CloudTrail should have a log metric filter for NACL changes,
• CloudTrail should have a log metric filter for Network Gateway changes,
• CloudTrail should have a log metric filter for CloudTrail configuration changes,
• CloudTrail should have a log metric filter for scheduled deletion of customer-created CMKs,
• CloudTrail should have a log metric filter for IAM policy changes,
• CloudTrail should have a log metric filter for route table changes,
• CloudTrail should have a log metric filter for s3 bucket policy changes,
• CloudTrail should have a log metric filter for security group changes,
• CloudTrail should have a log metric filter for unauthorized API calls,
• CloudTrail should have a log metric filter for root user credentials,
• CloudTrail should have a log metric filter for VPC changes

Please note that the check history for the deprecated rules will not be kept.

If you have any questions about this change and what it means for you, please contact support.

OUs can now be managed from within Stax and SCPs can now be attached to OUs and individual accounts. For more information, see the documentation. 

As part of the upcoming release to Manage AWS Organizational Units and Service Control Policies in Stax the following changes will be made to the Policies API Policy method's schema implementation. For a detailed outline of these changes, see the release plan here.

• Removed: Attachableto is no longer defined in the schema
• Removed: Mandatory is no longer defined in the schema
• Removed: Public is no longer defined in the schema
• Renamed: Policy is now defined as Content in the schema
• Changed: Status values are now; ACTIVE, CREATE_FAILED, CREATE_IN_PROGRESS, DELETED, DELETE_FAILED, DELETE_IN_PROGRESS, UPDATE_IN_PROGRESS. Previous values; ACTIVE, DELETED, FAILED
• Added: AwsId is now defined in the schema
• Added: ExternalResource is now defined in the schema
• Added: OrganisationAttachment is now defined in the schema
• Added: PolicyOwner is now defined in the schema
• Added: PolicyType is now defined in the schema
• Added: Tags is now defined in the schema
• Added: UserTaskId is now defined in the schema

The API documentation for the new Policies schema can be found here, with the release of this feature the Policyv2 schema will be renamed to replace Policy.

If you have questions or concerns regarding the changes, please reach out by raising a support case.

The 0.1.0 release of the Stax Terraform provider marks the completion of support for the initial set of Stax resources.

Guidance for common tasks using the Terraform provider is available on the Terraform Registry:

1. Getting Started with Permission Sets

For more information and to get started, see About the Stax Terraform Provider.

The latest v0.0.7 release of the Stax Terraform provider (Developer preview) now supports managing Users and Group Membership using Terraform. Customers can create Users, associate them with a group and then use this group with a permission set to grant access to AWS accounts, all from Terraform.

For more information and to get started, see About the Stax Terraform Provider.

A new Rule "S3 block public bucket account setting should be enabled" has been introduced to the S3 Best Practice Version 1.1 and PCI DSS Rule Bundles.

The rule checks whether the block public access setting is enabled at the account level.

To add this rule to your Organization Rule Bundle, head to the Rules Catalog page.