To improve the performance of Stax Workloads deployment and update operations, concurrency capacity for these operations has been increased by 200%.
Organizations utilizing Workloads should now find that bulk Workloads operations complete more quickly.
Version 1.5.0 of stax2aws has been released. See how to upgrade stax2aws.
Changes:
As announced on 17 January 2024, Stax has implemented a change in Stax-managed AWS Config to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region only.
This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions.
Importantly, this change will not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that recording of global resources is only required in one region. For more details, refer to the CIS AWS Benchmark.
Impact of change
- Customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.
- Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:
On 23 January 2024, Stax will implement a change to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region.
This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions. Additionally, this change may help customers in reducing their AWS Config costs.
Importantly, this change does not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that including global resources related to IAM resources is required in only one region. For more details, refer to the CIS AWS Benchmark.
Impact of change
- After the change, customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.
- Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:
- AWS Config Rules and Global Resource Types
- Security Hub controls that you might want to disable
A number of Rule names have been updated to improve usability and standardize rule names across all Rule Bundles. To find out more, visit the Stax Compliance module guide.
As part of our ongoing maintenance and improvement of rules and rule bundles, we are updating rules related to AWS CloudTrail log metric filters. This change will offer a shift towards organization-level CloudTrail configurations, enabling enhanced security and manageability for your resources.
Please be aware that the existing rules will be deprecated in the following bundles:
The deprecated rules are as follows:
The newly introduced rules will take their place with the following rule names respectively:
Please note that the check history for the deprecated rules will not be kept.
If you have any questions about this change and what it means for you, please contact support.
Stax has released a new version of the Cost & Compliance module's service and billing roles, version 33. The following permissions have been added to the roles:
If your AWS accounts are Stax-managed, then you don't need to take any action. Stax will automatically update this role in the coming days.
If you're subscribed only to the Stax Cost & Compliance module, you will need to apply the update yourself.
For any questions about this change, or if you need assistance deploying the updated role, please raise a support case.
Stax has released a new version of the Cost & Compliance module's service and billing roles, version 32. The following permissions have been added to the roles:
- backup:GetBackupSelection
- backup:ListBackupPlans
- backup:ListBackupSelections
If your AWS accounts are Stax-managed, then you don't need to take any action. Stax will automatically update this role in the coming days.
If you're subscribed only to the Stax Cost & Compliance module, you will need to apply the update yourself.
For any questions about this change, or if you need assistance deploying the updated role, please raise a support case.
Default subscription preferences have changed for new users invited to Stax. After joining Stax, new users will now only be subscribed to the Weekly Summary, Wastage Report and New Rule Releases notification types. Users can then manage their notifications and make changes to their preferences.
As announced on 19th April 2023, the GET /20190206/groups/{group_id} route now returns a 404 HTTP status code if the group_id provided has the status of DELETED or does not exist.
Previously, the archived record would be returned for a deleted group and "Groups": [] would be returned if the group did not exist.