Version 1.5.2 of stax2aws has been released. See the Stax documentation for instructions on how to upgrade stax2aws.

Changes:

• updated dependencies and security patches
• internal tooling improvements

To improve the performance of Stax Workloads deployment and update operations, concurrency capacity for these operations has been increased by 200%. 

Organizations utilizing Workloads should now find that bulk Workloads operations complete more quickly.

As announced on 17 January 2024, Stax has implemented a change in Stax-managed AWS Config to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region only.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions. 

Importantly, this change will not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that recording of global resources is only required in one region. For more details, refer to the CIS AWS Benchmark.

Impact of change

- Customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.

- Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:

- AWS Config Rules and Global Resource Types

- Security Hub controls that you might want to disable

On 23 January 2024, Stax will implement a change to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions. Additionally, this change may help customers in reducing their AWS Config costs.

Importantly, this change does not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that including global resources related to IAM resources is required in only one region. For more details, refer to the CIS AWS Benchmark.

Impact of change
- After the change, customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.
- Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:
- AWS Config Rules and Global Resource Types
- Security Hub controls that you might want to disable

A number of Rule names have been updated to improve usability and standardize rule names across all Rule Bundles. To find out more, visit the Stax Compliance module guide.

As part of our ongoing maintenance and improvement of rules and rule bundles, we are updating rules related to AWS CloudTrail log metric filters. This change will offer a shift towards organization-level CloudTrail configurations, enabling enhanced security and manageability for your resources.

Please be aware that the existing rules will be deprecated in the following bundles:

• AWS FTR version 1.0.0
• CIS Benchmark from version 1.1.0 to 1.5.0
• Organization Rules
• S3 Best Practice version 1.0 and version 1.1
• Stax Foundation Compliance version 1.0

The deprecated rules are as follows:

• Ensure a log metric filter and alarm exist for AWS Config configuration changes, 
• Ensure a log metric filter and alarm exist for AWS Management Console authentication failures, 
• Ensure a log metric filter and alarm exist for Management Console sign-in without MFA, 
• Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL), 
• Ensure a log metric filter and alarm exist for changes to network gateways,
• Ensure a log metric filter and alarm exist for CloudTrail configuration changes,
• Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs, 
• Ensure a log metric filter and alarm exist for IAM policy changes, 
• Ensure a log metric filter and alarm exist for route table changes, 
• Ensure a log metric filter and alarm exist for S3 bucket policy changes, 
• Ensure a log metric filter and alarm exist for security group changes, 
• Ensure a log metric filter and alarm exist for unauthorized API calls, 
• Ensure a log metric filter and alarm exist for usage of root user credentials, 
• Ensure a log metric filter and alarm exist for VPC changes

The newly introduced rules will take their place with the following rule names respectively:

• CloudTrail should have a log metric filter for AWS Config changes,
• CloudTrail should have a log metric filter for Console authentication failures,
• CloudTrail should have a log metric filter for Console sign-in without MFA,
• CloudTrail should have a log metric filter for NACL changes,
• CloudTrail should have a log metric filter for Network Gateway changes,
• CloudTrail should have a log metric filter for CloudTrail configuration changes,
• CloudTrail should have a log metric filter for scheduled deletion of customer-created CMKs,
• CloudTrail should have a log metric filter for IAM policy changes,
• CloudTrail should have a log metric filter for route table changes,
• CloudTrail should have a log metric filter for s3 bucket policy changes,
• CloudTrail should have a log metric filter for security group changes,
• CloudTrail should have a log metric filter for unauthorized API calls,
• CloudTrail should have a log metric filter for root user credentials,
• CloudTrail should have a log metric filter for VPC changes

Please note that the check history for the deprecated rules will not be kept.

If you have any questions about this change and what it means for you, please contact support.

Default subscription preferences have changed for new users invited to Stax. After joining Stax, new users will now only be subscribed to the Weekly Summary, Wastage Report and New Rule Releases notification types. Users can then manage their notifications and make changes to their preferences.