As part of our ongoing maintenance and improvement of rules and rule bundles, we are updating rules related to AWS CloudTrail log metric filters. This change will offer a shift towards organization-level CloudTrail configurations, enabling enhanced security and manageability for your resources.

Please be aware that the existing rules will be deprecated in the following bundles:

• AWS FTR version 1.0.0
• CIS Benchmark from version 1.1.0 to 1.5.0
• Organization Rules
• S3 Best Practice version 1.0 and version 1.1
• Stax Foundation Compliance version 1.0

The deprecated rules are as follows:

• Ensure a log metric filter and alarm exist for AWS Config configuration changes, 
• Ensure a log metric filter and alarm exist for AWS Management Console authentication failures, 
• Ensure a log metric filter and alarm exist for Management Console sign-in without MFA, 
• Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL), 
• Ensure a log metric filter and alarm exist for changes to network gateways,
• Ensure a log metric filter and alarm exist for CloudTrail configuration changes,
• Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs, 
• Ensure a log metric filter and alarm exist for IAM policy changes, 
• Ensure a log metric filter and alarm exist for route table changes, 
• Ensure a log metric filter and alarm exist for S3 bucket policy changes, 
• Ensure a log metric filter and alarm exist for security group changes, 
• Ensure a log metric filter and alarm exist for unauthorized API calls, 
• Ensure a log metric filter and alarm exist for usage of root user credentials, 
• Ensure a log metric filter and alarm exist for VPC changes

The newly introduced rules will take their place with the following rule names respectively:

• CloudTrail should have a log metric filter for AWS Config changes,
• CloudTrail should have a log metric filter for Console authentication failures,
• CloudTrail should have a log metric filter for Console sign-in without MFA,
• CloudTrail should have a log metric filter for NACL changes,
• CloudTrail should have a log metric filter for Network Gateway changes,
• CloudTrail should have a log metric filter for CloudTrail configuration changes,
• CloudTrail should have a log metric filter for scheduled deletion of customer-created CMKs,
• CloudTrail should have a log metric filter for IAM policy changes,
• CloudTrail should have a log metric filter for route table changes,
• CloudTrail should have a log metric filter for s3 bucket policy changes,
• CloudTrail should have a log metric filter for security group changes,
• CloudTrail should have a log metric filter for unauthorized API calls,
• CloudTrail should have a log metric filter for root user credentials,
• CloudTrail should have a log metric filter for VPC changes

Please note that the check history for the deprecated rules will not be kept.

If you have any questions about this change and what it means for you, please contact support.

Default subscription preferences have changed for new users invited to Stax. After joining Stax, new users will now only be subscribed to the Weekly Summary, Wastage Report and New Rule Releases notification types. Users can then manage their notifications and make changes to their preferences.

As announced on 19th April 2023, the GET /20190206/groups/{group_id} route now returns a 404 HTTP status code if the group_id provided has the status of DELETED or does not exist.

Previously, the archived record would be returned for a deleted group and "Groups": [] would be returned if the group did not exist.

As announced on 6th April 2023, the following changes were made to the GET /20190206/users API route:

1. This route no longer returns API tokens. The GET /20190206/api-tokens route should be used instead
2. This route no longer returns DELETED users by default. The previous behavior was to return all users regardless of their status. To get a list of deleted users, you will need to explicitly request it with the status_filter query string, e.g. /users?status_filter=DELETED
3. The GET /20190206/users/{user_id} route now returns a 404 HTTP status code if the user_id provided has the status of DELETED. Previously, this would return the archived record

The Rule S3 enforces object encryption has been renamed to Ensure all S3 buckets employ server-side encryption-at-rest, in the S3 Best Practices and Organization bundles. This change helps to align the rule name across different bundles making it easier for customers to search for this rule across bundles. 

It's important to note that the name of the rule has not been changed in the CIS Benchmark bundle to align with the standard's specification.

Changes have been applied to Stax-managed AWS Organizational Units in accordance with Release 1 from the published release plan. This was initially announced on 4 April 2023. 

Stax manages AWS Organizations in alignment with established best practices. As a result, Stax-managed AWS Organizations will be uplifted to adhere to the organizational structure recommended in the AWS Security Reference Architecture and the Organizing Your AWS Environment Using Multiple Accounts whitepaper. In addition to this, new functionality will be introduced to allow tenancies to better utilize Organizational Units (OUs) and service control policies (SCPs).

These changes will be released over the next 8 weeks. For a detailed outline of these changes, see the release plan here.

The Stax console now features a redesigned navigation interface. This new interface is designed to bring the most used features of Stax to the front, so you're able to access them easily. 

For a detailed breakdown of the changes, see the docs.