Changelog

changed, deprecated, notice
a month ago

Introducing Updated Compliance Rules for AWS CloudTrail Log Metric Filters

As part of our ongoing maintenance and improvement of rules and rule bundles, we are updating the rules related to AWS CloudTrail log metric filters. This change shifts the rules towards organization-level CloudTrail configurations, enabling enhanced security and manageability for your resources.

Please be aware that the existing rules will be deprecated in the following bundles:

  • AWS FTR version 1.0.0
  • CIS Benchmark from version 1.1.0 to 1.5.0
  • Organization Rules
  • S3 Best Practice version 1.0 and version 1.1
  • Stax Foundation Compliance version 1.0

The deprecated rules are as follows:

  • Ensure a log metric filter and alarm exist for AWS Config configuration changes
  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
  • Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
  • Ensure a log metric filter and alarm exist for changes to network gateways
  • Ensure a log metric filter and alarm exist for CloudTrail configuration changes
  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs
  • Ensure a log metric filter and alarm exist for IAM policy changes
  • Ensure a log metric filter and alarm exist for route table changes
  • Ensure a log metric filter and alarm exist for S3 bucket policy changes
  • Ensure a log metric filter and alarm exist for security group changes
  • Ensure a log metric filter and alarm exist for unauthorized API calls
  • Ensure a log metric filter and alarm exist for usage of root user credentials
  • Ensure a log metric filter and alarm exist for VPC changes

The newly introduced rules will take their place with the following rule names respectively:

  • CloudTrail should have a log metric filter for AWS Config changes
  • CloudTrail should have a log metric filter for Console authentication failures
  • CloudTrail should have a log metric filter for Console sign-in without MFA
  • CloudTrail should have a log metric filter for NACL changes
  • CloudTrail should have a log metric filter for Network Gateway changes
  • CloudTrail should have a log metric filter for CloudTrail configuration changes
  • CloudTrail should have a log metric filter for scheduled deletion of customer-created CMKs
  • CloudTrail should have a log metric filter for IAM policy changes
  • CloudTrail should have a log metric filter for route table changes
  • CloudTrail should have a log metric filter for s3 bucket policy changes
  • CloudTrail should have a log metric filter for security group changes
  • CloudTrail should have a log metric filter for unauthorized API calls
  • CloudTrail should have a log metric filter for root user credentials
  • CloudTrail should have a log metric filter for VPC changes

Please note that the check history for the deprecated rules will not be kept.

If you have any questions about this change and what it means for you, please contact support.

changed
2 months ago

Revised Cost & Compliance Role Permissions

Stax has released a new version of the Cost & Compliance module's service and billing roles, version 33. The following permissions have been added to the roles:

  • backup:Describe*
  • backup:Get*
  • backup:List*
  • cloudtrail:List*
  • waf-regional:Get*
  • waf-regional:List*

If your AWS accounts are Stax-managed, then you don't need to take any action. Stax will automatically update this role in the coming days.

If you're subscribed only to the Stax Cost & Compliance module, you will need to apply the update yourself.

For any questions about this change, or if you need assistance deploying the updated role, please raise a support case.

changed
2 months ago

Revised Cost & Compliance Role Permissions

Stax has released a new version of the Cost & Compliance module's service and billing roles, version 32. The following permissions have been added to the roles:

  • backup:GetBackupSelection
  • backup:ListBackupPlans
  • backup:ListBackupSelections

If your AWS accounts are Stax-managed, then you don't need to take any action. Stax will automatically update this role in the coming days.

If you're subscribed only to the Stax Cost & Compliance module, you will need to apply the update yourself.

For any questions about this change, or if you need assistance deploying the updated role, please raise a support case.
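
For accounts where the role is updated by hand, the check below compares a deployed policy document against the actions listed for versions 32 and 33 above. It is an added example, not Stax's own tooling; the two policy documents are constructed samples and the helper names are hypothetical.

```python
import fnmatch

# Actions this changelog lists as added in role versions 32 and 33.
V32_ADDED = ["backup:GetBackupSelection", "backup:ListBackupPlans",
             "backup:ListBackupSelections"]
V33_ADDED = ["backup:Describe*", "backup:Get*", "backup:List*",
             "cloudtrail:List*", "waf-regional:Get*", "waf-regional:List*"]

def allowed_patterns(policy):
    """Collect Action patterns from the Allow statements of a policy document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue                      # Deny and NotAction are not evaluated here
        action = stmt["Action"]
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns

def covers(granted, wanted):
    """Conservative test that `granted` matches everything `wanted` matches.

    IAM action matching is case-insensitive. `wanted` is treated as a literal
    string, so a '*' in it is only accepted where `granted` has a wildcard.
    """
    return fnmatch.fnmatchcase(wanted.lower(), granted.lower())

def missing_actions(policy, required):
    """Return the required actions that no Allow statement in the policy covers."""
    granted = allowed_patterns(policy)
    return [r for r in required if not any(covers(g, r) for g in granted)]

# Constructed policy documents for illustration (not the real Stax role).
ROLE_V32 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": V32_ADDED, "Resource": "*"}]}
ROLE_V33 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": V33_ADDED, "Resource": "*"}]}

if __name__ == "__main__":
    print("v32 role lacks:", missing_actions(ROLE_V32, V33_ADDED))
    print("v33 role lacks:", missing_actions(ROLE_V33, V32_ADDED + V33_ADDED))
```

The second result is empty because the version 33 wildcards `backup:Get*` and `backup:List*` already cover the three specific actions added in version 32. Resource and Condition elements are ignored by this check.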

changed
4 months ago

Changes to Default User Notifications

Default subscription preferences have changed for new users invited to Stax. After joining Stax, new users will now only be subscribed to the Weekly Summary, Wastage Report and New Rule Releases notification types. Users can then manage their notifications and make changes to their preferences.


changed
4 months ago

Changes to GET /20190206/groups API

As announced on 19th April 2023, the GET /20190206/groups/{group_id} route now returns a 404 HTTP status code if the group_id provided has the status of DELETED or does not exist.

Previously, the archived record would be returned for a deleted group and "Groups": [] would be returned if the group did not exist.

changed
4 months ago

Changes to GET /20190206/users API

As announced on 6th April 2023, the following changes were made to the GET /20190206/users API route:

  1. This route no longer returns API tokens. The GET /20190206/api-tokens route should be used instead
  2. This route no longer returns DELETED users by default. The previous behavior was to return all users regardless of their status. To get a list of deleted users, you will need to explicitly request it with the status_filter query string, e.g. /users?status_filter=DELETED
  3. The GET /20190206/users/{user_id} route now returns a 404 HTTP status code if the user_id provided has the status of DELETED. Previously, this would return the archived record
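
Client code written against the old behaviour of the groups and users routes can treat an archived record as live, or stop seeing deleted users in an access review. The sketch below is an added example, not Stax SDK code; it handles both contracts and assumes the field names `Status`, `Id` and `Users`, which this page does not specify.

```python
from urllib.parse import urlencode

API_VERSION = "20190206"

def users_path(status_filter=None):
    """Path for GET /20190206/users; DELETED users must now be requested explicitly."""
    path = f"/{API_VERSION}/users"
    if status_filter:
        path += "?" + urlencode({"status_filter": status_filter})
    return path

def live_record(http_status, body, list_key):
    """Return the single live record from a lookup by id, or None.

    Works for both contracts described above. list_key is "Groups" for the
    groups route; "Users" for the users route is an assumption.
    """
    if http_status == 404:
        return None                       # new: deleted or unknown id
    if http_status != 200:
        raise RuntimeError(f"unexpected HTTP status {http_status}")
    records = (body or {}).get(list_key) or []
    if not records:
        return None                       # old: unknown id returned an empty list
    record = records[0]
    if record.get("Status") == "DELETED":  # "Status" field name is assumed
        return None                       # old: archived record was returned
    return record

def active_users(body):
    """Drop DELETED users so a listing reads the same under either behaviour."""
    return [u for u in (body or {}).get("Users", [])
            if u.get("Status") != "DELETED"]

if __name__ == "__main__":
    # Constructed responses, not captured from the real API.
    print(users_path("DELETED"))
    print(live_record(404, None, "Groups"))
    print(live_record(200, {"Groups": [{"Id": "g-1", "Status": "ACTIVE"}]}, "Groups"))
```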

changed
4 months ago

Update to Rule - S3 enforces object encryption

The rule "S3 enforces object encryption" has been renamed to "Ensure all S3 buckets employ server-side encryption-at-rest" in the S3 Best Practices and Organization bundles. This change aligns the rule name across different bundles, making it easier for customers to search for this rule across bundles.

Note that in the CIS Benchmark bundle the name of the rule has not been changed, so that it stays aligned with the standard's specification.

changed
5 months ago

Changes to Stax-managed AWS Organizational Units

Changes have been applied to Stax-managed AWS Organizational Units in accordance with Release 1 from the published release plan. This was initially announced on 4 April 2023. 

changed
5 months ago

AWS Organizational uplift and native OU management within Stax

Stax manages AWS Organizations in alignment with established best practices. As a result, Stax-managed AWS Organizations will be uplifted to adhere to the organizational structure recommended in the AWS Security Reference Architecture and the Organizing Your AWS Environment Using Multiple Accounts whitepaper. In addition to this, new functionality will be introduced to allow tenancies to better utilize Organizational Units (OUs) and service control policies (SCPs).

These changes will be released over the next 8 weeks. For a detailed outline of these changes, see the release plan here.

changed
6 months ago

Stax Console Navigation Upgrade

The Stax console now features a redesigned navigation interface. This new interface is designed to bring the most used features of Stax to the front, so you're able to access them easily. 

For a detailed breakdown of the changes, see the docs.