Stax-managed AWS Organizations can now use the AWS Organizations declarative policies feature to centrally declare and enforce desired configuration for a given AWS service at scale across an organization. See the documentation for more details on how Stax assists with this here.
AWS recently announced central management for root user credentials for AWS Organizations. This new security best practice greatly improves security for accounts within AWS Organizations by supporting removal of their root user credentials.
On Monday, 2 December 2024, Stax will enable this functionality for all AWS Organizations utilizing Stax.
For existing accounts within Stax-managed AWS Organizations, you may choose to remove the root user credential yourself by following AWS's guidance. For new AWS accounts created using the Stax Accounts feature, root user credentials will no longer be provisioned.
See Centralized root access for member accounts for more information.
A new Operations role has been added to Stax to grant a level of access to Stax resources suitable for highly privileged users requiring a level of access in excess of User, but without the full functionality of the Admin. This role is accessible for both users and API tokens via the Stax console, API, and SDK.
For more information on the roles available within Stax, see About Identity and Access. To make use of this role when utilising single sign-on, you'll need to update your configuration to support it. Review the single sign-on configuration guidance for your identity provider here.
Using the Stax Console, API, or SDK, you can now update the alternate contact details for Stax-managed AWS accounts. Contact details will be set for all active accounts, and for any AWS accounts you create using Stax in the future. See Update AWS Account Contact Details for more information and to get started.
Stax now configures AI opt-out policies for organizations under management that do not already have a policy in place on the root OU. See AWS AI services opt-out policies to learn more.
You can now enable the Center for Internet Security (CIS) AWS Foundations Benchmark version 3.0 in AWS Security Hub using Stax with the Stax-managed Security Hub using the Stax Console, API, and SDK.
For more information, see Using Stax-managed Security Hub in the docs.
Tagging of Service Control Policies in Stax is now supported in the Stax Console, Stax API, and SDK. Visit Using Service Control Policies in Stax to find out more.
Stax local user accounts' multi-factor authentication (MFA) status is now available on the Users page in the Stax Console. This update simplifies the process of identifying local Stax users with MFA enabled.
To explore this feature, visit the Users page in the Stax Console or refer to our Stax API and SDK documentation.
Please note, this status check is not refreshed immediately and can take up to four hours for the updated information to appear.
The NIST Special Publication 800-53 Revision 5 standard can now be enabled in Stax-managed Security Hub using the Stax Console, Stax API, and SDK.
For more information and to get started, see Using Stax-managed Security Hub.
Stax has enhanced the CloudWatch Log metric filters and alarms configured in Stax-managed AWS Management accounts. This update helps customers aiming to align with the latest CIS AWS Benchmark by including new CloudWatch Log metric filters and alarms for the following CIS AWS Benchmark v1.5.0 controls:
Existing CIS Benchmark v1.2.0 CloudWatch Log metric filters and alarms configured by Stax remain unchanged.