Using the Stax Console, API, or SDK, you can now update the AWS Account name of Stax-managed AWS accounts. A new field will display the AWS Account name for a Stax-managed AWS account when viewing, onboarding or updating a Stax-managed account.

When a new Stax-managed AWS account is provisioned, Stax will name this AWS Account the same as the provided Stax name. When a new Stax-managed AWS account is onboarded through discovery the additional AWS Account name field allows you to rename the AWS Account at the same time as it becomes Stax-managed.

See Edit a Stax-Managed AWS Account for more information and to get started.

Stax-managed AWS Organizations can now disable regions via the Stax console, providing protections against access to regions that are not used by your Stax-managed AWS Organization.

As part of this feature, all Stax-managed AWS Organizations will also see the following changes to their Service Control Policies:

• stax-protection-unsupported-region/stax-protection-unsupported-resell will be removed from the AWS Organization root
• FullAWSAccess will be removed from the AWS Organization root
• StaxFullAWSAccess will be created and attached to the AWS Organization root. This policy is a combination of the two aforementioned policies, allowing more service control policies to be attached to the Organization root.

For more information, refer to the documentation on Using Stax-managed AWS Regions.

Stax announced in October 2024 that the Cost and Compliance modules would be shut down on 31 March 2025.

These components of Stax have now been shut down and are no longer accessible. Please see the announcement for more information.

You can now enable the AWS Resource Tagging Standard v1.0.0 and PCI DSS v4.0.1 standards in AWS Security Hub using Stax with the Stax-managed Security Hub using the Stax Console, API, and SDK.

For more information, see Using Stax-managed Security Hub in the docs.

Further configuration options have been added to the AWS Accounts configurable service page to allow you to fine-tune security protections for all Stax-managed AWS Accounts.

For more information, refer to the documentation on Configure AWS Accounts.

Following from our previous announcement, Stax-managed AWS Organizations can now use Configurable Guardrails to improve their security posture for all accounts across an organization using fine-tuned protections.

For more information, refer to the documentation on Configurable Guardrails.

On 24 February 2025, Stax will be releasing Configurable Guardrails as part of its Foundations services. This feature will allow you to further improve and refine your Stax-managed AWS Organization's security posture in an easy-to-use interface. The release is not expected to cause any operational impact, however Service Control Policies created as part of Stax Assurance will be updated as follows:

• stax-protection-standard/stax-protection-partner will be detached from your AWS Organization root, to be replaced with the policies described below.
• stax-protection-aws-baseline-1 will be created and attached to your AWS Organization root.
  • This policy will contain AWS best practice protections set up by the Configurable Guardrails service. You can enable additional protections according to your organization's needs via the Configurable Guardrails foundation service.
  • By default, the policy will provide the same protections to your organization as before.
• stax-protection-stax-resources will be created and attached to your AWS Organization root. This policy will contain protections on critical resources to ensure Stax's functionality.

See Configurable Guardrails for more information.

To support the use of IAM Access Analyzer policy generation, changes are being introduced to the way Stax configures certain policies in AWS, as summarised below. These changes are not expected to cause any operational impact, however some security tools may make a note of their alteration.

On 6 February 2025 at 2200 UTC (Friday, 7 February 9:00 AM AEDT), these changes will commence rolling out across Stax-managed AWS Organizations. The rollout is expected to complete within 3 hours, complete by 7 February 2025 at 0100 UTC.

• The Stax-managed CloudTrail S3 bucket now disables ACLs to align with AWS's S3 recommendedations and bucket defaults
• An additional statement is added to the CloudTrail S3 Bucket Policy to allow read access to the CloudTrail bucket for the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
• An additional statement is added to the CloudTrail KMS Key Policy to allow decryption by the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
• A new role named /service-role/AccessAnalyzerMonitorServiceRole_stax is added to each Stax-managed AWS Account for use by IAM Access Analyzer Policy generation

For more information about the Stax configuration, see Using IAM Access Analyzer Policy Generation with Stax.

Please raise a support case or contact your Customer Success Manager if you have any questions.

Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. As part of our ongoing evergreen initiative, the existing roles used by Stax Assurance and its associated components will be refined to improve security and consistency.

To support this activity, changes will be made to the Stax-managed Service Control Policies for Global Protection in Stax-managed AWS Organizations, and new IAM roles will be created under the /stax path in Stax-managed accounts.

These actions will take place throughout February 2025. There is no expected interruption to service as a result of these changes.

On Thursday 30 January 2025, Stax’s changelog will cease supporting two notification channels you may be making use of: Email subscriptions and Slack notifications.

To continue receiving notifications when Stax releases new changelog entries, consider signing up to the new Changelog RSS/Atom feeds:

RSS: https://support.stax.io/changelog/rss.xml

Atom: https://support.stax.io/changelog/atom.xml

For existing consumers of the RSS and Atom feeds, a redirect will be implemented but you may wish to update to the new URLs now.