Skip to main content

Stax now supports updating AWS account names

Stax
Stax
Stax Team

Using the Stax Console, API, or SDK, you can now update the AWS Account name of Stax-managed AWS accounts. A new field will display the AWS Account name for a Stax-managed AWS account when viewing, onboarding or updating a Stax-managed account.

When a new Stax-managed AWS account is provisioned, Stax will name this AWS Account the same as the provided Stax name. When a new Stax-managed AWS account is onboarded through discovery the additional AWS Account name field allows you to rename the AWS Account at the same time as it becomes Stax-managed.

See Edit a Stax-Managed AWS Account for more information and to get started.

Stax now supports AWS region disablement

Stax
Stax
Stax Team

Stax-managed AWS Organizations can now disable regions via the Stax console, providing protections against access to regions that are not used by your Stax-managed AWS Organization.

As part of this feature, all Stax-managed AWS Organizations will also see the following changes to their Service Control Policies:

  • stax-protection-unsupported-region/stax-protection-unsupported-resell will be removed from the AWS Organization root
  • FullAWSAccess will be removed from the AWS Organization root
  • StaxFullAWSAccess will be created and attached to the AWS Organization root. This policy is a combination of the two aforementioned policies, allowing more service control policies to be attached to the Organization root.

For more information, refer to the documentation on Using Stax-managed AWS Regions.

Cost and Compliance Removed

Stax
Stax
Stax Team

Stax announced in October 2024 that the Cost and Compliance modules would be shut down on 31 March 2025.

These components of Stax have now been shut down and are no longer accessible. Please see the announcement for more information.

Configurable Guardrails Notice

Stax
Stax
Stax Team

On 24 February 2025, Stax will be releasing Configurable Guardrails as part of its Foundations services. This feature will allow you to further improve and refine your Stax-managed AWS Organization's security posture in an easy-to-use interface. The release is not expected to cause any operational impact, however Service Control Policies created as part of Stax Assurance will be updated as follows:

  • stax-protection-standard/stax-protection-partner will be detached from your AWS Organization root, to be replaced with the policies described below.
  • stax-protection-aws-baseline-1 will be created and attached to your AWS Organization root.
    • This policy will contain AWS best practice protections set up by the Configurable Guardrails service. You can enable additional protections according to your organization's needs via the Configurable Guardrails foundation service.
    • By default, the policy will provide the same protections to your organization as before.
  • stax-protection-stax-resources will be created and attached to your AWS Organization root. This policy will contain protections on critical resources to ensure Stax's functionality.

See Configurable Guardrails for more information.

Changes to S3, KMS, and IAM Policies to facilitate IAM Access Analyzer policy generation

Stax
Stax
Stax Team

To support the use of IAM Access Analyzer policy generation, changes are being introduced to the way Stax configures certain policies in AWS, as summarised below. These changes are not expected to cause any operational impact, however some security tools may make a note of their alteration.

On 6 February 2025 at 2200 UTC (Friday, 7 February 9:00 AM AEDT), these changes will commence rolling out across Stax-managed AWS Organizations. The rollout is expected to complete within 3 hours, complete by 7 February 2025 at 0100 UTC.

  • The Stax-managed CloudTrail S3 bucket now disables ACLs to align with AWS's S3 recommendedations and bucket defaults
  • An additional statement is added to the CloudTrail S3 Bucket Policy to allow read access to the CloudTrail bucket for the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
  • An additional statement is added to the CloudTrail KMS Key Policy to allow decryption by the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
  • A new role named /service-role/AccessAnalyzerMonitorServiceRole_stax is added to each Stax-managed AWS Account for use by IAM Access Analyzer Policy generation

For more information about the Stax configuration, see Using IAM Access Analyzer Policy Generation with Stax.

Please raise a support case or contact your Customer Success Manager if you have any questions.

Stax Managed IAM Role Improvements

Stax
Stax
Stax Team

Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. As part of our ongoing evergreen initiative, the existing roles used by Stax Assurance and its associated components will be refined to improve security and consistency.

To support this activity, changes will be made to the Stax-managed Service Control Policies for Global Protection in Stax-managed AWS Organizations, and new IAM roles will be created under the /stax path in Stax-managed accounts.

These actions will take place throughout February 2025. There is no expected interruption to service as a result of these changes.

Changes to Stax's changelog notifications

Stax
Stax
Stax Team

On Thursday 30 January 2025, Stax’s changelog will cease supporting two notification channels you may be making use of: Email subscriptions and Slack notifications.

To continue receiving notifications when Stax releases new changelog entries, consider signing up to the new Changelog RSS/Atom feeds:

RSS: https://support.stax.io/changelog/rss.xml

Atom: https://support.stax.io/changelog/atom.xml

For existing consumers of the RSS and Atom feeds, a redirect will be implemented but you may wish to update to the new URLs now.