
Changes to CIS AWS Foundations Benchmark versions

Stax Team

On Tuesday 7th October 2025, Stax will be removing legacy resources in your Stax-managed AWS Accounts that exist to meet earlier versions of the CIS AWS Foundations Benchmark.

New resources will be deployed that make use of AWS Organization features to centralize these recommendations to the Management and Security AWS Accounts.

These changes aim to reduce the time taken to perform Stax Assurance and the number of Stax-managed resources in your AWS Accounts. This will in turn decrease the cost of your AWS Accounts.

A new SNS Topic named stax-cis-benchmark will be created in the Security account. All CIS recommendations will forward their alarm state to this SNS Topic.

If you are currently subscribed to the existing decentralized stax-assurance-cis-benchmark-EventIngestTopic SNS Topics in each AWS account, you must create a new subscription to the new topic.

You can read more about how Stax and the CIS AWS Foundations Benchmark work together.

If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.

Stax-managed AWS Accounts can now opt-in to require IMDSv2


Configuration options have been added to the AWS Accounts Foundation Services page to allow you to fine-tune security protections for all Stax-managed AWS Accounts.

A new toggle to require Instance Metadata Service Version 2 (IMDSv2) has been added. IMDSv2 compliance is included in the CIS AWS Foundations Benchmark.

Before enabling this protection, please ensure that your AWS environment is compatible with IMDSv2.

This can be further enforced by applying the two Guardrails:

  • Block changes to the EC2 Instance Metadata Service Defaults
  • Block optional as a value for IDMS for EC2 Instance Run and Modify

For more information, refer to the documentation on Configure AWS Accounts.
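One way to check compatibility before turning the toggle on is to list the instances whose metadata service still accepts IMDSv1 requests. This is an added example, not Stax code: it parses JSON in the shape returned by `aws ec2 describe-instances`, and the sample data and the function name `instances_accepting_imdsv1` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0example0000000a1", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example0000000b2", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0000000c3", "State": {"Name": "stopped"},
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]})


def instances_accepting_imdsv1(describe_json):
    """Return instances whose metadata endpoint is on and still accepts IMDSv1."""
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions") or {}
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service at all, nothing to migrate
            if opts.get("HttpTokens") != "required":
                findings.append({
                    "instance": inst["InstanceId"],
                    "state": inst.get("State", {}).get("Name"),
                    # A hop limit of 1 stops the IMDSv2 token response from
                    # reaching software one network hop away (e.g. containers).
                    "hop_limit": opts.get("HttpPutResponseHopLimit"),
                })
    return findings


if __name__ == "__main__":
    for finding in instances_accepting_imdsv1(SAMPLE):
        print(finding)
```

Each instance returned is one whose software should be confirmed to use session tokens before IMDSv2 is required.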

Changes to Automatically Disable Unused IAM Credentials maximum age


Stax currently configures your AWS Accounts to automatically disable unused IAM credentials after 90 days to comply with a previous version of the CIS AWS Foundations Benchmark.

To meet newer versions of the CIS AWS Foundations Benchmark and other frameworks, Stax will be lowering the current 90 days to 45 days. You can read more about this at IAM Control and the docs.

This change will be automatically deployed to all AWS Accounts on the 17th September 2025.

If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.
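To see which credentials the lower threshold would newly catch, the IAM credential report can be filtered for active credentials idle for at least 45 but fewer than 90 days. This is an added example, not Stax code: the page does not describe how Stax measures "unused", so it assumes age is counted from last use, falling back to the last change or rotation date for credentials that were never used, and the sample report rows are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using a subset of the IAM credential report columns.
REPORT = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,2025-09-10T00:00:00+00:00,2025-01-05T00:00:00+00:00,false,N/A,N/A
bob,true,2025-07-20T00:00:00+00:00,2025-01-05T00:00:00+00:00,true,2025-02-01T00:00:00+00:00,2025-09-01T00:00:00+00:00
ci-bot,false,N/A,N/A,true,2025-08-01T00:00:00+00:00,N/A
"""


def _age_days(last_used, fallback, now):
    """Days since last use; fall back to change/rotation date if never used."""
    for value in (last_used, fallback):
        try:
            return (now - datetime.fromisoformat(value)).days
        except ValueError:  # "N/A", "no_information", "not_supported"
            continue
    return None


def newly_affected(report_csv, now, old_limit=90, new_limit=45):
    """Active credentials idle for at least new_limit but under old_limit days."""
    hits = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        creds = [("password", row["password_enabled"],
                  row["password_last_used"], row["password_last_changed"])]
        for key in ("access_key_1", "access_key_2"):
            if f"{key}_active" in row:
                creds.append((key, row[f"{key}_active"],
                              row[f"{key}_last_used_date"], row[f"{key}_last_rotated"]))
        for name, active, used, fallback in creds:
            if active != "true":
                continue
            age = _age_days(used, fallback, now)
            # Assumption: the boundary is inclusive at new_limit days.
            if age is not None and new_limit <= age < old_limit:
                hits.append((row["user"], name, age))
    return hits


if __name__ == "__main__":
    cutover = datetime(2025, 9, 17, tzinfo=timezone.utc)
    for user, cred, age in newly_affected(REPORT, cutover):
        print(f"{user}: {cred} idle {age} days")
```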

Stax New Managed IAM Roles


Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. To improve security and consistency, the existing roles used by Stax Assurance and its associated components will be replaced with new roles with fine-grained permissions.

These new roles will be prefixed with the IAM Path /stax/automation/ and have been added to the list of Stax Management Roles.

As a precaution both the existing and new roles will co-exist for a transition period, after which the existing roles will be removed from AWS Accounts. There is no expected interruption to service as a result of these changes.

This change will occur commencing 2025-08-05 and is expected to be completed by the end of the week on 2025-08-15.

Stax-managed AWS Accounts can now opt-in to advanced hardening options to block SSM Document public sharing


Further configuration options have been added to the AWS Accounts configurable service page to allow you to fine-tune security protections for all Stax-managed AWS Accounts.

A new toggle to block SSM Document public sharing has been added.

This can be further enforced by applying the Guardrail Block changes to AWS Systems Manager public sharing settings.

For more information, refer to the documentation on Configure AWS Accounts.

Activity Feed Improvements


The Activity Feed on the Stax Organization page has been enhanced to include additional context and information, including Tasks activity. The feed now also supports filtering and pagination, and is accessible via the API.

Visit Activity Feed in the docs to learn more.

Stax now supports updating AWS account names


Using the Stax Console, API, or SDK, you can now update the AWS Account name of Stax-managed AWS accounts. A new field will display the AWS Account name for a Stax-managed AWS account when viewing, onboarding or updating a Stax-managed account.

When a new Stax-managed AWS account is provisioned, Stax will name this AWS Account the same as the provided Stax name. When a new Stax-managed AWS account is onboarded through discovery the additional AWS Account name field allows you to rename the AWS Account at the same time as it becomes Stax-managed.

See Edit a Stax-Managed AWS Account for more information and to get started.

Stax now supports AWS region disablement


Stax-managed AWS Organizations can now disable regions via the Stax console, providing protections against access to regions that are not used by your Stax-managed AWS Organization.

As part of this feature, all Stax-managed AWS Organizations will also see the following changes to their Service Control Policies:

  • stax-protection-unsupported-region/stax-protection-unsupported-resell will be removed from the AWS Organization root
  • FullAWSAccess will be removed from the AWS Organization root
  • StaxFullAWSAccess will be created and attached to the AWS Organization root. This policy is a combination of the two aforementioned policies, allowing more service control policies to be attached to the Organization root.

For more information, refer to the documentation on Using Stax-managed AWS Regions.

Cost and Compliance Removed


Stax announced in October 2024 that the Cost and Compliance modules would be shut down on 31 March 2025.

These components of Stax have now been shut down and are no longer accessible. Please see the announcement for more information.