
Configurable Guardrails Notice

Stax Team

On 24 February 2025, Stax will be releasing Configurable Guardrails as part of its Foundations services. This feature will allow you to further improve and refine your Stax-managed AWS Organization's security posture in an easy-to-use interface. The release is not expected to cause any operational impact; however, Service Control Policies created as part of Stax Assurance will be updated as follows:

  • stax-protection-standard/stax-protection-partner will be detached from your AWS Organization root, to be replaced with the policies described below.
  • stax-protection-aws-baseline-1 will be created and attached to your AWS Organization root.
    • This policy will contain AWS best practice protections set up by the Configurable Guardrails service. You can enable additional protections according to your organization's needs via the Configurable Guardrails foundation service.
    • By default, the policy will provide the same protections to your organization as before.
  • stax-protection-stax-resources will be created and attached to your AWS Organization root. This policy will contain protections on critical resources to ensure Stax's functionality.

See Configurable Guardrails for more information.

Changes to S3, KMS, and IAM Policies to facilitate IAM Access Analyzer policy generation


To support the use of IAM Access Analyzer policy generation, changes are being introduced to the way Stax configures certain policies in AWS, as summarised below. These changes are not expected to cause any operational impact; however, some security tools may make a note of their alteration.

On 6 February 2025 at 2200 UTC (Friday, 7 February 9:00 AM AEDT), these changes will commence rolling out across Stax-managed AWS Organizations. The rollout is expected to complete within 3 hours, by 7 February 2025 at 0100 UTC.

  • The Stax-managed CloudTrail S3 bucket now disables ACLs to align with AWS's S3 recommendations and bucket defaults
  • An additional statement is added to the CloudTrail S3 Bucket Policy to allow read access to the CloudTrail bucket for the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
  • An additional statement is added to the CloudTrail KMS Key Policy to allow decryption by the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
  • A new role named /service-role/AccessAnalyzerMonitorServiceRole_stax is added to each Stax-managed AWS Account for use by IAM Access Analyzer Policy generation
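For teams whose tooling flags these policy alterations, the following added example (not Stax's own code) triages the statements added to a bucket or key policy: statements scoped to the role pattern above with read or decrypt actions are marked expected, and anything else is marked for review. The ARN shape, the allowed-action sets, and the sample policies are assumptions constructed for illustration.

```python
import json
import re

# Role path pattern quoted in the notice; the surrounding ARN shape is an assumption.
ROLE_RE = re.compile(
    r"arn:aws:iam::[^:/]*:role/service-role/AccessAnalyzerMonitorServiceRole[^/]*")
# Assumed reading of "read access" (bucket) and "decryption" (key).
ALLOWED = {"s3": re.compile(r"s3:(Get|List)\w*\*?"), "kms": re.compile(r"kms:Decrypt")}
POSITIVE_OPS = {"arnlike", "arnequals", "stringlike", "stringequals"}

def as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def effective_principals(stmt):
    """ARNs a statement is scoped to; an aws:PrincipalArn condition narrows Principal."""
    scoped = [arn for op, cond in stmt.get("Condition", {}).items()
              if op.lower() in POSITIVE_OPS
              for key, val in cond.items() if key.lower() == "aws:principalarn"
              for arn in as_list(val)]
    principal = stmt.get("Principal", "*")
    direct = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
    return scoped or direct

def triage(old_policy, new_policy, kind):
    """Map each statement added in new_policy to 'expected' or 'review'."""
    before = {json.dumps(s, sort_keys=True) for s in as_list(old_policy.get("Statement"))}
    verdicts = {}
    for i, stmt in enumerate(as_list(new_policy.get("Statement"))):
        if json.dumps(stmt, sort_keys=True) in before:
            continue
        principals, actions = effective_principals(stmt), as_list(stmt.get("Action"))
        ok = (stmt.get("Effect") == "Allow"
              and principals and all(ROLE_RE.fullmatch(p) for p in principals)
              and actions and all(ALLOWED[kind].fullmatch(a) for a in actions))
        verdicts[stmt.get("Sid", f"statement[{i}]")] = "expected" if ok else "review"
    return verdicts

# Constructed sample bucket policies (not Stax's actual documents).
BUCKET = "arn:aws:s3:::example-trail-bucket"
OLD = {"Statement": [{"Sid": "TrailWrite", "Effect": "Allow", "Action": "s3:PutObject",
                      "Principal": {"Service": "cloudtrail.amazonaws.com"},
                      "Resource": BUCKET + "/*"}]}
NEW = {"Statement": OLD["Statement"] + [
    {"Sid": "AnalyzerRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": BUCKET + "/*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::111122223333"
                   ":role/service-role/AccessAnalyzerMonitorServiceRole*"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
print(triage(OLD, NEW, "s3"))
```

Pass `"kms"` as the third argument when comparing two versions of the CloudTrail KMS key policy.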

For more information about the Stax configuration, see Using IAM Access Analyzer Policy Generation with Stax.

Please raise a support case or contact your Customer Success Manager if you have any questions.

Stax Managed IAM Role Improvements


Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. As part of our ongoing evergreen initiative, the existing roles used by Stax Assurance and its associated components will be refined to improve security and consistency.

To support this activity, changes will be made to the Stax-managed Service Control Policies for Global Protection in Stax-managed AWS Organizations, and new IAM roles will be created under the /stax path in Stax-managed accounts.

These actions will take place throughout February 2025. There is no expected interruption to service as a result of these changes.

Changes to Stax's changelog notifications


On Thursday 30 January 2025, Stax’s changelog will cease supporting two notification channels you may be making use of: Email subscriptions and Slack notifications.

To continue receiving notifications when Stax releases new changelog entries, consider signing up to the new Changelog RSS/Atom feeds:

RSS: https://support.stax.io/changelog/rss.xml

Atom: https://support.stax.io/changelog/atom.xml

For existing consumers of the RSS and Atom feeds, a redirect will be implemented, but you may wish to update to the new URLs now.

Stax-managed AWS Organizations support for declarative policies


Stax-managed AWS Organizations can now use the AWS Organizations declarative policies feature to centrally declare and enforce desired configuration for a given AWS service at scale across an organization. See the documentation for more details on how Stax assists with this.

Support for centralized management of root user credentials


AWS recently announced central management for root user credentials for AWS Organizations. This new security best practice greatly improves security for accounts within AWS Organizations by supporting removal of their root user credentials.

On Monday, 2 December 2024, Stax will enable this functionality for all AWS Organizations utilizing Stax.

For existing accounts within Stax-managed AWS Organizations, you may choose to remove the root user credential yourself by following AWS's guidance. For new AWS accounts created using the Stax Accounts feature, root user credentials will no longer be provisioned.

See Centralized root access for member accounts for more information.

Operations role for elevated console access added


A new Operations role has been added to Stax to grant a level of access to Stax resources suitable for highly privileged users requiring a level of access in excess of User, but without the full functionality of the Admin. This role is accessible for both users and API tokens via the Stax console, API, and SDK.

For more information on the roles available within Stax, see About Identity and Access. To make use of this role when utilising single sign-on, you'll need to update your configuration to support it. Review the single sign-on configuration guidance for your identity provider.

Retirement of Cost and Compliance modules


The Cost and Compliance modules of Stax are being shut down at the end of March 2025. This means that Stax will no longer ingest or process cost and compliance information from your AWS Organization(s), and the Cost, Wastage, Compliance, and Notifications headings will be removed from the Stax console.

Please see the announcement for more details, including specific timelines and recommended alternatives.

The other components of Stax (Accounts, Networks, Workloads, and Identity features) are not impacted by this change.