A fix has been released to Rule CIS 1.12 - Ensure access keys are rotated every 90/45 days or less to remediate an issue resulting in access keys being incorrectly evaluated as failing. This issue only affected the evaluation of credentials for IAM user with multiple access keys.
If you have any questions, please raise a support case.
The Accounts page in the Stax console now allows you to search for all accounts across your Stax tenancy. In addition to this change, performance improvements have been made to decrease page load time on the Accounts page. See the documentation on how to view accounts in the console.
SCIM is now supported for organizations using Azure AD. See the step-by-step instructions on how to configure your Azure AD instance to sync users and groups into Stax.
As announced in October, from today, only 3 years of cost and usage data will be available in the Cost module. Read More.
An update has been released for Rule *CIS 5.1 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports.*This rule will now flag a Network ACL (NACL) as failing when any of the following conditions are met:
There is a NACL rule allowing TCP traffic on SSH (port 22) to all hosts (0.0.0.0/0)
There is a NACL rule allowing TCP traffic on RDP (port 3389) to all hosts (0.0.0.0/0)
There is a NACL rule allowing all traffic on all ports to all hosts (Note: This will often be the case as this is also the default settings.)
Before the update, this rule evaluated that a NACL rule allowed TCP traffic on both an SSH and RDS port to all hosts. This change will impact customers with CIS Benchmark version 1.3.0 or 1.4.0 Rule Bundle enabled. Customers should expect a change in the compliance score of this rule.
As part of the improvements to the creation and scheduling of tasks with the Tasks API, a new OperationStatusof CREATEDhas been added to the API. Read more.
Stax has released an update to the CIS Benchmark version 1.4.0 bundle to align with a change introduced to rule 1.12 in the CIS 1.4 Amazon Web Services Foundation Benchmark specification.
The following rule has been removed from the CIS Benchmark version 1.4.0 Rule Bundle:
CIS 1.12 - Ensure access keys are rotated every 90 days or less
The following rule has been added to the CIS Benchmark version 1.4.0 Rule Bundle:
CIS 1.12 - Ensure credentials unused for 45 days or greater are disabled
To avoid any loss of historical compliance data, Stax has automatically added the removed rule to your Organization Rules Bundle for customers that had CIS1.4 enabled. If you do not wish to keep the rule, you can remove it from your Organization Rules Bundle by following the process to Disable a Rule.
Stax has resolved an issue so that the Real-Time Rule Alerts feature ignores disabled Rules. Previously only individual resources which had been ignored within a rule were excluded from Real-Time Rule Alerts.
The Rule CloudFront distributions support insecure SSL protocols has been updated to evaluate that Amazon CloudFront distributions are configured with TLSv1.2 as the minimum protocol version. CloudFront distributions configured with insecure or deprecated security policies, such as TLS1.1, will now fail this rule.
To add this rule to your Organization Rule Bundle, head to the Rules Catalog page.
AWS has notified of an upcoming change for Amazon EventBridge cross-account event bus targets.
EventBridge cross-account event bus targets deployed as part of Stax Events have an associated IAM Role with sufficient permissions to perform the action.
No action is required as part of this change. If you have any questions, please raise a support case.