CIS Benchmark version 1.4.0 Rule Bundle update for unused credentials

Stax Team

Stax has released an update to the CIS Benchmark version 1.4.0 bundle to align with a change introduced to rule 1.12 in the CIS 1.4 Amazon Web Services Foundation Benchmark specification.

The following rule has been removed from the CIS Benchmark version 1.4.0 Rule Bundle:

  • CIS 1.12 - Ensure access keys are rotated every 90 days or less

The following rule has been added to the CIS Benchmark version 1.4.0 Rule Bundle:

  • CIS 1.12 - Ensure credentials unused for 45 days or greater are disabled

To avoid any loss of historical compliance data, Stax has automatically added the removed rule to the Organization Rules Bundle of customers that had CIS 1.4 enabled. If you do not wish to keep the rule, you can remove it from your Organization Rules Bundle by following the process to Disable a Rule.

Update to Rule - CloudFront distributions support insecure SSL protocols

The Rule CloudFront distributions support insecure SSL protocols has been updated to check that Amazon CloudFront distributions are configured with TLSv1.2 as the minimum protocol version. CloudFront distributions configured with insecure or deprecated security policies, such as TLS1.1, will now fail this rule.

To add this rule to your Organization Rule Bundle, head to the Rules Catalog page.

Identity Service Database Update

An update has been applied to the Stax Identity Service to improve its performance and reliability.

This update upgrades the Stax Identity Service Database's underlying software. This modernises and standardises the infrastructure in use across all of Stax's customers.

These changes have been applied automatically by Stax during the advertised maintenance window. There is no impact to service expected as a result of this upgrade. Should you experience any issues, please raise a support case.

To ensure you receive notice of upcoming changes to Stax, make sure you're subscribed to the status page.

Stax Foundation Compliance Rule Bundle now includes AWS Security Hub

As part of the release of Stax-managed Security Hub, a new rule, "Security Hub should be enabled for all regions in an account", has been added to the Stax Foundation Compliance Rule Bundle to help you follow recommended best practices.

This compliance score is displayed on the Accounts page. If you've noticed a drop in this score, this may indicate that AWS Security Hub is not configured in that account.

To easily remediate this, configure Stax-managed Security Hub to enable the service across all accounts and supported regions.

SQS queues have a Dead Letter Queue fix

The Rules "SQS queues have a dead letter queue" and "SQS queues should have a dead-letter queue (DLQ)" have been updated to ignore queues with a *Redrive Access Policy*. This change means that DLQs that have been configured with a Redrive Access Policy will be ignored and will no longer be evaluated as part of this rule.

To add this rule to your Organization Rule Bundle, head to the Rules Catalog page.