
CIS Benchmark version Rule Bundle update for unused credentials

Stax
Stax
Stax Team

A fix has been released for Rule *CIS 1.12 - Ensure access keys are rotated every 90/45 days or less* to remediate an issue that caused access keys to be incorrectly evaluated as failing. This issue only affected the evaluation of credentials for IAM users with multiple access keys.

If you have any questions, please raise a support case.

Improved search on the Accounts page


The Accounts page in the Stax console now allows you to search for all accounts across your Stax tenancy. In addition to this change, performance improvements have been made to decrease page load time on the Accounts page. See the documentation on how to view accounts in the console.

CIS Benchmark Rule update for Network ACL ingress allowed from all hosts


An update has been released for Rule *CIS 5.1 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports.* This rule will now flag a Network ACL (NACL) as failing when any of the following conditions are met:

  • There is a NACL rule allowing TCP traffic on SSH (port 22) to all hosts (0.0.0.0/0)

  • There is a NACL rule allowing TCP traffic on RDP (port 3389) to all hosts (0.0.0.0/0)

  • There is a NACL rule allowing all traffic on all ports to all hosts (Note: This will often be the case, as this is also the default setting.)

Before the update, this rule checked whether a NACL rule allowed TCP traffic on both the SSH and RDP ports to all hosts. This change will impact customers with the CIS Benchmark version 1.3.0 or 1.4.0 Rule Bundle enabled. Customers should expect a change in the compliance score of this rule.
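The three conditions listed above can be checked against the `Entries` of a NACL in the shape returned by the EC2 DescribeNetworkAcls API. The following is an added example, not Stax's rule implementation; the function name, the sample NACLs and the treatment of port ranges are assumptions.

```python
# Added example, not Stax's rule code. Entry fields follow the shape of
# EC2 DescribeNetworkAcls output (Egress, RuleAction, Protocol, CidrBlock, PortRange).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_HOST = "0.0.0.0/0"


def failing_reasons(nacl):
    """Return one reason per NACL entry/port that meets a failing condition."""
    reasons = []
    for entry in nacl.get("Entries", []):
        # Only ingress "allow" entries open to all hosts are relevant.
        if entry.get("Egress") or entry.get("RuleAction") != "allow":
            continue
        if entry.get("CidrBlock") != ANY_HOST:
            continue
        proto, num = str(entry.get("Protocol")), entry.get("RuleNumber")
        if proto == "-1":
            # Protocol -1 is all traffic on all ports (the default NACL entry).
            reasons.append(f"rule {num}: all traffic from {ANY_HOST}")
        elif proto == "6":
            # Assumptions: a TCP range that includes the port counts as allowing
            # it, and a TCP entry with no PortRange is treated as all ports.
            rng = entry.get("PortRange") or {"From": 0, "To": 65535}
            for port, name in ADMIN_PORTS.items():
                if rng["From"] <= port <= rng["To"]:
                    reasons.append(f"rule {num}: TCP {name} ({port}) from {ANY_HOST}")
    return reasons


def entry(num, action, proto, cidr, ports=None, egress=False):
    """Build a constructed NACL entry for the samples below."""
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action,
         "Protocol": proto, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# Constructed sample NACLs (not from a real account).
DEFAULT_NACL = {"Entries": [entry(100, "allow", "-1", ANY_HOST),
                            entry(32767, "deny", "-1", ANY_HOST)]}
SSH_ONLY_NACL = {"Entries": [entry(110, "allow", "6", ANY_HOST, (22, 22))]}
RESTRICTED_NACL = {"Entries": [entry(100, "allow", "6", "10.0.0.0/8", (22, 22)),
                               entry(110, "allow", "6", ANY_HOST, (443, 443)),
                               entry(100, "allow", "-1", ANY_HOST, egress=True)]}

if __name__ == "__main__":
    for name in ("DEFAULT_NACL", "SSH_ONLY_NACL", "RESTRICTED_NACL"):
        found = failing_reasons(globals()[name])
        print(name, "FAIL" if found else "PASS", found)
```

`SSH_ONLY_NACL` opens SSH but not RDP to all hosts, and it meets the first of the conditions on its own.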

CIS Benchmark version 1.4.0 Rule Bundle update for unused credentials


Stax has released an update to the CIS Benchmark version 1.4.0 bundle to align with a change introduced to rule 1.12 in the CIS 1.4 Amazon Web Services Foundation Benchmark specification.

The following rule has been removed from the CIS Benchmark version 1.4.0 Rule Bundle:

  • CIS 1.12 - Ensure access keys are rotated every 90 days or less

The following rule has been added to the CIS Benchmark version 1.4.0 Rule Bundle:

  • CIS 1.12 - Ensure credentials unused for 45 days or greater are disabled

To avoid any loss of historical compliance data, Stax has automatically added the removed rule to the Organization Rules Bundle of customers that had CIS 1.4 enabled. If you do not wish to keep the rule, you can remove it from your Organization Rules Bundle by following the process to Disable a Rule.

Update to Rule - CloudFront distributions support insecure SSL protocols


The Rule *CloudFront distributions support insecure SSL protocols* has been updated to check that Amazon CloudFront distributions are configured with TLSv1.2 as the minimum protocol version. CloudFront distributions configured with insecure or deprecated security policies, such as TLSv1.1, will now fail this rule.

To add this rule to your Organization Rule Bundle, head to the Rules Catalog page.