On 28 February 2023 at 0200 UTC (Tuesday, 28 February 1300 AEDT), Stax will update lifecycle configuration to expire non-current S3 object versions on the following S3 buckets in logging foundation account:

• stax-config-<org-uuid>
• stax-config-accesslogs-<org-uuid>

In each case above, the <org-uuid> placeholder is replaced by the UUID representing your Stax tenancy/AWS organization within Stax.

These S3 buckets are created and managed by Stax, and the usage of them is defined in the docs.

Stax has introduced support for the Center for Internet Security's Amazon Web Services Foundations Benchmark version 1.5.0. This introduces the following changes over the previous iteration, version 1.4.0:

Three new rules were added to the Benchmark:

• 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
• 2.3.3 Ensure that public access is not given to RDS Instance
• 2.4.1 Ensure that encryption is enabled for EFS file systems
• 4.16 Ensure AWS Security Hub is enabled
• 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports

One rule has been changed:

• 3.8 Ensure rotation for customer created symmetric CMKs is enabled

The Rule Bundle cannot validate all components of the Benchmark, so the following items must be evaluated manually:

• 1.1: Maintain current contact details
• 1.2: Ensure security contact information is registered
• 1.3: Ensure security questions are registered in the AWS account
• 1.18: Ensure IAM instance roles are used for AWS resource access from instances
• 1.21: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
• 2.1.4: Ensure all data in Amazon S3 has been discovered, classified and secured when required
• 5.4: Ensure routing tables for VPC peering are "least access"

To enable this new version of the Bundle, see Keep Bundles Up To Date. If you have automatic updates enabled on the CIS Benchmark Bundle, Stax will automatically update you to version 1.5.0.

Stax has released a change to the rule EC2 instances do not use termination protection in the EC2 Best Practice Rule Bundle.*** ***EC2 instances managed by an auto-scaling group will now be ignored by this rule as their creation and termination is managed automatically by this AWS service.

From today, organizations with this rule enabled, who are using EC2 Auto Scaling groups, can expect to see a decrease in the number of resources failing this rule and an increase in the overall compliance result of the rule.

On 27 February 2023, Stax will be making a change to the rule EC2 instances do not use termination protection in the EC2 Best Practice Rule Bundle which could impact the compliance score of this rule***. ***After this date, EC2 instances managed by an auto-scaling group will be ignored by this rule as their creation and termination is managed automatically by this AWS service.

Organizations with this rule enabled who are using EC2 Auto Scaling groups can expect to see a decrease in the number of resources failing this rule and an increase in the overall compliance result of the rule.

As announced on 18th of January, the Fetch Account Types API now excludes closed accounts from the response.

For more information, review the API documentation for your region: Stax API Documentation and Endpoints

As announced on 19 January 2023, Stax has introduced resource locking for all account operations. Instead of allowing multiple simultaneous operations on a single account and potentially causing conflict, Stax will return a 409 Conflictresponse. Read more

Stax is required to limit the length of active user sessions to meet security and compliance obligations. It was recently identified that some sessions exceeded the required timeout. These sessions have been invalidated, and improved timeouts introduced.

Affected users will be required to log in to Stax again, but no other functionality is impacted. Stax login URLs are different in different regions, and are available in the docs.

AWS launched the new ap-southeast-4 region on 23 January, 2023. Stax has prerequisites that must be met in order to fully support regions, including requiring that critical security services are made available, so only has limited support for this new region initially.

Please refer to the Supported Regions documentation to familiarize yourself with Stax's compatibility with all regions.

On 5 February 2023 at 0030 UTC (Sunday, 5 February 1130 AEDT), Stax will introduce resource locking for all account operations. Instead of allowing multiple simultaneous operations on a single account and potentially causing conflict, Stax will return a 409 Conflictresponse. Read more

Fetch Account Types API currently returns the account type details including any accounts (with any status) associated with the account type.

The API response will now exclude any closed accounts and will be live in stax-au1, stax-us1 and stax-eu1 on Wednesday 1st February at 0200 UTC (Tuesday 2nd February at 1300 AEST).

If you have any concerns about the change, please raise a support case.