Stax Tags on AWS Accounts

Stax
Stax
Stax Team

Account tags in Stax will now propagate to the AWS account in AWS Organizations.

Since inception, Stax has permitted assigning tags to Stax-managed accounts. Those tags will now be propagated to the underlying AWS account. Tags will be in the format of stax:user:<tag_key>.

In addition to any tags you create, Stax assigns other tags to Stax-managed AWS accounts, including:

  • stax:organisationid (The identifier for your Stax tenancy, in UUID format)

  • stax:accounttypeid (The identifier for the account's Account Type, in UUID format)

  • stax:accounttypename (The name of the account's Account Type)

  • stax:accountname (The name of the account)

It is important to note that changes made to account tags directly within AWS will not be reflected in Stax, so it is recommended that you make changes to account tags from within Stax using the console, API, or SDK.

IAM Account Alias

Stax will update its account bootstrap process from July 1, 2021. After this time, the AWS account alias will no longer be generated or modified.

For existing accounts that already have an alias, the alias will remain unchanged.

This does not prevent you from creating an account alias at a later stage.

Advanced Routing Released

Advanced Routing for Stax Networks allows for modification of Transit Gateway and VPC subnet route tables using prefix lists.

This new feature allows route table entries to be configured directly in either Networking Hubs or VPCs. These entries can direct traffic to other VPCs, VPNs, on-premises networks, or black holes.

To get started, see Advanced Routing in the docs. You'll need to have at least one Stax Networking Hub already in place.

Cost & Compliance S3 Rule Fixes

Stax has updated a series of rules detecting publicly open S3 buckets to improve the logic around checking for permissions.

Previously, these rules required an exact match on a policy action of either s3:GetObject or s3:PutObject, meaning policies that allowed s3:*, or that listed an array of actions, were not evaluated correctly for compliance purposes.

This potentially resulted in false negatives for the affected rules: a bucket with a directly attached policy that the previous logic did not recognise would not be reported as publicly open. This does not affect reporting for buckets where public access block was enabled, or where global grants were given.

The list of affected rules is as follows:

  • S3 allows action to any principal in Organization Rules

  • S3 Buckets should not be Publicly Open for Writes in Organization Rules

  • S3 Buckets should not be Publicly Open for Reads in Organization Rules

  • S3 Buckets should not be Publicly Open for Writes in S3 Best Practices, versions 1.0 and 1.1

  • S3 Buckets should not be Publicly Open for Reads in S3 Best Practices, versions 1.0 and 1.1

Below is an example policy that would previously incorrectly pass these rules, but now will fail appropriately:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowAccessToMyBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
          "s3:GetObject",
          "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::hello-world-this-is-a-bucket/*"
      }
    ]
  }

If you see previously existing buckets now showing as noncompliant, it is possible that they were previously missed because of this edge case. For any questions around this change, or if you need assistance understanding how the change applies to your buckets, please raise a support case.
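As an added illustration of the logic change (not Stax's own rule code), the check below evaluates a bucket policy for public read/write access, matching a string or array of actions with wildcards, and can also run in the old exact-match mode to show the false negative. The sample policies are constructed; the bucket name is taken from the example above.

```python
"""Simplified public-access check for S3 bucket policies (added illustration,
not Stax's rule code). A statement grants public read/write when Effect is
Allow, Principal is "*" (or {"AWS": "*"}) and its Action, string or list,
matches s3:GetObject / s3:PutObject, including via wildcards such as "s3:*".
Conditions, NotAction and NotPrincipal are ignored in this simplified model."""
import fnmatch
import json

PUBLIC_READ, PUBLIC_WRITE = "s3:GetObject", "s3:PutObject"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"


def public_actions(policy_json, match_wildcards=True):
    """Return the public read/write actions the policy grants; match_wildcards=False
    reproduces the old exact-string-match logic that missed "s3:*" and action arrays."""
    found = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        for target in (PUBLIC_READ, PUBLIC_WRITE):
            if match_wildcards:
                # IAM action names are case-insensitive; '*' and '?' are wildcards
                if any(fnmatch.fnmatchcase(target.lower(), a.lower()) for a in _as_list(actions)):
                    found.add(target)
            elif actions == target:  # old logic: Action had to be exactly this string
                found.add(target)
    return found


# Constructed samples: the array-of-actions policy from the announcement and a
# wildcard variant; both are public, yet both passed the old exact-match check.
ARRAY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::hello-world-this-is-a-bucket/*"}]})
WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
    "Resource": "arn:aws:s3:::hello-world-this-is-a-bucket/*"}]})
```

Running `public_actions(ARRAY_POLICY, match_wildcards=False)` returns an empty set, while the default mode reports both s3:GetObject and s3:PutObject as publicly granted.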

Monitor IAM User API Key Rotation for Deactivated Keys

Stax has introduced a new Rule for monitoring IAM User API key rotation, regardless of whether the keys are active or inactive.

This is particularly useful for situations where IAM User Keys may be deactivated either temporarily or permanently prior to deletion.

Add this Rule on the Rules page to get started.
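As an added illustration (not Stax's rule code), the check below flags access keys older than a rotation threshold and, unlike a check that only looks at Active keys, still reports keys that were deactivated but never rotated. The key records are constructed with placeholder ids.

```python
"""Access-key age check that counts deactivated keys too (added illustration,
not Stax's rule code). A key is non-compliant when older than max_age_days
whether its Status is Active or Inactive, so a key parked as Inactive before
deletion is still reported rather than silently dropped from the check."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like IAM's ListAccessKeys metadata; ids are placeholders.
SAMPLE_KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIA_EXAMPLE_1", "Status": "Active",
     "CreateDate": "2021-01-10T00:00:00Z"},
    {"UserName": "deploy", "AccessKeyId": "AKIA_EXAMPLE_2", "Status": "Inactive",
     "CreateDate": "2020-06-01T00:00:00Z"},
    {"UserName": "ci", "AccessKeyId": "AKIA_EXAMPLE_3", "Status": "Active",
     "CreateDate": "2021-06-20T00:00:00Z"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_keys(keys, now_iso, max_age_days=90, include_inactive=True):
    """Return the AccessKeyIds older than max_age_days at time now_iso.

    include_inactive=False mirrors a check that only examines Active keys and
    therefore never reports a deactivated key that was never rotated.
    """
    cutoff = _parse(now_iso) - timedelta(days=max_age_days)
    stale = []
    for key in keys:
        if not include_inactive and key["Status"] != "Active":
            continue
        if _parse(key["CreateDate"]) < cutoff:
            stale.append(key["AccessKeyId"])
    return stale
```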

Events Service Update

An update has been applied to Stax's Events service to resolve a bug where AWS-generated events were not delivered as expected.

The Events documentation indicates that AWS-generated events raised in Stax-managed AWS accounts are centralized into the default AWS EventBridge Event Bus in your security account. The actual behaviour exhibited was that events were only emitted to the EventBridge Event Bus for events in the security and logging accounts.

The fix for this bug may result in a material increase to the volume of events received. If you have a downstream system (such as a SIEM) configured, you should consider any volume constraints that may be encountered by this increase in volume.

This fix is being rolled out to affected Stax tenancies over the coming days.

If you have any questions about this change, please contact your Customer Success Manager or raise a support case.

Identity Service Updates

An update has been applied to the Stax Identity Service to improve performance and reliability.

The update implements security and stability updates to the underlying software. No functional changes have been introduced.

These changes have been applied automatically by Stax during the advertised maintenance window. There is no impact to service expected as a result of this upgrade. Should you experience any issues, please raise a support case.

Easier Filtering and Grouping of Data

Stax has introduced an improved interface to make it easier to filter and group data on the Data page.

The new left-hand panel allows you to explore possible filtering and grouping criteria. Power users can still use the filtering and grouping fields on the Data page to manually enter criteria.

Choose the criteria you want to filter by using the checkboxes, or choose Group to group on it. Click Search at the bottom of the panel to show the changes on the Data page.

Once the data is filtered as desired, you can show and hide columns using the new Show/Hide Columns button at the top left-hand side of the data table.

Customize Cost Spike Alerts

Stax Cost & Compliance now allows the following values to be set when creating Cost Spike Alerts:

  • Alert sensitivity

  • Minimum dollar increase

Cost Spike Alerts can help you keep an eye on those parts of your AWS account that are prone to exceeding their monthly budget, or have unpredictable costs that you need to stay on top of.

For guidance on configuring these alerts, check out the documentation.