On the 15th of April 2021, Codecov notified its users of a security event that had impacted its systems.

At Stax, we believe that security and transparency is of the upmost importance and as such are informing our customers of this event.

No customer action is required, and no customer data has been impacted as a result of this advisory.

Stax's exposure is limited to the use of a GitHub action on the Python SDK code repository. This event has no impact on the Stax platform.

We have responded by following the recommendations provided by Codecov. Artefacts produced by our CI/CD pipeline have been audited and no indicators of compromise were found.

Stax Networks has created an additional NACL entry for the Restricted Subnet. This allows return TCP traffic from the Networking Hub's Endpoint subnets.

By allowing this return traffic your resources within the Restricted Subnet will be able to utilize the Networking Hub's Interface Endpoints.

The new NACL entry will be created as rule number 130 on the Restrict subnet NACL and will be created on the next update of your VPC with Stax.

If you would like to update your VPC without making any changes to its configuration, you can edit your Networking Hub to modify the tags and trigger an update.

Stax Networks now supports enabling five additional Interface Endpoints for VPCs that are part of a Networking Hub:

• CodeDeploy (codedeploy)

• CodeDeploy Commands Secure (codedeploy-commands-secure)

• RDS (rds)

• RDS Data (rds-data)

• S3 (s3-interface)

You can enable these Interface Endpoints for new and existing Networking Hubs using the Stax Console, API, or SDK. See Manage Networking Hubs for more.

The Data page now has a date picker to make it easier to select a time range. You can choose either a single month, or a range of months.

Navigate to the Data page now to try it out!

The Notifications page has been redesigned to provide a more intuitive and simple user experience. Notifications are now managed through a tabulated window, with each delivery channel located on a seperate tab.

Stax also now supports sending notifications via Microsoft Teams, in addition to the existing email, webhook, and Slack delivery channels. Simply create an incoming webhook for your Teams channel and select the notifications you'd like to receive. For more information, see the documentation.

Stax has released a new version of the Cost & Compliance module's service and billing roles, version 30. In keeping with our principle of least-privilege, Stax has revised the permissions this role requires.

Specifically, Stax no longer requires access to AWS Support APIs to complete compliance discovery tasks.

If your AWS accounts are Stax-managed, then you don't need to take any action. Stax will automatically update this role in the coming days.

If you're subscribed only to the Stax Cost & Compliance module, you will need to apply the update yourself.

As always, Stax recommends that you regularly review your IAM permissions. It is important to confirm that they align with the principle of least-privilege, and with the AWS Well-Architected Framework. For any questions around this change, or if you need assistance deploying the updated role, please raise a support case.

When deploying Networking Hubs using Stax Networks, a NAT Gateway can be deployed for egress connectivity from private subnets. By default, when enabled, Stax provisions a single NAT Gateway which resides in a single Availability Zone (AZ). An outage of that AZ would result in egress connectivity failing for private subnets in that Networking Hub.

Stax has introduced a new feature to allow deployment of highly available NAT Gateways that are redundant at the Availability Zone level. These can be deployed into networks provisioned using Stax Networks. You can make use of this feature when creating a new, or updating an existing, Networking Hub.

At this time, the feature is available via the Stax API and the Python SDK.

AWS has had a Local Zone in Osaka for some time (ap-northeast-3). Recently, this region has been increased in capacity and released to the general public for use.

This region does not yet meet Stax's minimum requirements for a new region. In line with our AWS Region Policy, we have disabled activity in the region for Stax-managed AWS accounts using a Stax Policy. This restriction is in place until such a time as the region does meet Stax's minimum requirements.

If you anticipate this restriction impacting you, or if you have intentions to use this region, please raise a support case.

Stax is enhancing the validation around tags applied to networking resources created using Stax Networks. Stax Networks supports tagging networking resources to allow enhanced flexibility in how you identify resources it creates.

The Stax API will now perform additional validation against tags supplied for your these resources. The validation is designed to help you comply with AWS's guidance for tagging EC2 resources.

The updated API schema for your region (stax-au1, stax-eu1, stax-us1) provides more information.

If you have any questions about how this change may impact you, please raise a support case.

Version 1.1.2 of the Python SDK has been released.

This is an update to lock the dependency openapi-spec-validator to version 0.2.9. This is due to breaking validation changes being introduced in the most recent versions of the dependency.

For more details about the Python SDK, check it out on Github.