Response to Codecov Security Advisory

Stax
Stax
Stax Team

On the 15th of April 2021, Codecov notified its users of a security event that had impacted its systems.

At Stax, we believe that security and transparency are of the utmost importance, and as such we are informing our customers of this event.

No customer action is required, and no customer data has been impacted as a result of this advisory.

Stax's exposure is limited to the use of a GitHub action on the Python SDK code repository. This event has no impact on the Stax platform.

We have responded by following the recommendations provided by Codecov. Artefacts produced by our CI/CD pipeline have been audited and no indicators of compromise were found.

Additional Stax Networks Restricted Subnet Endpoint NACL

Stax Networks has created an additional NACL entry for the Restricted Subnet. This allows return TCP traffic from the Networking Hub's Endpoint subnets.

By allowing this return traffic your resources within the Restricted Subnet will be able to utilize the Networking Hub's Interface Endpoints.

The new NACL entry will be added as rule number 130 on the Restricted Subnet NACL the next time your VPC is updated with Stax.

If you would like to update your VPC without making any changes to its configuration, you can edit your Networking Hub to modify the tags and trigger an update.
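
NACLs are stateless, so an Interface Endpoint's reply is evaluated as fresh inbound traffic on the Restricted Subnet and needs its own allow entry. The sketch below is an added example, not Stax code: it models first-match rule evaluation before and after the new entry. Only rule number 130 comes from this announcement; the CIDRs, rule 100 and the ephemeral port range 1024-65535 are constructed assumptions.

```python
# Added example: first-match evaluation of a stateless NACL's inbound rules.
# Only rule number 130 comes from the announcement; every CIDR, the other
# rule and the ephemeral port range are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = range(1024, 65536)       # assumed client port range for replies
RESTRICTED_CIDR = "10.0.8.0/24"      # constructed Restricted Subnet
ENDPOINT_CIDR = "10.100.0.0/24"      # constructed Networking Hub endpoint subnets


@dataclass(frozen=True)
class Rule:
    number: int
    action: str       # "allow" or "deny"
    source: str       # source CIDR
    dst_ports: range  # destination ports the rule covers
    protocol: str = "tcp"


def evaluate(rules, src_ip, dst_port, protocol="tcp"):
    """Return (action, rule_number) for the lowest-numbered matching rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.protocol == protocol
                and ip_address(src_ip) in ip_network(rule.source)
                and dst_port in rule.dst_ports):
            return rule.action, rule.number
    return "deny", None  # implicit final deny when nothing matches


# Constructed inbound rule sets for the Restricted Subnet NACL.
BEFORE = [Rule(100, "allow", RESTRICTED_CIDR, range(0, 65536))]
AFTER = BEFORE + [Rule(130, "allow", ENDPOINT_CIDR, EPHEMERAL)]


def endpoint_reply(rules, client_port=50000, endpoint_ip="10.100.0.10"):
    """Evaluate an endpoint reply arriving at the client's ephemeral port."""
    return evaluate(rules, endpoint_ip, client_port)


if __name__ == "__main__":
    print("before:", endpoint_reply(BEFORE))
    print("after: ", endpoint_reply(AFTER))
    print("endpoint subnet -> port 22:", evaluate(AFTER, "10.100.0.10", 22))
```

The same function can be pointed at an exported copy of your own NACL entries to confirm that the allow entry covers only the endpoint subnets and only reply ports.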

Additional Stax Networks VPC Interface Endpoints

Stax Networks now supports enabling five additional Interface Endpoints for VPCs that are part of a Networking Hub:

  • CodeDeploy (codedeploy)

  • CodeDeploy Commands Secure (codedeploy-commands-secure)

  • RDS (rds)

  • RDS Data (rds-data)

  • S3 (s3-interface)

You can enable these Interface Endpoints for new and existing Networking Hubs using the Stax Console, API, or SDK. See Manage Networking Hubs for more.

Simpler Date Selection on Data Page

The Data page now has a date picker to make it easier to select a time range. You can choose either a single month, or a range of months.

Navigate to the Data page now to try it out!

Updated Notifications Experience and Microsoft Teams Functionality

The Notifications page has been redesigned to provide a simpler, more intuitive user experience. Notifications are now managed through a tabbed window, with each delivery channel located on a separate tab.

Stax also now supports sending notifications via Microsoft Teams, in addition to the existing email, webhook, and Slack delivery channels. Simply create an incoming webhook for your Teams channel and select the notifications you'd like to receive. For more information, see the documentation.

Revised Cost & Compliance Role Permissions

Stax has released a new version of the Cost & Compliance module's service and billing roles, version 30. In keeping with our principle of least-privilege, Stax has revised the permissions this role requires.

Specifically, Stax no longer requires access to AWS Support APIs to complete compliance discovery tasks.

If your AWS accounts are Stax-managed, then you don't need to take any action. Stax will automatically update this role in the coming days.

If you're subscribed only to the Stax Cost & Compliance module, you will need to apply the update yourself.

As always, Stax recommends that you regularly review your IAM permissions. It is important to confirm that they align with the principle of least-privilege, and with the AWS Well-Architected Framework. For any questions around this change, or if you need assistance deploying the updated role, please raise a support case.

Stax Networks Redundant NAT Gateways

When deploying Networking Hubs using Stax Networks, a NAT Gateway can be deployed for egress connectivity from private subnets. By default, when enabled, Stax provisions a single NAT Gateway which resides in a single Availability Zone (AZ). An outage of that AZ would result in egress connectivity failing for private subnets in that Networking Hub.

Stax has introduced a new feature to allow deployment of highly available NAT Gateways that are redundant at the Availability Zone level. These can be deployed into networks provisioned using Stax Networks. You can make use of this feature when creating a new, or updating an existing, Networking Hub.

At this time, the feature is available via the Stax API and the Python SDK.

New Region Osaka Blocked

AWS has had a Local Zone in Osaka (ap-northeast-3) for some time. Recently, the capacity of this region was increased and it was released to the general public for use.

This region does not yet meet Stax's minimum requirements for a new region. In line with our AWS Region Policy, we have disabled activity in the region for Stax-managed AWS accounts using a Stax Policy. This restriction is in place until such a time as the region does meet Stax's minimum requirements.

If you anticipate this restriction impacting you, or if you have intentions to use this region, please raise a support case.

Tag Validation Added to Stax Networks

Stax is enhancing the validation around tags applied to networking resources created using Stax Networks. Stax Networks supports tagging networking resources to allow enhanced flexibility in how you identify resources it creates.

The Stax API will now perform additional validation against tags supplied for these resources. The validation is designed to help you comply with AWS's guidance for tagging EC2 resources.

The updated API schema for your region (stax-au1, stax-eu1, stax-us1) provides more information.

If you have any questions about how this change may impact you, please raise a support case.

Stax Python SDK v1.1.2 released

Version 1.1.2 of the Python SDK has been released.

This is an update to lock the dependency openapi-spec-validator to version 0.2.9. This is due to breaking validation changes being introduced in the most recent versions of the dependency.

For more details about the Python SDK, check it out on GitHub.