AWS Cost Optimization Hub enabled for Stax-Managed AWS Organizations

Stax
Stax
Stax Team

Stax has enabled AWS Cost Optimization Hub, centralizing cost savings opportunities and recommendations for your entire organization within the Management account. Furthermore, Stax configures AWS Compute Optimizer for your tenancy, enriching your optimization findings and recommendations.

To get started, log into AWS in your Stax-managed Management account and navigate to Cost Optimization Hub within the AWS Billing and Cost Management Console.

Fetch IDAM User(s) API Endpoints Removed

As announced on 15 December 2023, the following deprecated Stax API endpoints have been removed from stax-au1, stax-us1, and stax-eu1 and are no longer supported by Stax API/SDK:

  • **Fetch IDAM Users** GET /20190206/idam/user
  • **Fetch IDAM User** GET /20190206/idam/user/{org_id}

The following endpoints should be used instead:

  • **Fetch Stax Users and Federated Users** GET /20190206/users
  • **Fetch Stax User and Federated User** GET /20190206/users/{user_id}

If you have any concerns, please raise a support case.

Reminder: Upcoming changes to Stax-managed Security Hub

On 12 February 2024, Stax will implement changes to the configuration of Stax-managed Security Hub. This update will align the Stax-managed Security Hub service with the new AWS Security Hub central configuration capability announced by AWS.

If you have already enabled Stax-managed Security Hub, you will be impacted by this change.

Ensure you review our guide to understand the change, impacts, and actions you need to take before 12 February 2024.

If you have questions or concerns regarding the changes, please reach out by raising a support case.

Deprecation of stax2aws versions 1.4.3 and older

On 02 April 2024, Stax will deprecate stax2aws versions 1.4.3 and older. These versions of the Stax Command Line Interface (CLI) utilize a device authorization grant solution which is being deprecated.

All users will be required to upgrade to version 1.5.0 of stax2aws on or before **02 April 2024** to continue using the Stax CLI.

In addition, on 02 April 2024, Stax will remove the obsolete device flow resources from Stax-managed security accounts. No customer action is required for this part of the change and we will inform you when this change has been applied.

If you have questions or concerns regarding the changes, please reach out by raising a support case.

stax2aws v1.5.0 released

Version 1.5.0 of stax2aws has been released. See how to upgrade stax2aws.

Changes:

  • simplified the OAuth 2.0 device authorization implementation

    • support added for native OAuth 2.0 device authorization grant
    • support for custom Stax device flow authorization grant removed
  • updated dependencies and security patches

Changes to Stax-managed AWS Config global resources recording configuration

As announced on 17 January 2024, Stax has implemented a change in Stax-managed AWS Config to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region only.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions.

Importantly, this change will not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that recording of global resources is only required in one region. For more details, refer to the CIS AWS Benchmark.

Impact of change

  • Customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.

  • Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:

AWS Config Rules and Global Resource Types

Security Hub controls that you might want to disable

New Compliance Rule - EC2 instances should not be too old

Stax has released a new compliance rule called EC2 instances should not be too old, allowing customers to continuously monitor the age of their EC2 instances based on their organization's requirements. This rule helps align with best practices by ensuring that EC2 instances are regularly updated, patched and restarted.

This rule evaluates whether an EC2 instance’s launch time exceeds the specified number of days (Instance Age parameter). The default Instance Age parameter is set to 60 days if no value is specified.

To add this new rule to your Organization Rule Bundle, head to the Rules Catalog page.

Changes to Stax-managed Config

On 23 January 2024, Stax will implement a change to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions. Additionally, this change may help customers in reducing their AWS Config costs.

Importantly, this change does not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that including global resources related to IAM resources is required in only one region. For more details, refer to the CIS AWS Benchmark.

Impact of change

  • After the change, customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.
  • Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:
    • AWS Config Rules and Global Resource Types
    • Security Hub controls that you might want to disable
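
The single-region recording model described in this announcement and in the earlier implementation notice can be checked per region. The following is an added example, not Stax or AWS code: the region names, the assumed Installation Region and the sample data are constructed, and the dictionaries follow the shape of the AWS Config DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus responses.

```python
# Constructed sample: per-region data shaped like the AWS Config
# DescribeConfigurationRecorders / DescribeConfigurationRecorderStatus responses.
HOME_REGION = "ap-southeast-2"  # assumed Stax Installation Region for this example

def make_region(include_global, recording=True):
    """Build one region's recorder data (hypothetical helper for the sample)."""
    return {
        "ConfigurationRecorders": [{
            "name": "default",
            "recordingGroup": {"allSupported": True,
                               "includeGlobalResourceTypes": include_global},
        }],
        "ConfigurationRecordersStatus": [{"name": "default", "recording": recording}],
    }

SAMPLE = {
    "ap-southeast-2": make_region(include_global=True),
    "us-east-1": make_region(include_global=False),
    "eu-west-1": make_region(include_global=True),  # redundant IAM copies
    "us-west-2": make_region(include_global=False, recording=False),
    "ap-northeast-1": {"ConfigurationRecorders": [], "ConfigurationRecordersStatus": []},
}

def audit_recording(regions, home_region):
    """Return (region, issue) findings for the single-region global recording model."""
    findings, global_regions = [], []
    for region in sorted(regions):
        data = regions[region]
        recorders = data.get("ConfigurationRecorders", [])
        if not recorders:
            # Config must still be enabled in every region.
            findings.append((region, "no configuration recorder"))
            continue
        running = {s["name"] for s in data.get("ConfigurationRecordersStatus", [])
                   if s.get("recording")}
        for rec in recorders:
            if rec["name"] not in running:
                findings.append((region, "recorder is stopped"))
            if rec.get("recordingGroup", {}).get("includeGlobalResourceTypes"):
                global_regions.append(region)
    if home_region not in global_regions:
        findings.append((home_region, "global resources not recorded in home region"))
    findings += [(r, "redundant global resource recording")
                 for r in global_regions if r != home_region]
    return findings

if __name__ == "__main__":
    for region, issue in audit_recording(SAMPLE, HOME_REGION):
        print(f"{region}: {issue}")
```

Against a live organization, the per-region dictionaries would come from boto3's `describe_configuration_recorders` and `describe_configuration_recorder_status` calls made in each enabled region.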