When VPCs are created within the Stax Networks feature, VPC flow logging is enabled. Logs are stored in an S3 bucket in your logging account. To improve the compliance posture of this information, Stax has increased the log retention duration of the VPC flow logs from the default of 90 days to a new value of 365 days.
If you have any questions regarding this change, please raise a support case with your enquiry.
Stax is always working to ensure the security of the platform and our customers. As a result, from time to time, changes are introduced to remove insecure or outdated technology. Transport Layer Security (TLS) 1.2 is the industry-agreed recommended minimum cryptographic protocol for HTTP traffic. As a result, SSL and TLS versions older than TLS 1.2 are no longer supported by the Stax API.
From 2020-09-11 the Stax API will require all communication to use TLS 1.2. We maintain support of the following cipher suites: Supported SSL/TLS protocols and ciphers for regional, private, and WebSocket API endpoints in API Gateway.
Ensure any app or integration you've built to use the Stax API supports TLS 1.2. While most applications and programming languages have supported TLS 1.2 for several years, if yours doesn't, you may need to upgrade your application.
If you're using the Stax SDK, you should not need to make any changes. The Stax SDK requires Python 3.6+, which has built in support for TLS 1.2 (as do most modern programming language versions).
If you have any questions regarding this change, please raise a support case with your enquiry.
To improve the user experience when creating Stax Account Types, two improvements have been introduced.
Added: Reuse of old Account Type names. Previously, Stax Account Type names could not be reused after an Account Type is deleted. This behavior has been changed to permit name reuse.
Fixed: Improved error handling for Account Type creation. In the event that an attempt was made to create an Account Type with the same name as an existing Account Type, the operation would fail silently with no error. An error will now be displayed.
A change has been introduced to the Stax Console and API to allow additional control over federated users within the Stax identity service. These users can now be disabled within the Stax API and Console, not only via a federated identity provider.
Additionally, the deprecated concept of Stax root users has been removed from the identity service.
Changed: Federated users can now be deactivated through the Stax console
Changed: Federated users can now be deactivated through the Stax API/SDK
Removed: Root users are no longer included in the response to a GET request for the Stax API's /users endpoint
Removed: Stax no longer supports filtering on root users
As part of our ongoing commitment to security and reliability, we've made some changes to your IDAM service with release 9.0.3-8-1272a06:
IDAM now runs in a high availability configuration giving you single-AZ (Availability Zone) redundancy
Some changes to the network configuration of IDAM have been made to better meet our recommended best practice approach
Some changes have been made to the IDAM log storage bucket to enforce encryption in line with best practice
These changes have been applied automatically by Stax during our advertised maintenance period.
As per item 2.8 of the CIS AWS Foundations Benchmark, all Customer Master Keys (CMKs) created by the Stax platform in customer AWS accounts now have automatic yearly rotation enabled.
This change does not impact CMKs created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.
This change applies to the following CMKs in your AWS accounts:
spotlight-etl-sns
stax-alarm-sns-key
Below is an excerpt from the CIS AWS Foundations Benchmark document that provides some more context around this recommendation:
2.8 Ensure rotation for customer created CMKs is enabled
AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK keyrotation be enabled.
Stax's Cost & Compliance Real-Time Rule Alerts functionality now supports filtering to allow you to receive targeted notifications for compliance events.
You can use this feature for scenarios where certain recipients should receive specific notifications to their use case:
Receive only high-severity Rule notifications to a shared inbox for processing
Receive alerts only when the S3 Buckets should not be Publicly Open Rule is broken
As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have enforced encryption of data in transit using HTTPS (TLS).
This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.
This change applies to the following legacy S3 buckets in your AWS Accounts:
juma-cloudtrail-*
juma-cloudtrail-master-accesslogbucket-*
juma-cloudtrail-master-jumaaccesslogbucket-*
juma-jumatrail-*
juma-config-*
juma-session-manager-*
The following legacy S3 buckets will be removed in your AWS Accounts:
stax-billing-*
stax-billing-accesslogs-*
juma-billing-*
Please note: The legacy S3 buckets that are removed contain only outdated billing information. These buckets have not been in use since February 2020 and as such no impact is expected by this removal. The best way to access your billing information is with Stax's Cost & Compliance module.
As part of Stax Networks, Gateway VPC Endpoints attached to your Transit VPC can now be modified from your Transit VPC's details drawer.
For more information, see Edit Your Transit VPC within the Manage Networking Hubs documentation.
As per AWS best practices, all SNS topics created by the Stax platform in customer AWS Accounts have encryption enabled using KMS. One unused SNS Topic has been removed from accounts.
Changed: Encrypted stax-assurance-cis-benchmark-EventIngestTopic topic in all accounts
Changed: Encrypted staxtrail-<org-id> topic in logging account
Changed: Encrypted cloudtrail-<org-id> topic in logging account
Changed: Encrypted stax-assurance-event-processor-EventIngestTopic topic in security account
Removed: stax-config-<org-id> topic in logging account, as it was not used
If you have your own sources publishing messages to these topics, you will need to configure the source with the right permissions to be able to continue publishing to the topic. For more information on this,see publishing to encrypted topics.