Stax's Cost & Compliance Real-Time Rule Alerts functionality now supports filtering to allow you to receive targeted notifications for compliance events.
You can use this feature for scenarios where certain recipients should receive specific notifications to their use case:
Receive only high-severity Rule notifications to a shared inbox for processing
Receive alerts only when the S3 Buckets should not be Publicly Open Rule is broken
As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have enforced encryption of data in transit using HTTPS (TLS).
This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.
This change applies to the following legacy S3 buckets in your AWS Accounts:
juma-cloudtrail-*
juma-cloudtrail-master-accesslogbucket-*
juma-cloudtrail-master-jumaaccesslogbucket-*
juma-jumatrail-*
juma-config-*
juma-session-manager-*
The following legacy S3 buckets will be removed in your AWS Accounts:
stax-billing-*
stax-billing-accesslogs-*
juma-billing-*
Please note: The legacy S3 buckets that are removed contain only outdated billing information. These buckets have not been in use since February 2020 and as such no impact is expected by this removal. The best way to access your billing information is with Stax's Cost & Compliance module.
As part of Stax Networks, Gateway VPC Endpoints attached to your Transit VPC can now be modified from your Transit VPC's details drawer.
For more information, see Edit Your Transit VPC within the Manage Networking Hubs documentation.
As per AWS best practices, all SNS topics created by the Stax platform in customer AWS Accounts have encryption enabled using KMS. One unused SNS Topic has been removed from accounts.
Changed: Encrypted stax-assurance-cis-benchmark-EventIngestTopic topic in all accounts
Changed: Encrypted staxtrail-<org-id> topic in logging account
Changed: Encrypted cloudtrail-<org-id> topic in logging account
Changed: Encrypted stax-assurance-event-processor-EventIngestTopic topic in security account
Removed: stax-config-<org-id> topic in logging account, as it was not used
If you have your own sources publishing messages to these topics, you will need to configure the source with the right permissions to be able to continue publishing to the topic. For more information on this,see publishing to encrypted topics.
As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have enforced encryption of data in transit using HTTPS (TLS).
This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.
This change applies to the following S3 buckets in your AWS Accounts:
stax-cloudtrail-<org-id>
stax-cloudtrail-accesslogs-<org-id>
stax-staxtrail-<org-id>
stax-staxtrail-accesslogs-<org-id>
stax-config-<org-id>
stax-config-accesslogs-<org-id>
stax-billing-<org-id>
stax-billing-accesslogs-<org-id>
stax-session-manager-<org-id>
stax-idam-waflogs-<account-id>
A bug has been resolved with the Workloads API's Update Workload method's schema implementation.
The Update Workload schema has been adjusted to remove the CatalogueVersionId as a mandatory property. It also adds CatalogueId and Parameters to the schema documentation to reflect the implementation.
Changed: CatalogueVersionId is now optional
Added: CatalogueId is now defined in the schema
Added: Parameters are now defined in the schema
Stax has released the Stax Foundation Compliance Rule Bundle which assesses the compliance of your AWS accounts against enterprise-grade security controls. The Rule Bundle is a collection of AWS Well-Architected, CIS AWS Foundations Benchmark and Stax best-practice security controls, which will help you to track the safety and security of your accounts.
Head to the Stax Foundation Compliance Rule Bundle on the Rules page within the Stax Console to check it out.
Stax has made it easier to attach and detach Stax Policies to/from your Stax Account Types using the Stax API.
If you attempt to attach a Policy to an Account Type and the Account Type or Policy does not already exist, the API will return a 404 (Not Found) response, instead of a generic 400 (Bad Request) response.
When you attach or detact a Policy to/from an Account Type, the Stax API will now verify if the Policy is already attached or detached. An error will be returned if this occurs.
Only four Stax Policies can be attached to any specific Account Type. If you attempt to attach Policies that would exceed this limit, the API will now validate that and reject the request.
Stax has partnered with AWS to provide Stax customers with a Stax Events AWS EventBridge integration.
Stax Events published to AWS EventBridge will allow customers to monitor and automate actions within their Stax-managed AWS accounts. Customers will be able to receive events about Stax usage, as well as, priority AWS events enriched with contextual Stax information. Leveraging the power of AWS serverless services, such as, AWS Lambda or AWS Step Functions will allow for additional actions to be taken as a result of these events.
In addition to publishing these events to AWS EventBridge, events will also be stored in your logging account's StaxTrail S3 bucket. These new event details will be available at the following path within the S3 bucket: StaxTrail/year/month/day/StaxEventId.gz.
For more details about Stax Events, check out the docs.
A bug has been resolved with the Workloads API's Update Workload method's documentation.
The Update Workload documentation has been clarified to properly reflect the capability to Protect Workloads using the Protection property, as well as mandating the CatalogueVersionId property to ensure the update process occurs correctly.
Added: Protection property (boolean)
Changed: CatalogueVersionId is now mandatory
Changed: Tags now has a more defined object schema
Removed: Name property as it was unused
There is no change to the underlying functionality of the API, this is strictly a documentation/definition update.