To gain detailed insights into your AWS cost information, or to feed billing information into third-party tools, you can now opt-in to have your Stax-managed AWS Cost and Usage Reports (CURs) exported directly to an S3 bucket in your AWS Organization's logging account. To find out more, see Opt-in to Stax-managed CUR export to the Logging Accountin the docs.
In addition to viewing your rule-level compliance score based on passing and failing rules, Stax Compliance users can now view compliance scores calculated by the number of passing/failing resources. This new resource-level compliance view enables resource-focused operational insights and remediation.
Choose the vertical ellipsis (⋮) under the summary results on the Rule page to change how the compliance score is calculated. See our guide for more details.
What’s Changing? Stax has decided to remove the chat support button from the Cost and Compliance segments of Stax. While this feature is being deprecated, you can communicate with the Stax support team by clicking the “Support” button on the lower left-hand side of the console. This change aligns with our commitment to improving our services and catering to your needs effectively.
If you have any questions, encounter any issues, or require any further assistance with this change, please do not hesitate to contact our support team using the Support button in the lower left of your console or via https://stax.io/support
Thanks, The team at Stax
A number of Rule names have been updated to improve usability and standardize rule names across all Rule Bundles. To find out more, visit the Stax Compliance module guide.
As announced on 04 September 2023, Stax has released a fix for an issue resulting in some out-of-date RI recommendations being collected from AWS member accounts.
Stax has released a change to only show RI recommendations that are less than 30 days old making the current recommendations and savings opportunities more accurate. Customers may notice a decrease in the **Total Potential Yearly Saving **and a reduction in the number of savings opportunities displayed.
This change does not impact RI recommendations generated by Stax within the AWS management account which are scoped to all accounts in the organization's consolidated billing family. These recommendations cover both the management account and member accounts and are refreshed daily.
Stax Notifications now supports the ability to create multiple of the same notification types for any delivery channel. This change provides greater flexibility and personalization and makes managing your Stax Cost & Compliance notifications much easier. See Manage Notifications for more details.
As of December 31st, AWS will no longer provide support for the Go 1.x runtime in AWS Lambda, as announced in this AWS blog post.
This change will be deployed to all affected Stax-managed Lambda functions before December 31, 2023. No customer action is required for this change and we will inform you when this change has been applied.
For any further questions, please raise a support case.
On 11 September 2023, Stax will be releasing a change to remediate an issue impacting Reserved Instance (RI) recommendations shown within the Reserved Instances tab on the Savings Plans & RIs page. This issue is resulting in some out-of-date RI recommendations being collected from AWS member accounts.
After the change, Stax will only show RI recommendations that are less than 30 days old making the current recommendations and savings opportunities more accurate. Customers may notice a decrease in the **Total Potential Yearly Saving **and a reduction in the number of savings opportunities displayed.
This change does not impact RI recommendations generated by Stax within the AWS management account which are scoped to all accounts in the organization's consolidated billing family. These recommendations cover both the management account and member accounts and are refreshed daily.
The NIST Cybersecurity Framework Rule Bundle is now available to all organizations. This Bundle is designed to help customers fortify their AWS environment against cyber threats and strengthen their security posture.
The new bundle currently includes 86 controls and over 16 new rules, with more to be added during the preview phase.
Add the Bundle to your Stax console to get started. Once added, Stax will perform an initial evaluation and populate the Rules page with new results. You can filter the page to show only results from the NIST Cybersecurity Framework bundle if preferred. Alternatively, to add any of the new rules to your Organization Rule Bundle, head to the Rules Catalog page.
As part of our ongoing maintenance and improvement of rules and rule bundles, we are updating rules related to AWS CloudTrail log metric filters. This change will offer a shift towards organization-level CloudTrail configurations, enabling enhanced security and manageability for your resources.
Please be aware that the existing rules will be deprecated in the following bundles:
AWS FTR version 1.0.0
CIS Benchmark from version 1.1.0 to 1.5.0
Organization Rules
S3 Best Practice version 1.0 and version 1.1
Stax Foundation Compliance version 1.0
The deprecated rules are as follows:
Ensure a log metric filter and alarm exist for AWS Config configuration changes,
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures,
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA,
Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL),
Ensure a log metric filter and alarm exist for changes to network gateways,
Ensure a log metric filter and alarm exist for CloudTrail configuration changes,
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs,
Ensure a log metric filter and alarm exist for IAM policy changes,
Ensure a log metric filter and alarm exist for route table changes,
Ensure a log metric filter and alarm exist for S3 bucket policy changes,
Ensure a log metric filter and alarm exist for security group changes,
Ensure a log metric filter and alarm exist for unauthorized API calls,
Ensure a log metric filter and alarm exist for usage of root user credentials,
Ensure a log metric filter and alarm exist for VPC changes
The newly introduced rules will take their place with the following rule names respectively:
CloudTrail should have a log metric filter for AWS Config changes,
CloudTrail should have a log metric filter for Console authentication failures,
CloudTrail should have a log metric filter for Console sign-in without MFA,
CloudTrail should have a log metric filter for NACL changes,
CloudTrail should have a log metric filter for Network Gateway changes,
CloudTrail should have a log metric filter for CloudTrail configuration changes,
CloudTrail should have a log metric filter for scheduled deletion of customer-created CMKs,
CloudTrail should have a log metric filter for IAM policy changes,
CloudTrail should have a log metric filter for route table changes,
CloudTrail should have a log metric filter for s3 bucket policy changes,
CloudTrail should have a log metric filter for security group changes,
CloudTrail should have a log metric filter for unauthorized API calls,
CloudTrail should have a log metric filter for root user credentials,
CloudTrail should have a log metric filter for VPC changes
Please note that the check history for the deprecated rules will not be kept.
If you have any questions about this change and what it means for you, please contact support.