
"Lambdas have a unique role" rule deprecation

Stax
Stax
Stax Team

The rule “Lambdas have a unique role” will be deprecated in a rules update in 7 days. This rule has been a part of the Stax compliance module for many years, and after careful consideration, we have decided that it no longer serves its intended purpose.

This rule was originally intended to ensure that AWS Lambdas — cloud computing functions — had a unique role within the environment. As cloud computing and serverless functions have evolved, we have determined that this rule does not provide additional security and is no longer necessary.

This rule is only part of the Stax rule catalog, and is not used as part of any compliance or best practice rule bundles.

Organization-level CloudTrail configuration supported for S3 bucket object-level logging Rules

As announced on 09 May 2023, a change has been released for the listed Rules that check if object-level logging is enabled for S3 buckets.

These Rules will now detect when S3 data event logging is enabled on CloudTrail trails configured in member accounts, as well as when it is configured on Organization-level CloudTrail trails.

Bundle Name                            | Rule Name
Organization Bundle/catalog            | Ensure that Object-level logging for write events is enabled for S3 bucket
                                       | Ensure that Object-level logging for read events is enabled for S3 bucket
CIS Benchmark v1.3.0, v1.4.0 & v1.5.0  | CIS 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
                                       | CIS 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket

By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.

Export View Budget Data to CSV

When setting budgets that leverage your Views, you can now sort the budget table by segment name and download the budget data to CSV. Find out more here.

Stax-managed GuardDuty Notice

As part of Stax Assurance, Amazon GuardDuty is configured for Stax-managed AWS Organizations. In an upcoming release of Stax, advanced configuration of GuardDuty will be possible via the Stax Console and API.

There are several considerations for organizations with GuardDuty configuration in place beyond what Stax configures as part of Stax Assurance. Read Configure Amazon GuardDuty within Stax for more information. Contact your Customer Success Manager if you have any questions regarding this upcoming release.

Changes to Rule - Ensure that public access is not given to RDS Instance

As announced on 3 May 2023, a fix has been released to remediate an issue impacting several Rules that verify if RDS instances are publicly accessible.

Before the change, the Rules incorrectly marked RDS instances as public if they were in a VPC subnet whose route table had a default route (CIDR block 0.0.0.0/0). This check was invalid because a default route only exposes the subnet to the internet when its target is an internet gateway; a default route via a NAT gateway, for example, does not.

The Rule will now pass if the RDS instance's subnet does not allow public egress, that is, if its route table has no default route (CIDR block 0.0.0.0/0) whose target is an internet gateway. This change may have affected the compliance score of the listed Rules.

Bundle                           | Rule Name
CIS Benchmark Version 1.5.0      | CIS 2.3.3 - Ensure that public access is not given to RDS Instances
Organization Rules/Rule Catalog  | RDS instances in a subnet should not have internet access
APRA Version 1.0                 | RDS instances should not exist in public subnets
                                 | (this rule has been renamed to: RDS instances in a subnet should not have internet access)
RDS Best Practice Version 1.0    | RDS instances in a subnet should not have internet access
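The subnet check described in this entry, as an added example that is not Stax's own code: the old logic flagged any 0.0.0.0/0 route, the corrected logic also requires an internet gateway as the route's target. Route tables are in the shape of the EC2 DescribeRouteTables response; the IDs, the sample tables and the route_table_for_subnet helper are constructed for the illustration.

```python
from typing import Dict, List

DEFAULT_ROUTE = "0.0.0.0/0"  # the default route CIDR the Rule looks for

def has_default_route(route_table: Dict) -> bool:
    """Old, invalid logic: any 0.0.0.0/0 route marks the subnet as public."""
    return any(r.get("DestinationCidrBlock") == DEFAULT_ROUTE
               for r in route_table.get("Routes", []))

def has_igw_default_route(route_table: Dict) -> bool:
    """Corrected logic: a 0.0.0.0/0 route whose target is an internet gateway."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if r.get("State", "active") != "active":
            continue  # a blackholed default route carries no traffic
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return True
    return False  # no default route, or one via NAT gateway / peering / VGW

def route_table_for_subnet(subnet_id: str, route_tables: List[Dict]) -> Dict:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main: Dict = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def rds_subnet_has_internet_access(subnet_id: str, route_tables: List[Dict]) -> bool:
    """The corrected Rule check for one RDS subnet: True means the Rule fails."""
    return has_igw_default_route(route_table_for_subnet(subnet_id, route_tables))

# Constructed sample (hypothetical IDs) in the shape of EC2 DescribeRouteTables output.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
```

The private subnet is the false positive the fix removes: the old check reports it as public because of its NAT default route, the corrected check does not.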