Export View Budget Data to CSV

Stax
Stax
Stax Team

When setting budgets that leverage your Views, you can now sort the budget table by segment name and download the budget data to CSV. Find out more here.

Stax-managed GuardDuty Notice

As part of Stax Assurance, Amazon GuardDuty is configured for Stax-managed AWS Organizations. In an upcoming release of Stax, advanced configuration of GuardDuty will be possible via the Stax Console and API.

There are several considerations for organizations with GuardDuty configuration in place beyond what Stax configures as part of Stax Assurance. Read Configure Amazon GuardDuty within Stax for more information. Contact your Customer Success Manager if you have any questions regarding this upcoming release.

Changes to Rule - Ensure that public access is not given to RDS Instance

As announced on 3 May 2023, a fix has been released to remediate an issue impacting several Rules that verify if RDS instances are publicly accessible.

Before the change, the Rules incorrectly marked RDS databases as public if the RDS instances were in a VPC subnet with a default route CIDR block of 0.0.0.0/0. This check was invalid because the default route must also be configured with an internet gateway as the target to be publicly accessible.

The Rule will now pass if the RDS instance subnet does not allow public egress via a default route (CIDR block of 0.0.0.0/0) with an internet gateway as the target. This change may have impacted the compliance score of the listed rules.

Bundle                           Rule Name
CIS Benchmark Version 1.5.0      CIS 2.3.3 - Ensure that public access is not given to RDS Instances
Organization Rules/Rule Catalog  RDS instances in a subnet should not have internet access
APRA Version 1.0                 RDS instances should not exist in public subnets
                                 (This rule has been renamed to: RDS instances in a subnet should not have internet access)
RDS Best Practice Version 1.0    RDS instances in a subnet should not have internet access

Changes to Rules object-level logging for S3 buckets

On 15 May 2023, a change will be released for the listed Rules that check if object-level logging is enabled for S3 buckets.

Currently, S3 buckets in Stax-managed member accounts will fail the check even when the required CloudTrail S3 data event logging is enabled, because Stax follows AWS best practices and configures CloudTrail at the Organization-level, not within every individual member account.

After the change, this Rule will detect when S3 data event logging is enabled on CloudTrail trails configured in member accounts as well as when configured on Organization-level CloudTrail trails.

Bundle Name                             Rule Name
Organization Bundle/catalog             Ensure that Object-level logging for write events is enabled for S3 bucket
                                        Ensure that Object-level logging for read events is enabled for S3 bucket
CIS Benchmark v1.3.0, v1.4.0 & v1.5.0   CIS 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
                                        CIS 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket

By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.
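As an added example (not Stax's own code), the trail evaluation this entry describes: a bucket's object-level logging is checked across member-account trails and Organization-level trails, with a switch that reproduces the pre-change behaviour of ignoring Organization trails. The trail records are constructed to resemble CloudTrail DescribeTrails (with shadow trails) plus GetEventSelectors output; only classic event selectors are modelled, not advanced event selectors.

```python
# Added example (not Stax code). Sample trails are constructed and shaped like CloudTrail
# DescribeTrails (includeShadowTrails) + GetEventSelectors output (assumption).
TRAILS = [
    {   # trail in the member account: management events only, no S3 data events
        "Name": "member-account-trail", "IsOrganizationTrail": False,
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                            "DataResources": []}],
    },
    {   # Organization trail owned by the management account (seen here as a shadow trail)
        "Name": "org-trail", "IsOrganizationTrail": True,
        "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                            "DataResources": [{"Type": "AWS::S3::Object",
                                               "Values": ["arn:aws:s3:::"]}]}],
    },
    {   # member-account trail scoped to one bucket, read events only
        "Name": "audit-bucket-trail", "IsOrganizationTrail": False,
        "EventSelectors": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": False,
                            "DataResources": [{"Type": "AWS::S3::Object",
                                               "Values": ["arn:aws:s3:::audit-logs/"]}]}],
    },
]

def selector_covers_bucket(selector, bucket):
    """True if a classic event selector logs object events for every object in the bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}/"
    for res in selector.get("DataResources", []):
        if res.get("Type") != "AWS::S3::Object":
            continue
        for value in res.get("Values", []):
            # "arn:aws:s3:::" selects all buckets; otherwise the value must name this bucket
            if value == "arn:aws:s3:::" or value in (bucket_arn, bucket_arn[:-1]):
                return True
    return False

def object_logging_enabled(bucket, kind, trails=TRAILS, include_org_trails=True):
    """kind is 'read' or 'write'; include_org_trails=False reproduces the pre-change check."""
    wanted = {"read": {"All", "ReadOnly"}, "write": {"All", "WriteOnly"}}[kind]
    for trail in trails:
        if trail["IsOrganizationTrail"] and not include_org_trails:
            continue  # the old check only looked at trails configured in the member account
        for sel in trail["EventSelectors"]:
            if sel.get("ReadWriteType", "All") in wanted and selector_covers_bucket(sel, bucket):
                return True
    return False

def s3_rule_results(bucket, trails=TRAILS, include_org_trails=True):
    """Outcome of the two Rules (write / read object-level logging) for one bucket."""
    return {k: object_logging_enabled(bucket, k, trails, include_org_trails) for k in ("write", "read")}
```

With the constructed data, a bucket covered only by the Organization trail passes the write-events Rule after the change and fails it under the old logic.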

Changes to GET/20190206/groups API

As announced on 19th April 2023, the GET /20190206/groups/{group_id} route now returns a 404 HTTP status code if the group_id provided has the status of DELETED or does not exist.

Previously, the archived record would be returned for a deleted group and "Groups": [] would be returned if the group did not exist.

Changes to GET/20190206/users API

As announced on 6th April 2023, the following changes were made to the GET /20190206/users API route:

  1. This route no longer returns API tokens. The GET /20190206/api-tokens route should be used instead

  2. This route no longer returns DELETED users by default. The previous behavior was to return all users regardless of their status. To get a list of deleted users, you will need to explicitly request it with the status_filter query string, e.g. /users?status_filter=DELETED

  3. The GET /20190206/users/{user_id} route now returns a 404 HTTP status code if the user_id provided has the status of DELETED. Previously, this would return the archived record

Changes to Rule - Ensure that public access is not given to RDS Instance

On 10 May 2023, a fix will be released for Rules that check whether RDS instances are publicly accessible via a VPC.

Currently, the listed Rules include a check that incorrectly marks an RDS database as public if the RDS instance in a VPC subnet has a default route CIDR block of 0.0.0.0/0. This check is invalid because the default route must also be configured with an internet gateway as the target to be publicly accessible.

Bundle Name                      Rule
CIS Benchmark Version 1.5.0      CIS 2.3.3 - Ensure that public access is not given to RDS Instances
                                 (This Rule also checks if the Publicly Accessible flag is disabled.)
Organization Rules/Rule Catalog  Ensure that public access is not given to RDS Instance via VPC
                                 (This Rule also checks if the RDS Instance Public Accessible setting is disabled.)
                                 RDS instances in a subnet should not have internet access
APRA Version 1.0                 RDS instances should not exist in public subnets
RDS Best Practice Version 1.0    RDS instances in a subnet should not have internet access

After the change, these Rules will pass if the below condition is met:

  • The RDS instance subnet does not allow public egress via a default route (CIDR block of 0.0.0.0/0) with an internet gateway as the target.

This change may affect the compliance score of the listed Rules.
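As an added example (not Stax's own code), the corrected subnet evaluation described in this entry and in the earlier "Changes to Rule" entry, beside the pre-fix check it replaces: a subnet is only public when its effective route table has a 0.0.0.0/0 route whose target is an internet gateway, and a NAT gateway default route no longer counts. The route tables are constructed to resemble EC2 DescribeRouteTables output, and the instance record's PubliclyAccessible and SubnetIds fields (the subnets of its DB subnet group) are assumptions.

```python
# Added example (not Stax code); route tables constructed, shaped like DescribeRouteTables output.
ROUTE_TABLES = [
    {   # explicitly associated with subnet-a: default route to an internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
        ],
    },
    {   # subnet-b: default route to a NAT gateway (outbound only, not publicly reachable)
        "RouteTableId": "rtb-nat",
        "Associations": [{"SubnetId": "subnet-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"},
        ],
    },
    {   # main route table: applies to subnets with no explicit association (e.g. subnet-c)
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

def route_table_for(subnet_id, route_tables=ROUTE_TABLES):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            return rtb
    return next((r for r in route_tables if any(a.get("Main") for a in r["Associations"])), None)

def default_routes(subnet_id, route_tables=ROUTE_TABLES):
    rtb = route_table_for(subnet_id, route_tables)
    return [r for r in rtb["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"] if rtb else []

def subnet_is_public_old(subnet_id, route_tables=ROUTE_TABLES):
    """Pre-fix logic: any 0.0.0.0/0 route marked the subnet public (false positive for NAT)."""
    return bool(default_routes(subnet_id, route_tables))

def subnet_is_public(subnet_id, route_tables=ROUTE_TABLES):
    """Corrected logic: the default route must target an internet gateway (igw-...)."""
    return any(r.get("GatewayId", "").startswith("igw-") for r in default_routes(subnet_id, route_tables))

def rds_instance_is_public(instance, route_tables=ROUTE_TABLES):
    """Fails if PubliclyAccessible is set or any subnet of the DB subnet group has an IGW default route."""
    return bool(instance["PubliclyAccessible"]) or any(
        subnet_is_public(s, route_tables) for s in instance["SubnetIds"])
```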

PCI DSS v3.2.1 Rule Bundle available

The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 Rule Bundle is now available to all organizations. This Bundle is designed to help customers maintain the security of cardholder data and protect against fraudulent activities.

The new PCI DSS Rule Bundle includes over 40 controls across 17 AWS services and 17 new rules.

Add the Bundle to Stax to get going. Once added, Stax will perform an initial evaluation and populate the Rules page with new results. You can filter the page to show only results from the PCI DSS if preferred. Read more about the Stax PCI DSS Rule Bundle here. Alternatively, to add the new rules to your Organization Rule Bundle, head to the Rules Catalog page.

Update to Rule - S3 enforces object encryption

The Rule "S3 enforces object encryption" has been renamed to "Ensure all S3 buckets employ server-side encryption-at-rest" in the S3 Best Practices and Organization bundles. This change aligns the rule name across bundles, making it easier for customers to search for this rule across bundles.

It's important to note that the name of the rule has not been changed in the CIS Benchmark bundle to align with the standard's specification.