On 15 May 2023, a change will be released for the listed Rules that check if object-level logging is enabled for S3 buckets.

Currently, S3 buckets in Stax-managed member accounts will fail the check even when the required CloudTrail S3 data event logging is enabled, because Stax follows AWS best practices and configures CloudTrail at the Organization-level, not within every individual member account.

After the change, this Rule will detect when S3 data event logging is enabled on CloudTrail trails configured in member accounts as well as when configured on Organization-level CloudTrail trails.

By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.

As announced on 19th April 2023, the GET /20190206/groups/{group_id} route now returns a 404 HTTP status code if the group_id provided has the status of DELETED or does not exist.

Previously, the archived record would be returned for a deleted group and "Groups": [] would be returned if the group did not exist.

As announced on 6th April 2023, the following changes were made to the GET /20190206/users API route:

1. This route no longer returns API tokens. The GET /20190206/api-tokens route should be used instead

2. This route no longer returns DELETED users by default. The previous behavior was to return all users regardless of their status. To get a list of deleted users, you will need to explicitly request it with the status_filter query string, e.g. /users?status_filter=DELETED

3. The GET /20190206/users/{user_id} route now returns a 404 HTTP status code if the user_id provided has the status of DELETED. Previously, this would return the archived record

On 10 May 2023, a fix will be released for Rules that check that RDS instances are publicly accessible via a VPC.

Currently, the listed Rules include a check that incorrectly marks an RDS database as public if the RDS instance in a VPC subnet has a default route CIDR block of 0.0.0.0/0. This check is invalid because the default route must also be configured with an internet gateway as the target to be publicly accessible.

After the change, these Rules will pass if the below** condition is met:**

• The RDS instance subnet does not allow public egress via a default route (CIDR block of 0.0.0.0/0) with an internet gateway as the target.

This change may impact the compliance score of the impacted rules.

The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 Rule Bundle is now available to all organizations. This Bundle is designed to help customers maintain the security of cardholder data and protect against fraudulent activities.

The new PCI DSS Rule Bundle includes over 40 controls across 17 AWS services and 17 new rules.

Add the Bundle to Stax to get going. Once added, Stax will perform an initial evaluation and populate the Rules page with new results. You can filter the page to show only results from the PCI DSS if preferred. Read more about the Stax PCI DSS Rule Bundle here.  Alternatively, to add the new rules to your Organization Rule Bundle, head to the Rules Catalog page.

The Rule*** S3 enforces object encryptionhas been renamed to *** ***Ensure all S3 buckets employ server-side encryption-at-rest, ***in the S3 Best Practices and Organization bundles. This change helps to align the rule name across different bundles making it easier for customers to search for this rule across bundles.

It's important to note that the name of the rule has not been changed in the CIS Benchmark bundle to align with the standard's specification.

The Compliance Summary Report which is available in Excel format, now includes the On this status since* data for every Rule's resources. The On this status sincefield ***can be found on the Rule Details page and represents the date and time in UTC when the resource's current status was detected.

To access the Compliance Summary Report, navigate to the Rules page and select the download icon on the top right of the page.

The Rule*** RDS instances should be running the latest available major version ***has been renamed to ***Rule RDS instances should be running the latest available major and minor version. ***This change makes the rule name more descriptive and clarifies that the rule validates that RDS instances are running both the latest major and minor available release.

Organizations with a resold account ownership model, now have access to Stax-managed Cost and Usage Reports (CUR) in S3, in both CSV and parquet formats. Find out more here.

On 1 May 2023 at 1300 UTC (2 May 2023 at 2300 AEST), the GET /20190206/groups/{group_id} route will return a 404 HTTP status code if the group_id provided has the status of DELETED or does not exist.

Previously, the archived record would be returned for a deleted group and "Groups": [] would be returned if the group did not exist.