Added
View All Tags
The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 Rule Bundle is now available in private preview. This Bundle is designed to help organizations maintain the security of cardholder data and protect against fraudulent activities.
The preview Bundle version provides access to a subset of the full set of Rules and guidelines that will be included in the final release. Read more here.
It's now possible to discover AWS accounts in your AWS organization that are not yet managed by Stax within the Stax Console. See the documentation on how to run account discovery*.*
Stax has introduced support for the Center for Internet Security's Amazon Web Services Foundations Benchmark version 1.5.0. This introduces the following changes over the previous iteration, version 1.4.0:
Three new rules were added to the Benchmark:
2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
2.3.3 Ensure that public access is not given to RDS Instance
2.4.1 Ensure that encryption is enabled for EFS file systems
4.16 Ensure AWS Security Hub is enabled
5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports
One rule has been changed:
3.8 Ensure rotation for customer created symmetric CMKs is enabled
The Rule Bundle cannot validate all components of the Benchmark, so the following items must be evaluated manually:
1.1: Maintain current contact details
1.2: Ensure security contact information is registered
1.3: Ensure security questions are registered in the AWS account
1.18: Ensure IAM instance roles are used for AWS resource access from instances
1.21: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
2.1.4: Ensure all data in Amazon S3 has been discovered, classified and secured when required
5.4: Ensure routing tables for VPC peering are "least access"
To enable this new version of the Bundle, see Keep Bundles Up To Date. If you have automatic updates enabled on the CIS Benchmark Bundle, Stax will automatically update you to version 1.5.0.
SCIM is now supported for organizations using Azure AD. See the step-by-step instructions on how to configure your Azure AD instance to sync users and groups into Stax.
As part of the improvements to the creation and scheduling of tasks with the Tasks API, a new OperationStatusof CREATEDhas been added to the API. Read more.
As part of the release of Stax-managed Security Hub a new rule, Security Hub should be enabled for all regions in an account, has been added to the Stax Foundation Compliance Rule Bundle to help you follow recommended best practices.
This compliance score is displayed on the Accounts page. If you've noticed a drop in this score, this may indicate that AWS Security Hub is not configured in that account.
To easily remediate this, configure Stax-managed Security Hub to enable the service across all accounts and supported regions.
Stax has released Stax-managed Security Hub which gives you the ability to configure AWS Security Hub and its prepackaged standards for all accounts in your AWS Organization within all supported regions.
See Using Stax-managed Security Hub for details on how to enable it.
The Stax Foundation Compliance Rule Bundle is a collection of AWS Well-Architected, CIS AWS Foundations Benchmark and Stax best-practice security controls, which helps you to track the safety and security of your accounts. It helps you to assess the compliance of your AWS accounts against enterprise-grade security controls that are applied to Stax-managed resources by default.
For organizations whose AWS accounts are Stax-managed, this Rule Bundle is already enabled. For organizations who are subscribed only to the Cost & Compliance module, head to the Rules Bundle page within the Stax Console to active the Stax Foundation Compliance Rule Bundle.
The Data page now includes additional AWS Fargate cost data allowing you to differentiate between on-demand and spot usage of Fargate.
On the Data page, filter by AWS Service: Fargate to see the usage codes (cpu_usage, memory_usage, and data_storage) split by on-demand or spot Payment Option Code.
The Wastage feature in the Cost module now supports the Memory % Committed Bytes In Use AWS CloudWatch Agent memory metric when evaluating utilization of EC2 Windows instances. Read more.