stax2aws v1.5.4 released
Version 1.5.4 of stax2aws has been released. See how to upgrade stax2aws.
Changes:
- Windows binaries are now signed
- Updated dependencies and security patches
Stax is updating its existing implementation of the AWS S3 Block Public Access functionality.
Currently Stax will enable the AWS account level setting to Block Public Access in each of your Stax-managed AWS Accounts.
Going forward Stax will apply this protection using the recently announced organization-level enforcement with an Organization S3 Policy.
You can read more about the AWS Announcement here.
Stax will now automatically create a new empty Organization S3 Policy named stax-managed-policy within your AWS Organization. This S3 Policy will be automatically attached to the Root of the AWS Organization. When you enable this protection Stax will set the public_access_block_configuration to all.
For more information on enabling this, refer to the documentation on Configure AWS Accounts.
If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.
Stax is adding additional write permissions to the S3 Bucket Policy of the AWS CloudTrail stax-assurance-cloudtrail S3 logging destination. These additional permissions will allow you to leverage the existing Customer managed AWS KMS key and Trail log bucket for additional CloudTrail Trails for the purpose of capturing highly configurable Data events.
Please see AWS CloudTrail for additional details and configuration steps.
On Tuesday 7th October 2025, Stax will be removing legacy resources in your Stax-managed AWS Accounts that exist to meet an earlier version of the CIS AWS Foundations Benchmark.
New resources will be deployed that make use of AWS Organization features to centralize these recommendations to the Management and Security AWS Accounts.
These changes aim to reduce the time taken to perform Stax Assurance and the number of Stax-managed resources in your AWS Accounts. This will in turn decrease the cost of your AWS Accounts.
A new SNS Topic named stax-cis-benchmark will be created in the Security account. All CIS recommendations will forward their alarm state to this SNS Topic.
If you are currently subscribed to the existing decentralized stax-assurance-cis-benchmark-EventIngestTopic SNS Topics in each AWS account, you must create a new subscription to the new topic.
You can read more about how Stax and the CIS AWS Foundations Benchmark work together.
If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.
Stax currently configures your AWS Accounts to automatically disable unused IAM credentials after 90 days to comply with a previous version of the CIS AWS Foundations Benchmark.
To meet newer versions of the CIS AWS Foundations Benchmark and other frameworks, Stax will be lowering the current 90 days to 45 days. You can read more about this at IAM Control and the docs.
This change will be automatically deployed to all AWS Accounts on the 17th September 2025.
If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.
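To see which credentials the lower threshold newly catches, the following added example (not Stax's own code) reads an IAM credential report and lists credentials idle for more than 45 but at most 90 days. The page does not say how Stax measures "unused", so ageing never-used credentials from their last change or rotation date and the exact day boundaries are assumptions, and the report rows are constructed sample data.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report CSV layout, trimmed to the
# columns read below (a real report carries more, including access_key_2_*).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,2025-09-10T08:00:00+00:00,2025-01-05T08:00:00+00:00,false,N/A,N/A
bob,true,2025-07-20T08:00:00+00:00,2025-01-05T08:00:00+00:00,true,2025-02-01T08:00:00+00:00,2025-07-01T08:00:00+00:00
ci-deploy,false,N/A,N/A,true,2025-07-25T08:00:00+00:00,N/A
carol,true,no_information,2025-05-01T08:00:00+00:00,false,N/A,N/A
"""

def parse_ts(value):
    """Aware datetime, or None for N/A, no_information and not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def idle_days(last_used, fallback, now):
    # Assumption: a credential that was never used is aged from the date it
    # was last changed or rotated.
    ref = parse_ts(last_used) or parse_ts(fallback)
    return None if ref is None else (now - ref).days

def newly_affected(report_csv, now, old=90, new=45):
    """Credentials idle more than `new` but at most `old` days."""
    hits = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        creds = []
        if row["password_enabled"] == "true":
            creds.append(("password", row["password_last_used"], row["password_last_changed"]))
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") == "true":
                creds.append((f"access_key_{n}", row[f"access_key_{n}_last_used_date"],
                              row[f"access_key_{n}_last_rotated"]))
        for name, used, fallback in creds:
            days = idle_days(used, fallback, now)
            if days is not None and new < days <= old:
                hits.append((row["user"], name, days))
    return hits

if __name__ == "__main__":
    cutover = datetime(2025, 9, 17, tzinfo=timezone.utc)
    for user, cred, days in newly_affected(SAMPLE_REPORT, cutover):
        print(f"{user}: {cred} idle {days} days")
```

A real report can be produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report`; its Content field is base64-encoded CSV.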
Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. To improve security and consistency, the existing roles used by Stax Assurance and its associated components will be replaced with new roles with fine-grained permissions.
These new roles will be prefixed with the IAM Path /stax/automation/ and have been added to the list of Stax Management Roles.
As a precaution both the existing and new roles will co-exist for a transition period, after which the existing roles will be removed from AWS Accounts. There is no expected interruption to service as a result of these changes.
This change will occur commencing 2025-08-05 and is expected to be completed by the end of the week on 2025-08-15.
The Activity Feed on the Stax Organization page has been enhanced to include additional context and information, including Tasks activity. The feed now also supports filtering and pagination, and is accessible via the API.
Visit Activity Feed in the docs to learn more.
To support the use of IAM Access Analyzer policy generation, changes are being introduced to the way Stax configures certain policies in AWS, as summarised below. These changes are not expected to cause any operational impact; however, some security tools may make a note of their alteration.
On 6 February 2025 at 2200 UTC (Friday, 7 February 9:00 AM AEDT), these changes will commence rolling out across Stax-managed AWS Organizations. The rollout is expected to complete within 3 hours, by 7 February 2025 at 0100 UTC.
- /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
- /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
- /service-role/AccessAnalyzerMonitorServiceRole_stax is added to each Stax-managed AWS Account for use by IAM Access Analyzer Policy generation
For more information about the Stax configuration, see Using IAM Access Analyzer Policy Generation with Stax.
Please raise a support case or contact your Customer Success Manager if you have any questions.
Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. As part of our ongoing evergreen initiative, the existing roles used by Stax Assurance and its associated components will be refined to improve security and consistency.
To support this activity, changes will be made to the Stax-managed Service Control Policies for Global Protection in Stax-managed AWS Organizations, and new IAM roles will be created under the /stax path in Stax-managed accounts.
These actions will take place throughout February 2025. There is no expected interruption to service as a result of these changes.
Version 1.5.2 of stax2aws has been released. See how to upgrade stax2aws.
Changes: