104 posts tagged with "Changed"

To support the use of IAM Access Analyzer policy generation, changes are being introduced to the way Stax configures certain policies in AWS, as summarised below. These changes are not expected to cause any operational impact, however some security tools may make a note of their alteration.

On 6 February 2025 at 2200 UTC (Friday, 7 February 9:00 AM AEDT), these changes will commence rolling out across Stax-managed AWS Organizations. The rollout is expected to complete within 3 hours, complete by 7 February 2025 at 0100 UTC.

• The Stax-managed CloudTrail S3 bucket now disables ACLs to align with AWS's S3 recommendedations and bucket defaults
• An additional statement is added to the CloudTrail S3 Bucket Policy to allow read access to the CloudTrail bucket for the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
• An additional statement is added to the CloudTrail KMS Key Policy to allow decryption by the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
• A new role named /service-role/AccessAnalyzerMonitorServiceRole_stax is added to each Stax-managed AWS Account for use by IAM Access Analyzer Policy generation

For more information about the Stax configuration, see Using IAM Access Analyzer Policy Generation with Stax.

Please raise a support case or contact your Customer Success Manager if you have any questions.

Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. As part of our ongoing evergreen initiative, the existing roles used by Stax Assurance and its associated components will be refined to improve security and consistency.

To support this activity, changes will be made to the Stax-managed Service Control Policies for Global Protection in Stax-managed AWS Organizations, and new IAM roles will be created under the /stax path in Stax-managed accounts.

These actions will take place throughout February 2025. There is no expected interruption to service as a result of these changes.

Version 1.5.2 of stax2aws has been released. See how to upgrade stax2aws.

Changes:

• Updated dependencies and security patches
• Internal tooling improvements

To improve the performance of Stax Workloads deployment and update operations, concurrency capacity for these operations has been increased by 200%.

Organizations utilizing Workloads should now find that bulk Workloads operations complete more quickly.

Version 1.5.0 of stax2aws has been released. See how to upgrade stax2aws.

Changes:

• simplified the OAuth 2.0 device authorization implementation

  • support added for native OAuth 2.0 device authorization grant
  • support for custom Stax device flow authorization grant removed

• updated dependencies and security patches

As announced on 17 January 2024, Stax has implemented a change in Stax-managed AWS Config to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region only.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions.

Importantly, this change will not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that recording of global resources is only required in one region. For more details, refer to the CIS AWS Benchmark.

Impact of change

• Customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.

• Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:

- AWS Config Rules and Global Resource Types

- Security Hub controls that you might want to disable

On 23 January 2024, Stax will implement a change to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions. Additionally, this change may help customers in reducing their AWS Config costs.

Importantly, this change does not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that including global resources related to IAM resources is required in only one region. For more details, refer to the CIS AWS Benchmark.

Impact of change

• After the change, customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.
• Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides: - AWS Config Rules and Global Resource Types - Security Hub controls that you might want to disable

A number of Rule names have been updated to improve usability and standardize rule names across all Rule Bundles. To find out more, visit the Stax Compliance module guide.

As part of our ongoing maintenance and improvement of rules and rule bundles, we are updating rules related to AWS CloudTrail log metric filters. This change will offer a shift towards organization-level CloudTrail configurations, enabling enhanced security and manageability for your resources.

Please be aware that the existing rules will be deprecated in the following bundles:

• AWS FTR version 1.0.0

• CIS Benchmark from version 1.1.0 to 1.5.0

• Organization Rules

• S3 Best Practice version 1.0 and version 1.1

• Stax Foundation Compliance version 1.0

The deprecated rules are as follows:

• Ensure a log metric filter and alarm exist for AWS Config configuration changes,

• Ensure a log metric filter and alarm exist for AWS Management Console authentication failures,

• Ensure a log metric filter and alarm exist for Management Console sign-in without MFA,

• Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL),

• Ensure a log metric filter and alarm exist for changes to network gateways,

• Ensure a log metric filter and alarm exist for CloudTrail configuration changes,

• Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs,

• Ensure a log metric filter and alarm exist for IAM policy changes,

• Ensure a log metric filter and alarm exist for route table changes,

• Ensure a log metric filter and alarm exist for S3 bucket policy changes,

• Ensure a log metric filter and alarm exist for security group changes,

• Ensure a log metric filter and alarm exist for unauthorized API calls,

• Ensure a log metric filter and alarm exist for usage of root user credentials,

• Ensure a log metric filter and alarm exist for VPC changes

The newly introduced rules will take their place with the following rule names respectively:

• CloudTrail should have a log metric filter for AWS Config changes,

• CloudTrail should have a log metric filter for Console authentication failures,

• CloudTrail should have a log metric filter for Console sign-in without MFA,

• CloudTrail should have a log metric filter for NACL changes,

• CloudTrail should have a log metric filter for Network Gateway changes,

• CloudTrail should have a log metric filter for CloudTrail configuration changes,

• CloudTrail should have a log metric filter for scheduled deletion of customer-created CMKs,

• CloudTrail should have a log metric filter for IAM policy changes,

• CloudTrail should have a log metric filter for route table changes,

• CloudTrail should have a log metric filter for s3 bucket policy changes,

• CloudTrail should have a log metric filter for security group changes,

• CloudTrail should have a log metric filter for unauthorized API calls,

• CloudTrail should have a log metric filter for root user credentials,

• CloudTrail should have a log metric filter for VPC changes

Please note that the check history for the deprecated rules will not be kept.

If you have any questions about this change and what it means for you, please contact support.

Stax has released a new version of the Cost & Compliance module's service and billing roles, version 33. The following permissions have been added to the roles:

• backup:Describe*

• backup:Get*

• backup:List*

• cloudtrail:List*

• waf-regional:Get*

• waf-regional:List*

If your AWS accounts are Stax-managed, then you don't need to take any action. Stax will automatically update this role in the coming days.

If you're subscribed only to the Stax Cost & Compliance module, you will need to apply the update yourself.

For any questions about this change, or if you need assistance deploying the updated role, please raise a support case.