
106 posts tagged with "Changed"


Stax New Managed IAM Roles

Stax Team

Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. To improve security and consistency, the existing roles used by Stax Assurance and its associated components will be replaced with new roles with fine-grained permissions.

These new roles will be prefixed with the IAM Path /stax/automation/ and have been added to the list of Stax Management Roles.

As a precaution both the existing and new roles will co-exist for a transition period, after which the existing roles will be removed from AWS Accounts. There is no expected interruption to service as a result of these changes.

This change will commence on 2025-08-05 and is expected to be completed by the end of the week on 2025-08-15.

Activity Feed Improvements

Stax Team

The Activity Feed on the Stax Organization page has been enhanced to include additional context and information, including Tasks activity. The feed now also supports filtering and pagination, and is accessible via the API.

Visit Activity Feed in the docs to learn more.

Changes to S3, KMS, and IAM Policies to facilitate IAM Access Analyzer policy generation

Stax Team

To support the use of IAM Access Analyzer policy generation, changes are being introduced to the way Stax configures certain policies in AWS, as summarised below. These changes are not expected to cause any operational impact; however, some security tools may flag the altered policies.

On 6 February 2025 at 2200 UTC (Friday, 7 February 9:00 AM AEDT), these changes will commence rolling out across Stax-managed AWS Organizations. The rollout is expected to complete within 3 hours, finishing by 7 February 2025 at 0100 UTC.

  • The Stax-managed CloudTrail S3 bucket now disables ACLs to align with AWS's S3 recommendations and bucket defaults
  • An additional statement is added to the CloudTrail S3 Bucket Policy to allow read access to the CloudTrail bucket for the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
  • An additional statement is added to the CloudTrail KMS Key Policy to allow decryption by the /service-role/AccessAnalyzerMonitorServiceRole* IAM role pattern
  • A new role named /service-role/AccessAnalyzerMonitorServiceRole_stax is added to each Stax-managed AWS Account for use by IAM Access Analyzer Policy generation
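The bucket and key policy statements described above both hinge on scoping access to the /service-role/AccessAnalyzerMonitorServiceRole* role pattern rather than to a whole account. The following is an added illustration of that shape and is not Stax's actual policy configuration: the account ID, bucket name and statement IDs are placeholders, and the `ArnLike` matcher is a small local re-implementation used only to show which principals the condition admits and which it rejects.

```python
"""Illustrative CloudTrail bucket-policy and KMS key-policy statements scoped to the
IAM Access Analyzer service-role pattern, plus a matcher for the ArnLike condition.
Added example; not Stax's real policy documents. Account ID and bucket are placeholders."""
import json
import re

ACCOUNT_ID = "111122223333"           # placeholder account ID
BUCKET = "example-cloudtrail-bucket"  # placeholder bucket name
# Role pattern from the announcement, anchored to one account and the service-role path.
ROLE_PATTERN = f"arn:aws:iam::{ACCOUNT_ID}:role/service-role/AccessAnalyzerMonitorServiceRole*"


def bucket_policy_statement():
    """S3 bucket policy statement: read access, narrowed by aws:PrincipalArn to the role pattern."""
    return {
        "Sid": "AllowAccessAnalyzerPolicyGenerationRead",  # placeholder Sid
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"ArnLike": {"aws:PrincipalArn": ROLE_PATTERN}},
    }


def kms_key_policy_statement():
    """KMS key policy statement: decrypt only, with the same principal constraint."""
    return {
        "Sid": "AllowAccessAnalyzerPolicyGenerationDecrypt",  # placeholder Sid
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:Decrypt",
        "Resource": "*",  # in a key policy, "*" means this key
        "Condition": {"ArnLike": {"aws:PrincipalArn": ROLE_PATTERN}},
    }


def arn_like(pattern, arn):
    """Evaluate an IAM ArnLike pattern: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def statement_admits(statement, principal_arn):
    """True if the statement's ArnLike condition on aws:PrincipalArn admits the principal.
    For an assumed-role session, aws:PrincipalArn carries the role ARN, so the pattern
    applies to sessions of the role as well as to the role itself."""
    pattern = statement["Condition"]["ArnLike"]["aws:PrincipalArn"]
    return arn_like(pattern, principal_arn)


if __name__ == "__main__":
    print(json.dumps({"Version": "2012-10-17", "Statement": [bucket_policy_statement()]}, indent=2))
    print(json.dumps({"Version": "2012-10-17", "Statement": [kms_key_policy_statement()]}, indent=2))
    same_account = f"arn:aws:iam::{ACCOUNT_ID}:role/service-role/AccessAnalyzerMonitorServiceRole_stax"
    other_account = "arn:aws:iam::999988887777:role/service-role/AccessAnalyzerMonitorServiceRole_stax"
    print(statement_admits(bucket_policy_statement(), same_account))   # True
    print(statement_admits(bucket_policy_statement(), other_account))  # False
```

The point worth checking in review is the rejection cases: a role of the same name in another account, or a role with the same name outside the /service-role/ path, does not satisfy the condition, so the grant is no broader than the announcement states.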

For more information about the Stax configuration, see Using IAM Access Analyzer Policy Generation with Stax.

Please raise a support case or contact your Customer Success Manager if you have any questions.

Stax Managed IAM Role Improvements

Stax Team

Stax uses IAM role assumption to access and manage accounts within Stax-managed AWS Organizations. As part of our ongoing evergreen initiative, the existing roles used by Stax Assurance and its associated components will be refined to improve security and consistency.

To support this activity, changes will be made to the Stax-managed Service Control Policies for Global Protection in Stax-managed AWS Organizations, and new IAM roles will be created under the /stax path in Stax-managed accounts.

These actions will take place throughout February 2025. There is no expected interruption to service as a result of these changes.

Workloads concurrency increased

Stax Team

To improve the performance of Stax Workloads deployment and update operations, concurrency capacity for these operations has been increased by 200%.

Organizations utilizing Workloads should now find that bulk Workloads operations complete more quickly.

stax2aws v1.5.0 released

Stax Team

Version 1.5.0 of stax2aws has been released. See how to upgrade stax2aws.

Changes:

  • simplified the OAuth 2.0 device authorization implementation

    • support added for native OAuth 2.0 device authorization grant
    • support for custom Stax device flow authorization grant removed
  • updated dependencies and security patches

Changes to Stax-managed AWS Config global resources recording configuration

Stax Team

As announced on 17 January 2024, Stax has implemented a change in Stax-managed AWS Config to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region only.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions.

Importantly, this change will not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that recording of global resources is only required in one region. For more details, refer to the CIS AWS Benchmark.

Impact of change

  • Customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.

  • Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:

    • AWS Config Rules and Global Resource Types
    • Security Hub controls that you might want to disable

Changes to Stax-managed Config

Stax Team

On 23 January 2024, Stax will implement a change to restrict the recording of global resources, such as IAM users, groups, roles, and customer-managed policies, to your Stax Installation Region.

This change aligns with AWS Config best practices recommending the recording of global resources in a single region to prevent redundant copies of IAM configuration items across all regions. Additionally, this change may help customers in reducing their AWS Config costs.

Importantly, this change does not affect customer compliance with the CIS AWS Foundations Benchmark v1.2.0 and later control - “Ensure AWS Config is enabled in all regions”. The CIS AWS Benchmark’s Audit procedure specifies that including global resources related to IAM resources is required in only one region. For more details, refer to the CIS AWS Benchmark.

Impact of change

  • After the change, customers can expect a reduction in the number of redundant copies of IAM configuration items stored in every region.
  • Customers using the CIS AWS Foundations Benchmark v1.2.0 and v1.4.0 in AWS Security Hub may observe a change in the compliance status of control: [Config.1] AWS Config should be enabled. This adjustment is attributed to the rule mandating the recording of global resources in all regions. For more information and guidance on suppressing findings for this control manually or through an automation rule, please visit the following AWS guides:

    • AWS Config Rules and Global Resource Types
    • Security Hub controls that you might want to disable
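Both Config announcements above describe the same target state: global resource types recorded in the Stax Installation Region only, which is what the CIS AWS Foundations Benchmark audit procedure accepts even though Security Hub's Config.1 control may report a change. Before suppressing that finding, a team will want to confirm the account actually is in that state. The following is an added example, not Stax code: it classifies an account's recorders using the `includeGlobalResourceTypes` flag from the AWS Config `describe_configuration_recorders` API. The sample recorder data is constructed, and the home region used in it is an assumption.

```python
"""Classify how an account records AWS Config global resource types across regions.
Added example, not Stax code. SAMPLE_RECORDERS is constructed data in the shape returned
by ConfigService.describe_configuration_recorders(); HOME_REGION is an assumed value."""

HOME_REGION = "ap-southeast-2"  # assumed Stax Installation Region for the sample

# Constructed sample: one recorder per region, global types recorded only in the home region.
SAMPLE_RECORDERS = {
    "ap-southeast-2": {"name": "default",
                       "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}},
    "us-east-1": {"name": "default",
                  "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
    "eu-west-1": {"name": "default",
                  "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
}


def regions_recording_global(recorders):
    """Sorted list of regions whose recorder includes global resource types (IAM users,
    groups, roles, customer managed policies). Regions with no recorder never qualify."""
    return sorted(
        region for region, rec in recorders.items()
        if rec.get("recordingGroup", {}).get("includeGlobalResourceTypes", False)
    )


def assess(recorders, home_region):
    """Return one of:
      'single-region'           global types recorded in the home region only (expected state)
      'single-region-elsewhere' recorded in exactly one region, but not the home region
      'redundant'               recorded in several regions (duplicate IAM configuration items)
      'missing'                 recorded nowhere; the CIS control is genuinely unmet
    """
    regions = regions_recording_global(recorders)
    if not regions:
        return "missing"
    if regions == [home_region]:
        return "single-region"
    if len(regions) == 1:
        return "single-region-elsewhere"
    return "redundant"


def fetch_recorders(regions):
    """Live variant (not exercised offline): collect the first recorder per region via boto3.
    Requires AWS credentials; returns the same dict shape as SAMPLE_RECORDERS."""
    import boto3  # imported here so the offline sample path has no dependency on it
    result = {}
    for region in regions:
        client = boto3.client("config", region_name=region)
        recorders = client.describe_configuration_recorders()["ConfigurationRecorders"]
        if recorders:
            result[region] = recorders[0]
    return result


if __name__ == "__main__":
    print(regions_recording_global(SAMPLE_RECORDERS))  # ['ap-southeast-2']
    print(assess(SAMPLE_RECORDERS, HOME_REGION))       # single-region
```

A result of `single-region` is the state the announcements describe and the one under which a Config.1 finding in Security Hub is a candidate for suppression; `redundant` or `missing` means the finding should be investigated rather than suppressed.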