107 posts tagged with "Changed"

As per item 2.8 of the CIS AWS Foundations Benchmark, all Customer Master Keys (CMKs) created by the Stax platform in customer AWS accounts now have automatic yearly rotation enabled.

This change does not impact CMKs created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

This change applies to the following CMKs in your AWS accounts:

• spotlight-etl-sns

• stax-alarm-sns-key

More info​

Below is an excerpt from the CIS AWS Foundations Benchmark document that provides some more context around this recommendation:

2.8 Ensure rotation for customer created CMKs is enabled

AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK keyrotation be enabled.

As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have enforced encryption of data in transit using HTTPS (TLS).

This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

This change applies to the following legacy S3 buckets in your AWS Accounts:

• juma-cloudtrail-*

• juma-cloudtrail-master-accesslogbucket-*

• juma-cloudtrail-master-jumaaccesslogbucket-*

• juma-jumatrail-*

• juma-config-*

• juma-session-manager-*

The following legacy S3 buckets will be removed in your AWS Accounts:

• stax-billing-*

• stax-billing-accesslogs-*

• juma-billing-*

Please note: The legacy S3 buckets that are removed contain only outdated billing information. These buckets have not been in use since February 2020 and as such no impact is expected by this removal. The best way to access your billing information is with Stax's Cost & Compliance module.

As per AWS best practices, all SNS topics created by the Stax platform in customer AWS Accounts have encryption enabled using KMS. One unused SNS Topic has been removed from accounts.

• Changed: Encrypted stax-assurance-cis-benchmark-EventIngestTopic topic in all accounts

• Changed: Encrypted staxtrail-<org-id> topic in logging account

• Changed: Encrypted cloudtrail-<org-id> topic in logging account

• Changed: Encrypted stax-assurance-event-processor-EventIngestTopic topic in security account

• Removed: stax-config-<org-id> topic in logging account, as it was not used

If you have your own sources publishing messages to these topics, you will need to configure the source with the right permissions to be able to continue publishing to the topic. For more information on this,see publishing to encrypted topics.

As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have enforced encryption of data in transit using HTTPS (TLS).

This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

This change applies to the following S3 buckets in your AWS Accounts:

• stax-cloudtrail-<org-id>

• stax-cloudtrail-accesslogs-<org-id>

• stax-staxtrail-<org-id>

• stax-staxtrail-accesslogs-<org-id>

• stax-config-<org-id>

• stax-config-accesslogs-<org-id>

• stax-billing-<org-id>

• stax-billing-accesslogs-<org-id>

• stax-session-manager-<org-id>

• stax-idam-waflogs-<account-id>

Stax has made it easier to attach and detach Stax Policies to/from your Stax Account Types using the Stax API.

Changed Error Code when validating Account Type or Policy​

If you attempt to attach a Policy to an Account Type and the Account Type or Policy does not already exist, the API will return a 404 (Not Found) response, instead of a generic 400 (Bad Request) response.

Added validation for attaching and detaching policies​

When you attach or detact a Policy to/from an Account Type, the Stax API will now verify if the Policy is already attached or detached. An error will be returned if this occurs.

Added validation for Stax Policies limits​

Only four Stax Policies can be attached to any specific Account Type. If you attempt to attach Policies that would exceed this limit, the API will now validate that and reject the request.

As per AWS best practices, all S3 buckets created by the Stax platform in customer AWS Accounts will have versioning enabled. This applies to both existing buckets and new buckets. This change will be progressively rolled out to all customers over the coming days.

This change does not impact buckets created by Stax customers either within the AWS Console/SDK/API, or via the Stax Workloads service.

The Users page has been updated to provide a richer and more seamless user experience. Updates to the page include filtering, which allows you to filter by a combination of Status, Role or Corporate ID, and additional messaging for managing federated users.

For more information about Users, head to the documentation.