
41 posts tagged with "Fix"

Fixes


Changes to Rule - DynamoDB point-in-time recovery is enabled

Stax Team

A fix has been applied to the Rule "DynamoDB point-in-time recovery is enabled", which was causing the control to incorrectly evaluate all DynamoDB resources as non-compliant. Following the fix, the Rule now accurately assesses resources as compliant when point-in-time recovery is enabled on DynamoDB tables.

Fix to Reserved Instance recommendations displayed in Stax

Stax Team

As announced on 04 September 2023, Stax has released a fix for an issue resulting in some out-of-date RI recommendations being collected from AWS member accounts.

Stax has released a change to only show RI recommendations that are less than 30 days old, making the current recommendations and savings opportunities more accurate. Customers may notice a decrease in the **Total Potential Yearly Saving** and a reduction in the number of savings opportunities displayed.

This change does not impact RI recommendations generated by Stax within the AWS management account, which are scoped to all accounts in the organization's consolidated billing family. These recommendations cover both the management account and member accounts and are refreshed daily.

Fix to Reserved Instance recommendations displayed in Stax

Stax Team

On 11 September 2023, Stax will be releasing a change to remediate an issue impacting Reserved Instance (RI) recommendations shown within the Reserved Instances tab on the Savings Plans & RIs page. This issue is resulting in some out-of-date RI recommendations being collected from AWS member accounts.

After the change, Stax will only show RI recommendations that are less than 30 days old, making the current recommendations and savings opportunities more accurate. Customers may notice a decrease in the **Total Potential Yearly Saving** and a reduction in the number of savings opportunities displayed.

This change does not impact RI recommendations generated by Stax within the AWS management account, which are scoped to all accounts in the organization's consolidated billing family. These recommendations cover both the management account and member accounts and are refreshed daily.

Changes to Rule - Unused Amazon EC2 Security Groups Should Be Removed

Stax Team

The "Unused Amazon EC2 security groups should be removed" rule is available to help organizations manage their use of security groups.

On 27 June 2023, a fix will be released to correct the outdated logic of this rule, which may impact related compliance scores.

The following bundles will be affected:

  • EC2 Best Practices (version 1.0)

  • APRA (versions 1.0, 1.1)

  • The custom organization-level rule, if in use

These changes will be applied automatically by Stax. No service impact is expected as a result of this update.

If you have any questions about this change and what it means for you, please contact support.

Organization-level CloudTrail configuration supported for object-level logging for S3 buckets Rules

Stax Team

As announced on 09 May 2023, a change has been released for the listed Rules that check if object-level logging is enabled for S3 buckets.

These Rules will now detect when S3 data event logging is enabled on CloudTrail trails configured in member accounts, as well as when it is configured on Organization-level CloudTrail trails.

| Bundle Name | Rule Name |
| --- | --- |
| Organization Bundle/catalog | Ensure that Object-level logging for write events is enabled for S3 bucket |
| | Ensure that Object-level logging for read events is enabled for S3 bucket |
| CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket |
| | CIS 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket |

By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.

Changes to Rule - Ensure that public access is not given to RDS Instance

Stax Team

As announced on 3 May 2023, a fix has been released to remediate an issue impacting several Rules that verify if RDS instances are publicly accessible.

Before the change, the Rules incorrectly marked RDS databases as public if the RDS instances were in a VPC subnet with a default route (CIDR block of 0.0.0.0/0). This check was invalid because a subnet is only publicly reachable when that default route also has an internet gateway as its target.

The Rule will now pass if the RDS instance subnet does not allow public egress via a default route (CIDR block of 0.0.0.0/0) with an internet gateway as the target. This change may have impacted the compliance score of the listed rules.

| Bundle | Rule Name |
| --- | --- |
| CIS Benchmark Version 1.5.0 | CIS 2.3.3 - Ensure that public access is not given to RDS Instances |
| Organization Rules/Rule Catalog | RDS instances in a subnet should not have internet access |
| APRA Version 1.0 | RDS instances should not exist in public subnets (this rule has been renamed to: RDS instances in a subnet should not have internet access) |
| RDS Best Practice Version 1.0 | RDS instances in a subnet should not have internet access |

Changes to Rules object-level logging for S3 buckets

Stax Team

On 15 May 2023, a change will be released for the listed Rules that check if object-level logging is enabled for S3 buckets.

Currently, S3 buckets in Stax-managed member accounts will fail the check even when the required CloudTrail S3 data event logging is enabled, because Stax follows AWS best practices and configures CloudTrail at the Organization-level, not within every individual member account.

After the change, these Rules will detect when S3 data event logging is enabled on CloudTrail trails configured in member accounts, as well as when it is configured on Organization-level CloudTrail trails.

| Bundle Name | Rule Name |
| --- | --- |
| Organization Bundle/catalog | Ensure that Object-level logging for write events is enabled for S3 bucket |
| | Ensure that Object-level logging for read events is enabled for S3 bucket |
| CIS Benchmark v1.3.0, v1.4.0 & v1.5.0 | CIS 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket |
| | CIS 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket |

By default, Stax does not configure S3 object-level logging for Stax-managed accounts. An S3 bucket with a high workload could quickly generate thousands of logs in a short amount of time, resulting in increased AWS costs. Find out more about Enabling CloudTrail event logging for S3 buckets and objects.
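To make the corrected logic concrete, the following is an added example (not Stax's own code) that decides whether CloudTrail captures read and write S3 data events for a bucket, counting member-account trails and organization trails alike. The pre-fix behaviour is modelled as an assumption (ignoring organization trails), the trail dicts follow the shape of the CloudTrail `DescribeTrails`/`GetEventSelectors` responses, and all sample data is constructed.

```python
# Added example (not Stax's code). Decides whether CloudTrail captures read and write
# S3 data events for a bucket, counting trails configured in the member account and
# organization trails alike, as the corrected Rules do. The old behaviour is modelled
# here (an assumption, not Stax's implementation) as ignoring organization trails.
# Trail dicts combine the shape of cloudtrail DescribeTrails and GetEventSelectors
# responses; all sample data is constructed.

ALL_BUCKETS = ("arn:aws:s3", "arn:aws:s3:::")   # selector values meaning "every bucket"

def selector_covers_bucket(selector, bucket_arn, kind):
    """True if this event selector logs `kind` ('read' or 'write') objects in the bucket."""
    rw = selector.get("ReadWriteType", "All")
    if (rw, kind) in (("ReadOnly", "write"), ("WriteOnly", "read")):
        return False
    for res in selector.get("DataResources", []):
        if res.get("Type") != "AWS::S3::Object":
            continue
        for value in res.get("Values", []):
            # whole-bucket or all-bucket values count; a key-prefix scope does not
            if value in ALL_BUCKETS or value.rstrip("/") == bucket_arn:
                return True
    return False

def bucket_logging_status(bucket_arn, trails, include_org_trails=True):
    """Return {'read': bool, 'write': bool} across the trails visible in the account."""
    status = {"read": False, "write": False}
    for trail in trails:
        if trail.get("IsOrganizationTrail") and not include_org_trails:
            continue   # pre-fix behaviour: only member-account trails were considered
        for selector in trail.get("EventSelectors", []):
            for kind in status:
                status[kind] = status[kind] or selector_covers_bucket(selector, bucket_arn, kind)
    return status

# Constructed sample: a member-account trail logging only writes for one bucket,
# plus an organization trail (owned by the management account) logging everything.
TRAILS = [
    {"Name": "member-trail", "IsOrganizationTrail": False, "EventSelectors": [
        {"ReadWriteType": "WriteOnly",
         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::app-data/"]}]}]},
    {"Name": "org-trail", "IsOrganizationTrail": True, "EventSelectors": [
        {"ReadWriteType": "All",
         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
]

if __name__ == "__main__":
    for bucket in ("arn:aws:s3:::app-data", "arn:aws:s3:::other-bucket"):
        print(bucket, "before:", bucket_logging_status(bucket, TRAILS, include_org_trails=False),
              "after:", bucket_logging_status(bucket, TRAILS))
```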

Changes to Rule - Ensure that public access is not given to RDS Instance

Stax Team

On 10 May 2023, a fix will be released for Rules that check whether RDS instances are publicly accessible via a VPC.

Currently, the listed Rules include a check that incorrectly marks an RDS database as public if the RDS instance is in a VPC subnet with a default route (CIDR block of 0.0.0.0/0). This check is invalid because a subnet is only publicly reachable when that default route also has an internet gateway as its target.

| Bundle Name | Rule |
| --- | --- |
| CIS Benchmark Version 1.5.0 | CIS 2.3.3 - Ensure that public access is not given to RDS Instances (this Rule also checks if the Publicly Accessible flag is disabled) |
| Organization Rules/Rule Catalog | Ensure that public access is not given to RDS Instance via VPC (this Rule also checks if the RDS Instance Public Accessible setting is disabled) |
| | RDS instances in a subnet should not have internet access |
| APRA Version 1.0 | RDS instances should not exist in public subnets |
| RDS Best Practice Version 1.0 | RDS instances in a subnet should not have internet access |

After the change, these Rules will pass if the below condition is met:

  • The RDS instance subnet does not allow public egress via a default route (CIDR block of 0.0.0.0/0) with an internet gateway as the target.

This change may affect the compliance score of the listed Rules.
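The subnet check described in this and the earlier RDS post, as an added example that is not Stax's own code: the old logic treated any 0.0.0.0/0 route as public, while the corrected logic also requires an internet gateway target, so a private subnet routing through a NAT gateway no longer fails. The dicts mirror the shape of the EC2 `DescribeRouteTables` and RDS `DescribeDBInstances` responses, and the route tables and instances are constructed.

```python
# Added example (not Stax's own code). Reproduces the corrected subnet check from
# the post: a subnet counts as public only when it has a 0.0.0.0/0 route whose target
# is an internet gateway (igw-*), not merely any 0.0.0.0/0 route. Dicts mirror the
# shape of ec2 DescribeRouteTables / rds DescribeDBInstances; sample data is constructed.

def subnet_has_internet_egress(route_table):
    """Corrected check: a default route AND an internet gateway as its target."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # ignore blackhole routes
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return True
    return False

def old_default_route_check(route_table):
    """The logic the fix replaced: any 0.0.0.0/0 route was treated as public."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               for r in route_table.get("Routes", []))

def rds_instance_is_public(instance, route_tables_by_subnet):
    """CIS 2.3.3 style: public if PubliclyAccessible is set or any subnet has IGW egress."""
    if instance.get("PubliclyAccessible", False):
        return True
    subnet_ids = [s["SubnetIdentifier"] for s in instance["DBSubnetGroup"]["Subnets"]]
    return any(subnet_has_internet_egress(route_tables_by_subnet[sid]) for sid in subnet_ids)

# Constructed sample: a private subnet whose default route points at a NAT gateway
# (what the old check wrongly flagged) and a genuinely public subnet.
ROUTE_TABLES = {
    "subnet-private": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
    ]},
    "subnet-public": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
    ]},
}
PRIVATE_DB = {"PubliclyAccessible": False,
              "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-private"}]}}
PUBLIC_DB = {"PubliclyAccessible": False,
             "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-public"}]}}

if __name__ == "__main__":
    print("old check, private subnet:", old_default_route_check(ROUTE_TABLES["subnet-private"]))
    print("private DB public?", rds_instance_is_public(PRIVATE_DB, ROUTE_TABLES))
    print("public DB public?", rds_instance_is_public(PUBLIC_DB, ROUTE_TABLES))
```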

Update to Rule - RDS instances should be running the latest available major version

Stax Team

The Rule **RDS instances should be running the latest available major version** has been renamed to **RDS instances should be running the latest available major and minor version**. This change makes the rule name more descriptive and clarifies that the rule validates that RDS instances are running both the latest major and minor available release.