
41 posts tagged with "Fix"

Fixes


Changes to Rules IAM Access Keys Are Active

Stax Team

Stax has released a fix to the following rules to remediate an issue resulting in access keys being incorrectly evaluated. This issue only affected the evaluation of credentials for IAM users with multiple access keys. This change may impact the compliance score of these rules.

| Bundle Name | Rule |
| --- | --- |
| IAM Best Practice Version 1.0 | IAM access keys should be actively used |
| APRA Version 1.0 & 1.1 | IAM access keys should be active |
| CIS Benchmark Version 1.1.0, 1.2.0, 1.3.0, 1.4.0 & 1.5.0 | CIS 1.14 - Ensure access keys are rotated every 90 days or less |
| Organization Rules/Rule Catalog | IAM API keys are active; Ensure access keys are rotated every 90 days or less |

Changes to Rules IAM Access Keys Are Active

Stax Team

On 21 March 2023, Stax will be releasing a fix to the following rules to remediate an issue resulting in access keys being incorrectly evaluated. This issue only affected the evaluation of credentials for IAM users with multiple access keys. This change may impact the compliance score of these rules.

| Bundle Name | Rule |
| --- | --- |
| IAM Best Practice Version 1.0 | IAM access keys should be actively used |
| APRA Version 1.0 & 1.1 | IAM access keys should be active |
| CIS Benchmark Version 1.1.0, 1.2.0, 1.3.0, 1.4.0 & 1.5.0 | CIS 1.14 - Ensure access keys are rotated every 90 days or less |
| Organization Rules/Rule Catalog | IAM API keys are active; Ensure access keys are rotated every 90 days or less |

Fix to rule EC2 instances do not use termination protection to ignore auto-scaled instances

Stax Team

Stax has released a change to the rule EC2 instances do not use termination protection in the EC2 Best Practice Rule Bundle. EC2 instances managed by an auto-scaling group will now be ignored by this rule as their creation and termination are managed automatically by this AWS service.

From today, organizations with this rule enabled, who are using EC2 Auto Scaling groups, can expect to see a decrease in the number of resources failing this rule and an increase in the overall compliance result of the rule.

Fix to rule EC2 instances do not use termination protection to ignore auto-scaled instances

Stax Team

On 27 February 2023, Stax will be making a change to the rule EC2 instances do not use termination protection in the EC2 Best Practice Rule Bundle which could impact the compliance score of this rule. After this date, EC2 instances managed by an auto-scaling group will be ignored by this rule as their creation and termination are managed automatically by this AWS service.

Organizations with this rule enabled who are using EC2 Auto Scaling groups can expect to see a decrease in the number of resources failing this rule and an increase in the overall compliance result of the rule.

CIS Benchmark version Rule Bundle update for unused credentials

Stax Team

A fix has been released to Rule CIS 1.12 - Ensure access keys are rotated every 90/45 days or less to remediate an issue resulting in access keys being incorrectly evaluated as failing. This issue only affected the evaluation of credentials for IAM users with multiple access keys.

If you have any questions, please raise a support case.

CIS Benchmark Rule update for Network ACL ingress allowed from all hosts

Stax Team

An update has been released for Rule *CIS 5.1 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports.* This rule will now flag a Network ACL (NACL) as failing when any of the following conditions are met:

  • There is a NACL rule allowing TCP traffic on SSH (port 22) to all hosts (0.0.0.0/0)

  • There is a NACL rule allowing TCP traffic on RDP (port 3389) to all hosts (0.0.0.0/0)

  • There is a NACL rule allowing all traffic on all ports to all hosts (Note: This will often be the case, as this is also the default setting.)

Before the update, this rule evaluated whether a NACL rule allowed TCP traffic on both the SSH and RDP ports to all hosts. This change will impact customers with the CIS Benchmark version 1.3.0 or 1.4.0 Rule Bundle enabled. Customers should expect a change in the compliance score of this rule.
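The three failing conditions above can be checked against NACL entries in the shape returned by the EC2 DescribeNetworkAcls API. This is an added example, not Stax's rule code: the function names, the `entry` helper and the sample NACLs are constructed for illustration, and it assumes that the presence of a matching ingress allow entry is enough to fail, without weighing rule-number ordering.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")

def failing_entries(nacl):
    """Return (rule_number, reason) for every entry that meets a failing condition."""
    findings = []
    for e in nacl["Entries"]:
        # Only inbound allow entries are relevant to this rule.
        if e["Egress"] or e["RuleAction"] != "allow":
            continue
        cidr = e.get("CidrBlock")  # IPv6 entries carry Ipv6CidrBlock instead
        if cidr is None or ipaddress.ip_network(cidr, strict=False) != ANY_IPV4:
            continue
        if e["Protocol"] == "-1":  # "-1" means all protocols, all ports
            findings.append((e["RuleNumber"], "all traffic on all ports"))
        elif e["Protocol"] == "6":  # "6" is TCP
            ports = e.get("PortRange", {"From": 0, "To": 65535})
            for port, name in ADMIN_PORTS.items():
                # A range such as 3000-4000 exposes 3389 just as a single-port rule does.
                if ports["From"] <= port <= ports["To"]:
                    findings.append((e["RuleNumber"], f"TCP port {port} ({name})"))
    return findings

def is_compliant(nacl):
    return not failing_entries(nacl)

def entry(number, protocol, action, cidr, ports=None, egress=False):
    """Build one constructed NACL entry for the samples below."""
    e = {"RuleNumber": number, "Protocol": protocol, "RuleAction": action,
         "CidrBlock": cidr, "Egress": egress}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e

# Constructed sample NACLs (not taken from any real account).
DEFAULT_NACL = {"Entries": [entry(100, "-1", "allow", "0.0.0.0/0"),
                            entry(32767, "-1", "deny", "0.0.0.0/0")]}
SSH_ONLY = {"Entries": [entry(100, "6", "allow", "0.0.0.0/0", (22, 22))]}
WIDE_RANGE = {"Entries": [entry(110, "6", "allow", "0.0.0.0/0", (3000, 4000))]}
RESTRICTED = {"Entries": [entry(100, "6", "allow", "10.0.0.0/8", (22, 22)),
                          entry(110, "6", "allow", "0.0.0.0/0", (443, 443)),
                          entry(120, "-1", "allow", "0.0.0.0/0", egress=True)]}

if __name__ == "__main__":
    for name in ("DEFAULT_NACL", "SSH_ONLY", "WIDE_RANGE", "RESTRICTED"):
        print(name, failing_entries(globals()[name]) or "compliant")
```

The `SSH_ONLY` sample fails on the SSH condition alone, without any matching RDP entry.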

CIS Benchmark version 1.4.0 Rule Bundle update for unused credentials

Stax Team

Stax has released an update to the CIS Benchmark version 1.4.0 bundle to align with a change introduced to rule 1.12 in the CIS 1.4 Amazon Web Services Foundation Benchmark specification.

The following rule has been removed from the CIS Benchmark version 1.4.0 Rule Bundle:

  • CIS 1.12 - Ensure access keys are rotated every 90 days or less

The following rule has been added to the CIS Benchmark version 1.4.0 Rule Bundle:

  • CIS 1.12 - Ensure credentials unused for 45 days or greater are disabled

To avoid any loss of historical compliance data, Stax has automatically added the removed rule to your Organization Rules Bundle for customers that had CIS1.4 enabled. If you do not wish to keep the rule, you can remove it from your Organization Rules Bundle by following the process to Disable a Rule.

Update to Rule - CloudFront distributions support insecure SSL protocols

Stax Team

The Rule CloudFront distributions support insecure SSL protocols has been updated to evaluate that Amazon CloudFront distributions are configured with TLSv1.2 as the minimum protocol version. CloudFront distributions configured with insecure or deprecated security policies, such as TLSv1.1, will now fail this rule.

To add this rule to your Organization Rule Bundle, head to the Rules Catalog page.

Identity Service Database Update

Stax Team

An update has been applied to the Stax Identity Service to improve its performance and reliability.

This update upgrades the Stax Identity Service Database's underlying software. This modernises and standardises the infrastructure in use across all of Stax's customers.

These changes have been applied automatically by Stax during the advertised maintenance window. There is no impact to service expected as a result of this upgrade. Should you experience any issues, please raise a support case.

To ensure you receive notice of upcoming changes to Stax, make sure you're subscribed to the status page.