41 posts tagged with "Fix"

Fixes

SQS queues have a Dead Letter Queue fix

Stax Team

The Rules "SQS queues have a dead letter queue" and "SQS queues should have a dead-letter queue (DLQ)" have been updated to ignore queues with a *Redrive Access Policy*. This change means that DLQs that have been configured with a Redrive Access Policy will be ignored and will no longer be evaluated as part of this rule.

To add this rule to your Organization Rule Bundle, head to the Rules Catalog page.

Permission Sets Update

Stax Team

An issue has been resolved where Permission Sets allowed the creation of a policy larger than that permitted by AWS. Attempted creation of invalid policies will now result in an error being returned.

Stax Workloads Update

Stax Team

An update has been applied to Stax Workloads to improve performance and reliability:

  • Fixed an issue where a Stax Workloads manifest would fail schema validation when using the ProtectedResources key.

These changes have been applied automatically by Stax. There is no impact to service expected as a result of this update. Should you experience any issues, please raise a support case.

Updates Deployed to Rules Module to Resolve Incorrectly Matched Resources

Stax Team

An update has been applied to the Rules module to improve collection accuracy:

  • Fixed an issue with how Stax implements rule result collection in the Rules module, where resources were not being accurately matched against Rules. This was resulting in false negatives and false positives for a small number of resources.

These changes have been applied automatically by Stax. There is no impact to service expected as a result of this update. You may notice a small change in the number of resources accurately passing or failing.

Should you experience any issues, please raise a support case.

Stax Workloads Update

Stax Team

An update has been applied to Stax Workloads to improve performance and reliability:

  • Added a new default tag stax:organisation_alias to Workloads CloudFormation stacks.

  • Fixed an issue where Stax Workloads could be deployed to Stax-managed AWS accounts that are not active. If the account is not active, the Workloads API will now return a 400 "Bad Request" response, along with an error payload detailing the error.

  • Fixed an issue where the Workloads Catalog could display a failed Catalog Version as the latest Catalog Version available for deployment. The Workloads Catalog will now only show the latest active Catalog Version, or null, if no active Catalog Versions are available. If trying to deploy a Workload Catalog with no latest version, the API will now return a 400 "Bad Request" response, along with an error payload detailing the error.

These changes have been applied automatically by Stax. There is no impact to service expected as a result of this update. Should you experience any issues, please raise a support case.

Automatically Disable Unused IAM Credentials

Stax Team

Stax is improving the way it helps you to manage unused IAM credentials in your Stax-managed AWS accounts, in line with the CIS AWS Foundations Benchmark item 1.3 (Ensure credentials unused for 90 days or greater are disabled). A managed AWS Config Conformance Pack will be deployed into these accounts. This replaces the existing AWS Lambda function previously performing this task.

This Conformance Pack evaluates all IAM users' passwords and active IAM access keys. If a credential has been inactive for greater than 90 days, the remediation action will revoke those credentials. Specifically, the IAM user's password will be deleted, and active access keys will be disabled.

Previously, a bug existed in the AWS Lambda function performing this task which meant credentials that had never been used would not be deleted/disabled.

The Conformance Pack comprises the following AWS-managed Config Rule and associated remediation configuration:

Checks if your AWS Identity and Access Management (IAM) users have passwords or active access keys that have not been used within the specified number of days you provided.

The AWSConfigRemediation-RevokeUnusedIAMUserCredentials runbook revokes unused AWS Identity and Access Management (IAM) passwords and active access keys. This runbook also deactivates expired access keys, and deletes expired login profiles. AWS Config must be enabled in the AWS Region where you run this automation.

The Conformance Pack will be located in each Stax-managed AWS account, within the AWS Region of your Stax Installation. It will replace the existing AWS Lambda function, entitled stax-DisableUnusedCredentials, which will be deleted.

Once the Conformance Pack is deployed into an AWS account, it will trigger an evaluation of all IAM users in that account. Any non-compliant IAM users will be remediated immediately. This means that any unused passwords or access keys that have not been used for more than 90 days since creation will be deactivated immediately.

These changes will be implemented for Stax-managed AWS Organizations during the week beginning 20 September 2021. If you have any questions or concerns in advance of this, please contact your Customer Success Manager or raise a support case.
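
To preview which credentials the remediation described above would affect, the following added example (not Stax's or AWS's code) applies the 90-day rule to an IAM credential report CSV. The sample rows are constructed, and ageing a never-used credential from its creation or rotation time is an assumption of this sketch.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # threshold from CIS item 1.3, as stated above

# Constructed sample in the IAM credential report CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_used,password_last_changed,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,2021-01-05T00:00:00+00:00,true,2021-09-01T10:00:00+00:00,2021-01-05T00:00:00+00:00,false,N/A,N/A
bob,2020-11-01T00:00:00+00:00,true,2021-03-02T08:00:00+00:00,2020-11-01T00:00:00+00:00,true,2020-11-01T00:00:00+00:00,2021-08-30T12:00:00+00:00
ci-deploy,2021-02-10T00:00:00+00:00,false,N/A,N/A,true,2021-02-10T00:00:00+00:00,N/A
new-hire,2021-09-10T00:00:00+00:00,true,no_information,2021-09-10T00:00:00+00:00,false,N/A,N/A
"""

def _parse(value):
    """Return an aware datetime, or None for 'N/A' / 'no_information'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def _stale(last_used, created, now):
    # Assumption: a never-used credential is aged from its creation/rotation
    # time, so it is flagged rather than skipped.
    reference = last_used or created
    return reference is not None and now - reference > MAX_AGE

def stale_credentials(report_csv, now):
    """Return sorted (user, credential) pairs unused for more than 90 days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] == "true":
            created = (_parse(row["password_last_changed"])
                       or _parse(row["user_creation_time"]))
            if _stale(_parse(row["password_last_used"]), created, now):
                findings.append((row["user"], "password"))
        for n in ("1", "2"):
            # Only active keys are evaluated; missing columns are skipped.
            if row.get(f"access_key_{n}_active") == "true":
                if _stale(_parse(row[f"access_key_{n}_last_used_date"]),
                          _parse(row[f"access_key_{n}_last_rotated"]), now):
                    findings.append((row["user"], f"access_key_{n}"))
    return sorted(findings)

if __name__ == "__main__":
    print(stale_credentials(SAMPLE_REPORT, datetime(2021, 9, 20, tzinfo=timezone.utc)))
```

Running it against a real report before the Conformance Pack is deployed shows which IAM users would lose a password or have a key disabled, including service users whose keys have never been used.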

Stax Workloads API Pagination Updates

Stax Team

Stax has introduced changes to Stax Workloads API endpoints to improve support for pagination.

This makes it easier to deal with large volumes of Workloads and Workload Catalog Items when using the Stax API.

  • Fixed pagination on the Fetch Workloads API endpoint. This endpoint now correctly returns all matching results based on filters and accurately reports the correct total number of results: stax-au1 stax-us1 stax-eu1

  • Added pagination on the Fetch Catalog Items API endpoint. This endpoint now supports pagination in a consistent manner with the rest of the Workloads API endpoints: stax-au1 stax-us1 stax-eu1

These changes have been applied automatically by Stax. Should you experience any issues, please raise a support case.