Stax Assurance
The Stax Assurance process applies hardening to minimize security risks and vulnerabilities within your AWS accounts.
A central part of Stax Assurance is ensuring AWS accounts align to the CIS AWS Foundation Benchmark and the AWS Well-Architected Framework.
If you are onboarding existing AWS accounts, any existing configurations for the AWS services used as part of Assurance may be reconfigured to align with Stax controls. This ensures your resources operate in accordance with the CIS AWS Foundations Benchmark and the AWS Well-Architected Framework.
To see which AWS services that have been configured in your environment or see what settings are available, navigate to the Foundation Services page via the drop-down menu in the Stax console.
Stax-managed Foundation Services
As part of providing a secure and performant foundation, Stax configures your AWS accounts with the following AWS services:
- Amazon GuardDuty
- AWS Config
- AWS CloudTrail
- AWS Identity and Access Management (IAM) Access Analyzer
- AWS Security Hub
- AWS Firewall Manager
- AWS Compute Optimizer
- AWS Backup
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that monitors for malicious or unauthorized behavior within your AWS accounts. It also detects compromised AWS resources.
As part of Stax’s well-architected foundation, Stax allows you to implement and manage Amazon GuardDuty. As a baseline, Stax configures the below for you:
- Enabled for all accounts and regions in the AWS Organization
- Security account designated as the delegated administrator
- All findings in the AWS Organization centralized in the Security Account in your Stax Installation Region
- All findings exported to an S3 bucket in the Logging Account
In addition to this, Amazon GuardDuty also offers protection plans, which analyse non-foundational data sources for potential security threats. Stax allows you to configure these plans, such as EKS Protection and Lambda Protection, as well as set the findings export frequency for all GuardDuty findings.
AWS Config
AWS Config monitors and records all changes that are made to AWS resources. All Config logs are stored in your logging account.
The below AWS Config settings are configured:
- AWS Config is enabled in all regions
- Recording of all resources enabled in all regions. Recording of global IAM resources, such as AWS IAM Policy, Users, Roles, and Group, configured only in your Stax Installation Region.
- Configuration Snapshots are sent to your Logging account
- Configuration Snapshot storage is not publicly accessible
- Configuration Snapshots are encrypted at rest
AWS CloudTrail
AWS CloudTrail is a service that logs all API activity within your organization. It provides an audit trail for all user activity within the AWS Console, AWS SDKs, and AWS CLI. All CloudTrail logs are stored in your logging account.
As part of Stax Assurance, the below CloudTrail settings are configured:
- A CloudTrail Organization trail is created in the management account
- Organization trails are automatically applied to all regions of all member accounts in the organization
- Organization trails log events to a central CloudWatch Log Group in the management account for events that occur in the management account and all member accounts in the organization (12-month retention)
- CloudTrail logs are persisted to an S3 bucket in the Logging account (10-year retention)
- CloudTrail log validation is enabled
- CloudTrail log storage is not publicly accessible
- CloudTrail logs are encrypted at rest
AWS IAM Access Analyzer
AWS IAM Access Analyzer scans the policies of your AWS resources and identifies if they are being shared with an external identity. Types of external identities include another AWS account, a root user, an IAM user or an AWS service.
The AWS IAM Access Analyzer service is enabled at the AWS Organization level. This means that it is configured within every region of every account in your AWS Organization. As part of this configuration, all IAM Access Analyzer findings are made available within Events in your security account.
In addition, an AWS service-linked role is created within each account so that AWS IAM Analyzer can analyze your resources. The role is named AWSServiceRoleForAccessAnalyzer.
AWS Security Hub
AWS Security Hub provides a single pane of glass for security professionals and engineers that aggregates, organizes, and prioritizes your findings from multiple AWS services and AWS Partner solutions, enabling you to quickly assess the security posture across your AWS accounts.
As part of Stax’s well-architected foundation, Stax allows you to implement and manage central configuration in AWS Security Hub with the following configuration to ensure any new or existing accounts are consistently being assessed for security threats:
- Security account assigned as the delegated administrator.
- Stax Installation Region designated as the home Region for finding aggregation. The home Region is also the Region from which the delegated administrator configures the setup and management of control and policy configurations.
- Organization findings centralized in the Security foundation account in the home Region.
- Security Hub enabled in the home Region and at least one linked Region of your choice.
- Enabled for all accounts in the AWS Organization within the home and selected linked Regions.
- Stax will not apply Security Hub to any accounts in the Stax Account Pool Organizational Unit (OU).
AWS Security Hub also offers prepackaged security standards, such as, the CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, and the Payment Card Industry Data Security Standard (PCI DSS). These help evaluate the security posture of your AWS accounts and resources.
Stax gives you the option to configure these standards for all accounts within the home and enabled linked Regions.
AWS Firewall Manager
AWS Firewall Manager allows you to manage and maintain organization-wide protection of AWS resources by centralising the management of AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. Stax sets the security account as the Firewall Manager administrator account. This allows Firewall Manager to access information about all accounts in your organization so that you can specify the scope of your Firewall Manager policies.
In addition, Stax has configured a DDoS notification SNS topic (stax-fms-notification-channel-<management_account_stax_uuid>) in each supported region in the Security foundation account. These topics will allow you to subscribe to receive notifications of possible DDoS attacks. For organizations where the AWS Firewall Manager administrator account is delegated to an account other than the Security account, this configuration will not be applied to your own delegate.
AWS Compute Optimizer
AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of certain AWS resources. Refer to the documentation for a list of supported AWS resources. Compute Optimizer reports whether resources are optimally provisioned, and generates optimization recommendations to reduce cost and improve the performance of compute resources.
Stax enables Compute Optimizer within the management account and opts-in all accounts within the organization. As a result, Compute Optimizer analyzes resources that are in all accounts in the organization, and generates optimization recommendations for those resources. Stax also exports Compute Optimizer recommendations to an S3 bucket (stax-compute-optimizer-<stax_organization_id>) in your Logging account. The recommendations are exported weekly on Monday (UTC+10).
AWS Backup
AWS Backup is enabled at the Organization level with cross-account backups enabled. This permits accounts that are members of the AWS Organization to utilize the AWS Backup service.
Other Utilized Services
In order for Stax to minimize security risks and provide traceability, Stax also configures and leverages the following AWS services:
- Amazon CloudWatch
- AWS Identity & Access Management (IAM)
- AWS Systems Manager
- Service Control Policies
Amazon CloudWatch
Amazon CloudWatch captures the metric data of resources and enables configuration of alarms against these metrics.
As part of Stax Assurance, the below metric data is captured and monitored:
- Unauthorized API calls
- AWS Management Console authentication failures
- AWS Management Console sign-in without MFA
- IAM policy changes
- CloudTrail configuration changes
- Usage of 'root' account
- Disabling or deleting customer created CMKs
- S3 bucket policy changes
- Security Group changes
- Network Access Control List changes
- Network Gateway changes
- Route Table changes
- VPC changes
- AWS Organizations changes
AWS Identity & Access Management (IAM)
AWS Identity & Access Management (IAM) secures user and machine access to AWS resources. It provides fine-grained access control to resources using users, roles, and policies.
Stax defines the account password policy for IAM users as follows:
- Password minimum length: 14
- Password strength:
- Require at least one uppercase letter from Latin alphabet (A-Z)
- Require at least one lowercase letter from Latin alphabet (a-z)
- Require at least one number
- Require at least one non-alphanumeric letter (
! @ # $ % ^ & * ( ) _ + - = [ ] { } | ')
- Enable password expiration: Enabled, 90 days
- Allow users to change their own password: Enabled
- Prevent password reuse: Enabled, 24 passwords can't be repeated
For the password policy that applies to Stax user accounts, see Password Policy.
AWS Systems Manager
AWS Systems Manager is an AWS service that you can use to view and control your infrastructure on AWS. Session Manager is a feature of AWS Systems Manager which allows you to manage instances through a browser-based shell or via the AWS CLI.
Stax enables auditing and logging of session activity within Session Manager as part of Stax Assurance. All logs are sent to an S3 bucket in your logging account.
Service Control Policies
Service Control Policies (SCPs) govern which services users can access and the actions they can perform. SCPs function at the AWS Organization entity level (root, organizational unit, or account).
Within Stax, SCPs are applied to your Organization and accounts using Policies. Stax Policies protect Stax-provisioned resources and configurations that provide critical security services and controls. All SCPs applied by Stax are visible in the Stax Console under the Policies sub-menu in the left-hand navigation pane.
You can create and apply your own Policies in addition to the mandatory controls Stax applies by default. Some examples of mandatory Policies set up by Stax include:
- Disallow modification of AWS Config
- Disallow modification of AWS GuardDuty
- Disallow modification of Stax-managed AWS CloudTrail logs
- Disallow modifications of Stax CloudFormation Stacks
- Prevent removal of Stax CloudWatch alarms
- Disallow modifications of Stax Lambdas
- Prevent removal of Stax Identity Management Service resources
- Disallow policy changes of Stax SSM Session Manager configuration preferences
- Restrict the use of root credentials
To view the controls applied to your AWS Organization by Stax mandatory Policies, visit Policies in the Stax console.
Automation��
Stax deploys, manages, and updates resources in your accounts via automated pipelines. This ensures that your security, audit, logging, and access controls are always up to date. Underpinning this automation is AWS Cloudformation. AWS CloudFormation stacks are deployed into all of your accounts, allowing Stax to leverage the principles of Infrastructure-as-code. These stacks deploy a number of serverless AWS services into your accounts, including AWS Lambda, Amazon SNS, and Amazon Route 53. These services help ensure that your Stax experience is seamless and consistent.
Audit Data
As part of Stax Assurance, the following audit data is captured:
- CloudTrail logs are sent to an S3 bucket in your logging account
- AWS Config Configuration Snapshots are sent to an S3 bucket in your logging account
- VPC Flow Logs for Stax-managed VPCs are sent to an S3 bucket in your logging account
- AWS SSM Session Manager session activity logs are sent to an S3 bucket in your logging account