About the Compliance module
Stax makes adherence to industry standards and internal compliance easy by providing Rule Bundles to reduce the burden of finding and creating your own sets of Rules. Rule Bundles are predefined collections of Rules that help your organization compare itself to industry frameworks and best practices, such as the CIS benchmark and best practices for using Amazon S3. We also have an extensive catalog of customizable Rules where you can select the segment to which the Rule is applied as well as any other parameters you'd like to customize, for example, the number of characters required in IAM passwords.
Stax regularly checks compliance throughout the day. When a new failure is detected, an alert can be sent using Notifications. Where a default segment has been selected by a user, they will only be alerted for resource failures where the resource belongs to that segment, thus reducing unnecessary noise and preventing alert fatigue.
Stax does not automatically remediate Rule failures. It is possible in principle to remediate failures by sending Notifications to a bespoke downstream system; that system would, in turn, parse the notification payload and take action based on it. Stax does not provide this functionality natively.
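The two preceding paragraphs describe a pattern (segment-scoped alerting, plus a downstream system that parses the notification payload and acts on it) without showing any code. The following is an added example, not Stax's own code: a minimal handler that consumes a failure notification, applies the default-segment filter described above, validates each resource ARN, de-duplicates against resources already ticketed, and emits work items for a remediation queue rather than changing anything in AWS itself. The payload field names (`event`, `rule`, `failures`, `segment`) are an assumption for illustration; the page does not document Stax's notification schema, and the sample notification is constructed.

```python
"""Added example (not Stax code): a downstream consumer for Stax
compliance-failure Notifications. The payload shape is assumed."""
import json
from dataclasses import dataclass

# Constructed sample notification. Field names are an assumption,
# not Stax's documented schema.
SAMPLE_NOTIFICATION = json.dumps({
    "event": "rule.failure",
    "rule": {"name": "S3 bucket blocks public access", "severity": "High"},
    "failures": [
        {"arn": "arn:aws:s3:::example-bucket-prod", "segment": "production"},
        {"arn": "arn:aws:s3:::example-bucket-sandbox", "segment": "sandbox"},
    ],
})


@dataclass(frozen=True)
class WorkItem:
    """One remediation task handed to a ticketing or queue system."""
    arn: str
    rule: str
    severity: str
    segment: str


def parse_arn_service(arn):
    """Return the service component of an ARN
    (arn:partition:service:region:account:resource), rejecting
    anything that is not ARN-shaped before it is acted upon."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[2]:
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2]


def handle_notification(payload_json, default_segment=None, seen=None):
    """Turn a notification into work items.

    Mirrors the page's default-segment behaviour: when a default
    segment is set, only failures whose resource belongs to that
    segment are surfaced. `seen` holds ARNs already ticketed so the
    regular re-checks throughout the day do not re-raise them."""
    seen = set() if seen is None else seen
    payload = json.loads(payload_json)
    if payload.get("event") != "rule.failure":
        return []  # ignore anything that is not a failure event
    rule = payload["rule"]
    items = []
    for failure in payload["failures"]:
        if default_segment and failure.get("segment") != default_segment:
            continue  # noise reduction: outside the operator's segment
        parse_arn_service(failure["arn"])  # validate before use
        if failure["arn"] in seen:
            continue  # already ticketed on an earlier check
        seen.add(failure["arn"])
        items.append(WorkItem(failure["arn"], rule["name"],
                              rule["severity"], failure["segment"]))
    return items


if __name__ == "__main__":
    for item in handle_notification(SAMPLE_NOTIFICATION,
                                    default_segment="production"):
        print(item)
```

Passing the same `seen` set across invocations is what keeps the repeated daily evaluations from producing duplicate tickets; in a real deployment that set would live in persistent storage keyed by ARN and rule.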
Before You Begin
- Estimated time to complete: 5 minutes
- After Rule creation, initial resource evaluation may take several hours
- You must be at least a member of the Read Only or User role in your Stax tenancy. If creating, deleting, or modifying Rules, you must be a member of the Admin or Cost & Compliance Admin roles in your Stax tenancy
Access Rules
- Log in to Stax
- Choose Compliance from the left-hand nav
- The most recent assessment's results will be shown
Explore Results
The Rules page shows a summary of the compliance results, including overall compliance and compliance broken down by rule severity.
The compliance summary can be viewed in two ways:
- Compliance based on the number of passing and failing rules; or
- Compliance based on the number of passing and failing resources.
Choose the vertical ellipsis (⋮) under the summary results to change how the compliance score is calculated.
Below the compliance summary, a list of every enabled rule's compliance is shown. Choose the Show disabled option within the vertical ellipsis (⋮) to include disabled rules in the summary provided.
Filter Results
There are several ways in which to filter your compliance results.
The Rule Bundle filter allows further refining of results to view only Rules within a given Rule Bundle.
The Global Filter allows refining the Rules page to display only results for a single segment of a View. To view all results, choose All Views from the Views list.
Choose a severity from the top panel to refine the results to show only Rules of that severity.
Once filtered to the desired results, click a Rule to view its results.
Explore a Rule's Results
Clicking on a Rule will load the Rule Detail page, showing the results of the specific rule in more detail.
Copy a resource's ARN to allow further investigation in the AWS Console.
To review additional details about the Rule and how it is evaluated, click on Documentation.
To improve your compliance posture, click Remediation for guidance on addressing failing resources through the AWS Console.
Trigger a Rule Evaluation
Rules are regularly evaluated to ensure compliance data is up-to-date, but to request a faster evaluation of a specific rule, choose Re-Evaluate Rule from the Rule's vertical ellipsis (⋮) menu.
Ignore Resources
If resources cannot be made compliant, or should be excluded, select the resources to be ignored, then click the Ignore button. Provide a valid reason, then click Ignore Resource.
Downloading Reports
When downloading reports from the Rules page, any Global or Rule Bundle filtering applied will be reflected in the report. To include all resources, be sure to remove filters before downloading a report.
To download an overall compliance report, click the Downloads button at the top of the Rules page, then choose Summary Report. The report will be generated and dispatched by email.
To download a single Rule's report, navigate to the Rule's results page, then click Download. The report will be generated and dispatched by email.
Rule Bundles
Rule Bundles help you better organize your Rules in Stax, and make it easy to ensure compliance with external standards or internal frameworks, by adding a whole bundle of Rules to your Rules list at once.
There are two types of Bundles in Stax:
- Pre-Configured Rule Bundles are either aligned to best practice for a particular AWS service or to an external framework such as the CIS Benchmark
- Organization Rules Bundle is composed of Rules that members of your team have created specifically for your team to monitor. Whenever someone in your organization adds a new Rule, it'll automatically be added to the Organization Rules Bundle
Pre-Configured Rule Bundles
Stax provides and maintains the following Rule Bundles. You can enable any combination of these in Stax.
- ACSC Essential Eight: Checks your compliance against controls within the Australian Cyber Security Centre (ACSC)'s Essential Eight mitigation strategies developed to help protect against cyber security threats
- APRA: Comply with the Australian Prudential Regulation Authority Standards
- CIS Benchmark: Checks your compliance against the global benchmark developed by the Center for Internet Security, a non-profit organization, to help organizations improve their security and compliance postures
- CloudTrail Best Practice: Ensure your use of CloudTrail is secure and aligned with best practice
- EC2 Best Practice: Ensure your use of EC2 is secure and aligned with best practice
- IAM Best Practice: Ensure IAM is secure and aligned with best practice
- Partner Hosted Foundational Technical Review (Public Preview): Helps organizations evaluate their AWS architecture against the AWS Partner Hosted Foundational Technical Review.
- PCI DSS: Checks your compliance against a subset of the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 requirements
- Public Exposure: Monitor your organization's posture against common avenues for public exposure in AWS
- RDS Best Practice: Ensure your use of RDS is secure and aligned with best practice
- S3 Best Practice: Ensure your use of S3 is secure and aligned with best practice
- SNS Best Practice: Ensure your use of SNS is secure and aligned with best practice
- SQS Best Practice: Ensure your use of SQS is secure and aligned with best practice
- Stax Foundation Compliance: Ensure your organization aligns with industry best practices and minimizes security risks and vulnerabilities
- NIST Cybersecurity Framework (Public Preview): Checks your compliance against the National Institute of Standards and Technology (NIST) Cybersecurity Framework
- NIST Privacy Framework Bundle (Private Preview): Checks your compliance against the National Institute of Standards and Technology (NIST) Privacy Framework
Some Rule Bundles may have overlapping rules. This is indicated in the Bundles column next to a Rule on the Rules page. Click on the briefcase icon to see which bundle a Rule is a member of.
To get started using Rule Bundles, check out Manage Rule Bundles.
Limitations when using Views in Rules
When using Views on the Rules page, some AWS resources may not be displayed. This is because Stax's Views system uses the AWS CUR (Cost and Usage Report) to determine which resources are active. If a resource does not incur any usage cost in the current month's CUR, it will not be displayed by Stax.
To see all resources: with All Views selected, choose a Rule from the Rules list to open the Rule Details page. Use the Add Filter button to create an appropriate filter to locate the resource. The Rule Details page shows all resources, not just those that appear in the CUR.