Stax makes adherence to industry standards and internal compliance easy by providing Rule Bundles to reduce the burden of finding and creating your own sets of Rules. Rule Bundles are predefined collections of Rules that help your organization to compare itself to industry frameworks and best practices, such as the CIS benchmark and best practices for using Amazon S3. We also have an extensive catalog of customizable Rules where you can select the segment to which the Rule is applied as well as any other parameters you'd like to customize, for example the number of characters required in IAM passwords.
Stax regularly checks compliance throughout the day. When a new failure is detected, an alert can be sent using Notifications. Where a default segment has been selected by a user, they will only be alerted for resource failures where the resource belongs to that segment, thus reducing unnecessary noise and preventing alert fatigue.
Stax does not automatically remediate Rule failures. It is theoretically possible to remediate failures by sending Notifications to a bespoke downstream system. That system would, in turn, parse the notification payload and take action based on it. Stax does not provide this functionality natively.
Before You Begin
- Estimated time to complete: 5 minutes
- After Rule creation, initial resource evaluation may take several hours
- You must be at least a member of the Read Only or User role in your Stax tenancy. If creating, deleting, or modifying Rules, you must be a member of the Admin or Cost & Compliance Admin roles in your Stax tenancy
- Log in to Stax
- Choose Rules from the left-hand nav
The Global Filter allows refining the Rules page to display only results for a single segment of a View. To view all results, choose All Views from the Views list.
The Rule Bundle filter allows further refining of results to view only Rules within a given Rule Bundle.
Choose a severity from the top panel to refine the results to show only Rules of that severity.
The most recent assessment's results will be shown. A filter can be applied to show only failing items.
Once filtered to the desired results, click a Rule to view its results.
Copy a resource's ARN to allow further investigation in the AWS Console.
To review additional details about the Rule and how it is evaluated, click on Documentation.
Trigger a Rule Evaluation
Rules are regularly evaluated to ensure compliance data is up-to-date, but to request a faster evaluation of a specific rule, choose Re-Evaluate Rule from the Rule's vertical ellipsis (⋮) menu.
If a resource cannot be made compliant, or should be excluded from checking, choose the vertical ellipsis (⋮) next to the resource then click Ignore resource from rule.
Provide a valid reason, then click Ignore Resource.
When downloading reports from the Rules page, any Global or Rule Bundle filtering applied will be reflected in the report. To include all resources, be sure to remove filters before downloading a report.
To download an overall compliance report, click the download icon at the top of the Rules page, then choose Summary Report. The report will be generated and dispatched by email.
To download a single Rule's report, navigate to the Rule's results page, then click Download. The report will be generated and dispatched by email.
Rule Bundles help you better organize your Rules in Stax and make it easy to ensure compliance with external standards or internal frameworks, by adding whole bundles of Rules to your Rules list at once.
There are two types of Bundles in Stax:
- Pre-Configured Rule Bundles are either aligned to best practice for a particular AWS service, or to an external framework such as the CIS Benchmark
- The Organization Rules Bundle is composed of Rules that members of your team have created specifically for your team to monitor. Whenever someone in your organization adds a new Rule, it will automatically be added to the Organization Rules Bundle
Pre-Configured Rule Bundles
Stax provides and maintains the following Rule Bundles. You can enable any combination of these in Stax.
- APRA: A bundle of Rules to help you comply with the Australian Prudential Regulation Authority Standards
- CIS Benchmark: A bundle of Rules aligned to the CIS Benchmark, a global benchmark developed by a non-profit organization to help organizations improve their security and compliance postures
- CloudTrail Best Practice: Ensure your use of CloudTrail is secure and aligned with best practice
- EC2 Best Practice: This Rule Bundle helps you ensure your use of EC2 is secure and aligned with best practice
- IAM Best Practice: A Bundle of Rules to make sure your use of IAM is secure and aligned with best practice
- Public Exposure: This Rule Bundle helps monitor your organization's posture against common avenues for public exposure in AWS
- RDS Best Practice: A Bundle of Rules to ensure your use of RDS is secure and aligned with best practice
- S3 Best Practice: This Rule Bundle helps you ensure your use of S3 is secure and aligned with best practice
- SNS Best Practice: This Rule Bundle helps you ensure your use of SNS is secure and aligned with best practice
- SQS Best Practice: A Bundle of Rules to make sure your use of SQS is secure and aligned with best practice
- Stax Foundation Compliance: The Stax Foundation Compliance Rule Bundle helps your organization align to industry best practices and minimize security risks and vulnerabilities
Some Rule Bundles may have overlapping rules. This is indicated by multiple Rule Bundle names next to a Rule on the Rules page.
To get started using Rule Bundles, check out Manage Rule Bundles.
Limitations when using Views in Rules
When using Views on the Rules page, some AWS resources may not be displayed. This is because Stax's Views system uses the AWS Cost and Usage Report (CUR) to determine which resources are active. If a resource does not incur any usage cost in the current month's CUR, it will not be displayed by Stax.
To see all resources, select All Views, then choose a Rule from the Rules list to open the Rule Details page. Use the Add Filter button to create an appropriate filter to locate the resource. The Rule Details page shows all resources, not just those that appear in the CUR.