Rules in Stax
Whether you want to track your compliance with industry standards or with your own internal standards, Stax has rule bundles and custom rules to match all your needs.
Stax makes adherence to industry standards and internal compliance easy by providing rule bundles, like CIS and S3 best practices, to reduce the burden of finding and creating your own sets of rules. We also have an extensive catalog of customizable rules where you can select the segment to which the rule is applied as well as any other parameters you'd like to customize, for example the number of characters required in your IAM passwords.
Stax regularly checks your compliance throughout the day. When a new failure is detected, an alert can be sent to an email address, to Slack, or via a webhook to another destination. You can configure these alerts in your Settings. A user who has selected a default segment is only alerted about failures of resources that belong to that segment, which reduces unnecessary 'noise'. Notifications are covered in another article.
Before you begin
Creating a rule or adding a rule bundle will take under 5 minutes, but the collation of the results for that rule or rule bundle can take several hours the first time the query runs.
You do not need to be an admin to view rule statuses and download reports.
In order to create or delete rules or ignore items from rules, you need to be an admin. Adding rules and rule bundles is covered in a separate article.
- Log in to Stax
- Select Rules from the left-hand nav
Filtering Your Results
Use the Global Filter to see the compliance for a single segment of one of your Views.
Use the Bundle Filter to see the compliance for a single bundle.
Click the Severity to see just rules with that severity level.
Once you've filtered the rule results to match your requirements, click any rule to see the results for that rule.
- You'll first see the results of the most recent assessment. You should then click to see the failing items.
- You can easily copy the ARN so you can check on the resource within your AWS console.
- To see what the rule is actually checking for and how we check it, click Documentation.
- If you believe you've made the required change to make the resources compliant, you can click to re-evaluate.
- If you've concluded that this item cannot be made compliant, ideally for valid business reasons, you can ignore the item.
- If you ignore the item, you will be asked to provide a reason. This 'ignored' list is auditable.
When downloading reports, if you've applied either the bundle filter or the global filter, the matching report will be sent. If you want a 'full' report, you should remove all filters before downloading.
- Get the full report by clicking the 'download' icon at the top of the page.
- Get the results for an individual rule by clicking the download button within the results page for that individual rule.