🗃️ Onboarding and Offboarding
7 items
📄️ About Accounts
The Stax Accounts feature allows you to securely and easily create, view and centrally manage your AWS Accounts and get started deploying applications, workloads and resources. You can create and manage accounts within the Stax console or via the Stax API to gather detailed information about your accounts, onboard any existing accounts living outside of Stax, and apply AWS service control policies. You have SSO access to the AWS Console/CLI for these accounts through Stax if you wish to natively utilize the AWS services.
📄️ Access AWS Account Root User Credentials
When taking actions in your Stax-managed AWS accounts with root user credentials, you may find that the AWS Console or API does not return information or permit you to perform certain tasks. This is due to a policy Stax implements to prevent the root user credentials from taking any actions in Stax-managed AWS accounts, thereby improving the security of the accounts.
📄️ Access Stax-managed AWS Accounts if Stax is Unavailable
Stax manages your access to AWS accounts. If Stax is unavailable, we suggest that you follow the below advice to gain access to Stax-managed AWS accounts. Monitor Stax's Status Page for updates on its status.
📄️ AWS AI services opt-out policies
AWS customers can opt out of having their content stored or used for AWS AI service improvements using an opt-out policy. Read more about this at AI services opt-out policies.
📄️ AWS Config Shows the "Set up AWS Config" Wizard
When you use Stax, many AWS services within AWS accounts are configured on your behalf. One of these is AWS Config, which is set up when your accounts are created.
📄️ Check the provisioning status of an AWS account
To check the provisioning status of an AWS account created in Stax, review the Accounts page:
📄️ Close a Stax-Managed AWS Account
When an AWS account reaches the end of its lifespan in your organization, you may wish to remove it from service.
📄️ Configure Amazon GuardDuty within Stax
Stax Assurance configures Amazon GuardDuty on your behalf across your entire AWS Organization. By default, Stax takes three actions:
📄️ Consume AWS Service Logs in the Logging Account
Stax provisions S3 buckets for storing AWS service logs as part of the Stax Assurance process. For each of these services a bucket is created in the logging account. Each S3 bucket has a corresponding SNS topic which allows for receiving notifications when files are created. Subscribe to SNS topics to integrate these logs with other systems.
📄️ Consuming StaxTrail
StaxTrail is Stax's centralized logging component. Logging and audit information from Stax is recorded in the staxtrail bucket in your logging account. You can, alternatively, subscribe to the staxtrail SNS topic in the logging account.
📄️ Create an AWS Account
Creating an AWS account through Stax gives you a head-start to deploying your applications, workloads and resources, along with peace of mind in knowing the account will be created securely and follow AWS's recommended approach. Stax applies security hardening configurations that help you to achieve compliance with the CIS AWS Foundations Benchmark. This hardening is applied using the Stax Assurance process every time you create an account.
📄️ Edit a Stax-Managed AWS Account
You can edit the details of your Stax-managed AWS accounts at any time. You can update the account's Name, Type, and any Tags assigned to it.
📄️ Enable Organizational View for Trusted Advisor
Trusted Advisor can be accessed in individual AWS accounts or, via the Management account, for the entire AWS Organization.
📄️ Foundation Accounts
There are three Foundation AWS Accounts in all Stax-managed AWS Organizations: Management, Security, and Logging. Each provides important functionality for the environment.
📄️ How to Apply AWS Support Plans to your AWS Accounts
AWS offers several tiers of AWS Support Plan. Any of these can be used in conjunction with Stax; however, certain considerations apply.
📄️ Increasing Service Quotas
Amazon Web Services Service Quotas (formerly known as limits) are imposed by AWS to help guarantee availability and quality of resources and services, as well as to protect against bill shock. From time to time, requirements arise to modify the quotas in place for an AWS account.
📄️ Manage Account Types
Use Account Types to group your accounts and manage AWS access permissions. Account Types can be allocated to User Groups and AWS roles can be applied to these mappings. These settings can be managed from the Manage Account Types page.
📄️ New AWS account stuck in "INITIALIZING" status
When accounts are created in Stax, the Stax Assurance process takes some time to implement its controls and functionality in your new account before it becomes available for use. Generally this completes in under 30 minutes, but sometimes can take longer. If an account is in the INITIALIZING state for more than 30 minutes, consider the following actions:
📄️ Service Control Policies for Global Protection
Stax implements Service Control Policies (SCPs) to protect critical Stax resources within AWS accounts. Working within the boundaries of these SCPs requires some basic consideration.
📄️ Stax Assurance
The Stax Assurance process applies hardening to minimize security risks and vulnerabilities within your AWS accounts.
📄️ Stax-managed AWS Account Email Address Format
Stax requires an email address template to be specified as part of onboarding new and existing AWS organizations.
📄️ "This account has access restrictions" when modifying an AWS account
You may see the message This account has access restrictions when modifying an AWS account in the Stax console.
📄️ Unable to Validate Encryption on Amazon S3 Bucket
When attempting to start a Systems Manager session to an EC2 instance within an AWS account managed by Stax, you may receive an error message similar to the below:
📄️ Understanding Stax GuardDuty Findings
Reviewing Amazon GuardDuty findings (centralized in your foundation security account) on a regular basis is a key step to safely operating in the cloud. It is important to have an understanding of what is occurring in your AWS environment, and who is taking those actions. This is a key principle of the Shared Responsibility Model.
📄️ Understanding the Stax Account Pool
You may notice AWS accounts in your Stax-managed AWS Organization that do not have names or resources provisioned into them. These AWS accounts, typically, are part of the Stax-managed accounts pool.
📄️ Understanding the StaxManagement Role
From time to time, Stax automation will make updates to Stax-managed AWS accounts. Updates are most commonly applied by the Stax Assurance process. The updates may include improved security controls, additional features, or just routine maintenance. Stax leverages IAM roles to apply these updates and manages these roles in accordance with the principle of least privilege. There are different roles used from time to time for specific tasks. A list of these is available by reviewing Stax Management Roles below.
📄️ Update AWS Account Contact Details
You can update your Stax-managed AWS accounts' alternate contact details via the Stax Console, API, and SDK. You can update the primary account contact details for your Stax-managed AWS accounts from the AWS Organization's management account.
📄️ Using Organizational Units in Stax
Stax provides users with the ability to manage AWS Organizational Units (OUs) natively within the console or API/SDK. OUs are important building blocks that allow you to organize your accounts into a hierarchy and apply management controls against that hierarchy. Stax recommends that you utilize OUs as part of your Organizational structure and adhere to the best practices outlined by AWS. An important use case for OUs is the management of AWS account access permissions, which can be done via service control policies (SCPs).
📄️ Using Service Control Policies in Stax
Service control policies (SCPs) allow you to manage permissions within your Organization. Stax allows you to create and attach SCPs to your Organization, Organizational Units (OUs) and Accounts. In addition, Stax attaches several default SCPs to entities within your Organization in order to protect Stax resources and maintain the integrity of the platform. These SCPs cannot be removed.
📄️ Using Stax-managed AWS Regions
Stax-managed AWS Regions allows you to view and enable AWS opt-in Regions for all accounts within your Stax Organization. This provides flexibility and seamless enablement of opt-in regions, bringing them in line with security and best practices through the Stax Assurance process.
📄️ Using Stax-managed GuardDuty
Amazon GuardDuty is a threat detection service that monitors for malicious or unauthorized behavior within your AWS accounts. It also detects compromised AWS resources.
📄️ Using Stax-managed Security Hub
Stax-managed Security Hub allows you to implement and manage AWS Security Hub central configuration capabilities to ensure any new and existing accounts are consistently being assessed for security threats and best practices.
📄️ View AWS Accounts in the Stax Console
Stax provides a variety of features to help you view and manage your AWS accounts centrally in the Stax Console.