🗃️ Single Sign-On
7 items
📄️ About Identity and Access
Users can be granted different levels of access to both Stax itself, and to the AWS accounts managed by Stax. The Stax Identity Service governs access to Stax and to Stax-managed AWS accounts.
📄️ Account Types
Stax Account Types are account groupings, meaning Stax allows you to select a variety of Stax Account Types and place them in a group. The purpose of Account Types is to allow you to manage AWS Account Access Permissions for each Account Type.
📄️ Action Expired When Activating Stax User Account
If you or someone else are invited to Stax and do not activate your account within 12 hours of the invitation email being sent, the invitation will expire.
📄️ Adding and Managing Users in the Cost and Compliance Module
Invite your colleagues to Stax so they can gain value from the cost and compliance insights Stax provides.
📄️ Configuring Microsoft Entra ID for Single Sign-On for the Cost and Compliance Module
Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Entra ID (formerly Azure Active Directory) is Microsoft's cloud-hosted identity solution. It supports integration with applications as a SAML identity provider (IdP) and is available for use by most organizations with a Microsoft 365/Office 365 tenancy.
📄️ Create a Permission Set Assignment
Permission Set Assignments permit users to utilize the permissions afforded by a Permission Set within a Stax-managed AWS account. Before creating an assignment, ensure the Account Type, Group, and Permission Set to be assigned access to are created.
📄️ Create a Permission Set
Create a Permission Set and configure assignments to provide users with tailored access to Stax-managed AWS accounts.
📄️ Delete a Permission Set Assignment
Permission Set Assignments cannot be edited, only deleted and recreated. To delete an Assignment:
📄️ Delete a Permission Set
Permission Sets can be deleted when no longer required. Prior to deleting a Permission Set, first delete its Assignments.
📄️ Edit a Permission Set
Permission Sets can be edited to change their details if required. A common use case for this is when updating the IAM Policy Document that defines the level of access granted by this Permission Set.
📄️ Identity and Access in the Cost & Compliance Module
Users can be granted different levels of access to the Stax Cost & Compliance module.
📄️ Identity and access in the Cost & Compliance Module
Users can be granted different levels of access to the Stax Cost & Compliance module.
📄️ Log in to AWS Accounts Managed by Stax
From the Stax console, you can access your Stax-managed AWS accounts with any of the roles or Permission Sets assigned to you.
📄️ Log In to the Stax Console
When you're first granted access to Stax, you'll receive an invitation email which includes a login URL and an Organization Alias name to use to log in to your Stax tenancy. The URL can vary from organization to organization, so make sure you're using the URL provided to you.
📄️ Manage Groups
Access to AWS accounts managed by Stax is governed by Groups. Groups can be assigned access to either built-in Stax roles by assigning AWS roles to a group, or to a customized Permission Set. Adding or removing users from groups updates the Stax-managed AWS accounts they have access to.
📄️ Manage Users
The Users page allows you to edit users' details (Username, Email and Role), reset a user's password and deactivate/activate a user. Users can update their own details, and members of the Admin role can update the details of any user.
📄️ Monitor the Stax Identity Service
The Stax Identity Service manages and monitors access to Stax and, in most cases, Stax-managed AWS accounts. Monitor the service and its logs to keep up to date with activity in your Stax tenancy. The service has logging and protections in place to protect its own integrity and allow administrators to review its activity.
📄️ Multi-Factor Authentication for Root User Credentials
AWS provides the ability to enable multi-factor authentication (MFA) for AWS root user credentials. Stax works with AWS root credentials that have MFA enabled for both reseller-owned and customer-owned accounts. See Account Ownership Models for more information around account ownership within Stax.
📄️ Multi-Factor Authentication
Multi-factor authentication (MFA) allows securing of users' credentials within Stax that are not associated with a Single Sign-On (SSO) provider. Enabling MFA provides additional security by requiring that a second proof of identity be provided before a user is granted access to the Stax Console.
📄️ Password Policy for Stax Users
If your organization is not configured to use Single Sign-On, your password for Stax must adhere to the following rules:
📄️ Permission Sets
AWS best practices dictate that the principle of least privilege should be followed for permission assignment. What this means, in practice, is that users of AWS accounts should be granted privileges that allow them to perform only the required tasks.
📄️ Permissions in Stax
The below table provides a a list of permissions for each role in Stax.
📄️ Retry a Permission Set Assignment Deployment
In some circumstances you may need to retry deploying a Permission Set Assignment. This is useful if a deployment fails and you wish to retry it.
📄️ Translating a Stax User ID to Email Address
Stax utilizes UUIDs as identifiers for many resources, including users. When reviewing logs or other machine-generated information, UUIDs need to be resolved to review an individual user's details. This can be done using the Stax console, API, or SDK.
📄️ Update available for the idam Workload
In Workloads, the IDAM Workload (idam) represents the Stax Identity Service. It is deployed, updated, and maintained by Stax on your behalf. From time to time this Workload may show update available. This update will be deployed by Stax at an appropriate time and will be announced on the change log.
📄️ Use Systems Manager Session Manager with Stax Networks VPCs
When you create VPCs with Stax Networks there are a few tasks you'll need to complete before you're able to use AWS Systems Manager Session Manager with instances inside these VPCs. You must configure the proper IAM Instance Profile, create S3 endpoints in your VPCs, and configure the appropriate Security Group for your instances.
📄️ Use Systems Manager Session Manager
AWS Systems Manager Session Manager allows you to manage your EC2 instances and on-premises servers using a browser-based shell or the AWS CLI. To use Systems Manager Session Manager for EC2 instances with Stax, you need to configure an IAM Instance Profile. The profile grants the instance access to write to the Systems Manager Session Manager logging S3 bucket.
📄️ User Authentication Workflow
When users authenticate to Stax via the Console or stax2aws, a similar flow occurs regardless of whether Single Sign-On is configured or not.