About Accounts

The Stax Accounts feature allows you to securely and easily create, view and centrally manage your AWS Accounts and get started deploying applications, workloads and resources. You can create and manage accounts within the Stax console or via the Stax API to gather detailed information about your accounts, onboard any existing accounts living outside of Stax, and apply AWS service control policies. You have SSO access to the AWS Console/CLI for these accounts through Stax if you wish to natively utilize the AWS services.

About Stax-Managed AWS Accounts

All AWS Accounts created via Stax are hardened with security configurations that help you to achieve compliance with the CIS AWS Foundations Benchmark. This hardening is applied via the Stax Assurance process.

Stax tenancies are provisioned with three AWS accounts that form the Foundation Accounts: Management, Security, and Logging. These accounts are required to operate the AWS Organization itself and contain much of the infrastructure provisioned by Stax for the purposes of managing the Organization.

These accounts are allocated to individual Account Types to enable more granular AWS account access permissions. In addition, the Security and Logging accounts are allocated to the Stax-managed SecurityOU for the purposes of applying controls and protections to the accounts.

Account Compliance Score

Within the Stax Console, customers can view each account's compliance score. The score represents the risk and compliance posture of each account and is evaluated against the Stax Foundation Compliance Rule Bundle, which is based on the CIS AWS Foundations Benchmark, the AWS Well-Architected Framework and Stax security and best practice guidelines.

External Accounts

An External Account is any AWS Account that has been discovered by Stax as part of onboarding an AWS Organization with existing application accounts. These accounts have not been created within Stax using the Create Account feature but can be optionally onboarded and managed alongside your other accounts in Stax. External Accounts can be identified by their origin.

Account Origin

An account can have an origin of Stax or External.

  • Accounts with an origin of Stax were created within Stax.

  • Accounts with an origin of External were not created in Stax but have been discovered or onboarded into Stax. Regardless of their status, External Accounts can always be identified by their origin value.

Account Statuses

The status of an account in Stax represents its lifecycle or stage. Valid account statuses include:

Status: Description
INITIALIZING: An account has been created within Stax and Stax Assurance is in progress
DISCOVERED: An external account that has been linked to your Stax-managed AWS Organization and is visible in the Stax console. Discovered accounts have the following attributes:
  • The account has an IAM role called Stax-Provisioning which allows Stax to access the account
  • The account is ready to be onboarded into Stax
  • The account has not had the Stax Assurance process completed on it
  • The account's compliance score is available
ERROR: Issues occurred during discovery or onboarding of this external account
ONBOARDING: This external account is proceeding through the Stax Assurance process
ACTIVE: Stax Assurance has completed and the account is now ready for use
SUSPENDED: This account has been suspended; users can no longer log in to this account
MAINTENANCE: This account is undergoing maintenance and is unavailable
CLOSED: This account has been closed in AWS and is no longer accessible