
Foundation Accounts

There are three Foundation AWS Accounts in all Stax-managed AWS Organizations: Management, Security, and Logging. Each provides important functionality for the environment.

Management Account

The management account resides at the "top" of your AWS Organization, within the root. Some organization-based AWS functionality can only be enabled and configured in the management account. Consider AWS's published best practices for this account before making any changes to it.

For reseller-owned management accounts, the account resides in the built-in foundation-management-resell Account Type. For customer-owned management accounts, the account can be found in the foundation-management Account Type. The account cannot be moved from its Account Type, and other accounts cannot be added to these Account Types.

Depending on the account ownership model in use, you will either have full access (in the case of a customer-owned management account), or limited access (in the case of a reseller-owned management account) to this account. For reseller-owned management accounts, the following services are available when logging in to this account:

Security Account

The security account is used to manage security-related controls and services. As part of Stax Assurance, Stax hardens all the accounts you create with security controls. Amazon GuardDuty is one of these controls, and the security account functions as your Amazon GuardDuty master.

The security account also hosts the Stax Identity Service. This service is responsible for managing all access to the Stax console and API, as well as single sign-on (SSO) into your Stax accounts.

The main purpose of the security account is to keep security controls centralized. Stax recommends that you use this account in the same way for your own security-related workloads, so that all security-related controls reside in the central security account.

The security account resides in the built-in SecurityOU and the foundation-security Account Type.

Logging Account

The logging account holds log records for Stax and AWS activity that occurs in your Stax environment and Stax-managed AWS Accounts. As part of Stax Assurance, Stax enables service logging in Stax-managed AWS accounts. The logs generated by these services are sent to individual S3 buckets in the logging account. Furthermore, if VPC flow logs are enabled for VPCs created by Stax Networks, these logs will also be sent to the logging account.

The purpose of the logging account is to store logging records of activity occurring in Stax-managed AWS accounts, and to retain audit information pertaining to the Stax Identity Service.

Stax recommends that you also use this account in the same way for your own workloads, so that the central logging account becomes the source of truth for all audit and log information. Security and audit teams can then be granted appropriate access to this account to review activity.
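As an added example that is not part of the Stax documentation or of any Stax-managed resource, the following CloudFormation template defines a read-only audit role in the logging account, along the lines of the access recommended above. The bucket names and the audit team's principal are template parameters you supply; the deny statement ensures the role can read log evidence but never alter or delete it.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only audit access to the central log buckets (added example)
Parameters:
  AuditPrincipalArn:
    Type: String   # assumption: the role or user the audit team signs in as
  CloudTrailBucket:
    Type: String   # placeholder: name of the CloudTrail log bucket
  FlowLogBucket:
    Type: String   # placeholder: name of the VPC flow-log bucket
Resources:
  LogAuditorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { AWS: !Ref AuditPrincipalArn }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-logs-no-tamper
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ListLogBuckets
                Effect: Allow
                Action: [s3:ListBucket, s3:GetBucketLocation]
                Resource:
                  - !Sub arn:aws:s3:::${CloudTrailBucket}
                  - !Sub arn:aws:s3:::${FlowLogBucket}
              - Sid: ReadLogObjects
                Effect: Allow
                Action: [s3:GetObject, s3:GetObjectVersion]
                Resource:
                  - !Sub arn:aws:s3:::${CloudTrailBucket}/*
                  - !Sub arn:aws:s3:::${FlowLogBucket}/*
              # An explicit Deny overrides any Allow attached later, so the
              # auditor can never change or destroy the records they review.
              - Sid: DenyLogTampering
                Effect: Deny
                Action:
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                  - s3:PutBucketPolicy
                  - s3:PutLifecycleConfiguration
                  - s3:PutBucketVersioning
                Resource: "*"
```

Deploy it in the logging account only; the log buckets themselves stay under Stax's management, and this role only grants read access to them.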

The logging account resides in the built-in SecurityOU and the foundation-logging Account Type.