Migrate a Stax-managed AWS account to another AWS Organization

Moving an AWS account between AWS Organizations is a well-defined process. AWS provides guidance on this. When the account is being moved from a Stax-managed AWS Organization to another AWS Organization, there are additional considerations.

For guidance in moving an AWS account to a Stax-managed AWS Organization, see Onboard an AWS Account to Stax.

Danger: You must follow all directions in this procedure to ensure your AWS accounts are correctly offboarded from Stax management. If all steps are not completed, Stax may continue to manage resources in accounts even after they have left the AWS organization.

Before you begin

  • Ensure you are a member of the Admin role in your Stax tenancy
  • Familiarize yourself with your organization's account ownership model. This is important when validating which steps should be performed as part of this procedure

Customer-Owned Management Account

If your management account is customer-owned, you can migrate the account by following the AWS guidance with one additional step. You must first raise a support case disclosing your intention to migrate the AWS account out of the Stax-managed AWS organization.

Once the case is raised, access the AWS organization's management account and remove the AWS account from the Stax-managed organizational unit (OU). Once removed from the OU, Stax's protections will no longer be applied to the account.

After this task is completed, you may perform the AWS-prescribed tasks to migrate the account to the new AWS Organization. You may need to change the account's email address in this process.

Reseller-Owned Management Account

If your management account is reseller-owned, you must work with the reseller to migrate the account. If Stax is not your reseller, you must also raise a support case disclosing your intention to migrate the AWS account out of the Stax-managed AWS Organization.

The Stax support team will work with you and your reseller to remove the account from the Stax-managed AWS organization.

Final Tasks

Once the account is removed from the AWS Organization, you should:

  • Advise Stax Support via the existing support case that you have removed the AWS account from the organization. Stax will no longer attempt to monitor or manage the AWS account once this advice has been received and processed

  • Modify the OrganizationAccountAccessRole IAM Role, replacing the old organization management account ID with the new organization's management account ID

  • Remove remaining resources that grant Stax permissions to monitor and manage the account. The CloudFormation stacks listed below contain IAM roles that should be removed. Stacks listed against the Stax Installation Region exist in the AWS region that corresponds to your Stax Installation Region.

    Resource Name                 Resource Type          Region
    stax-Provisioning             CloudFormation Stack   Stax Installation Region
    stax-spotlight-service-role   CloudFormation Stack   Stax Installation Region
    stax-idp                      CloudFormation Stack   Stax Installation Region
    stax-admin-idp                CloudFormation Stack   Stax Installation Region
    stax-stackset-member-role     CloudFormation Stack   Stax Installation Region
    stax-aws-support-events       CloudFormation Stack   us-east-1
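
The two cleanup tasks above can be checked offline before anything is changed in the account. The following is an added example, not Stax or AWS code: it assumes the old management account ID appears as an AWS principal in the role's trust policy, and the function names, the "INSTALL" placeholder and the sample account IDs are constructed for illustration.

```python
import copy
import re

# Stack names and regions from the table on this page. "INSTALL" is a
# placeholder for the Stax Installation Region, supplied by the caller.
STAX_STACKS = {
    "stax-Provisioning": "INSTALL", "stax-spotlight-service-role": "INSTALL",
    "stax-idp": "INSTALL", "stax-admin-idp": "INSTALL",
    "stax-stackset-member-role": "INSTALL", "stax-aws-support-events": "us-east-1",
}

# Constructed sample trust policy; both account IDs are made up.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}

def retarget_trust_policy(policy, old_id, new_id):
    """Copy the policy, swapping old_id for new_id in AWS principals only."""
    for acct in (old_id, new_id):
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    arn = re.compile(rf"^(arn:aws[\w-]*:iam::){old_id}(:.*)$")
    def swap(p):
        return new_id if p == old_id else arn.sub(rf"\g<1>{new_id}\g<2>", p)
    out = copy.deepcopy(policy)
    stmts = out["Statement"] if isinstance(out["Statement"], list) else [out["Statement"]]
    changed = 0
    for stmt in stmts:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue  # service, federated or wildcard principals are left alone
        aws = principal["AWS"]
        old_vals = [aws] if isinstance(aws, str) else list(aws)
        new_vals = [swap(v) for v in old_vals]
        changed += sum(a != b for a, b in zip(old_vals, new_vals))
        principal["AWS"] = new_vals[0] if isinstance(aws, str) else new_vals
    if not changed:
        raise ValueError("old management account ID not found in any AWS principal")
    return out

def leftover_stax_stacks(stacks_by_region, install_region):
    """Return sorted (region, stack) pairs from the page's table that still exist."""
    found = []
    for name, region in STAX_STACKS.items():
        region = install_region if region == "INSTALL" else region
        if name in stacks_by_region.get(region, ()):
            found.append((region, name))
    return sorted(found)
```

The policy document can be taken from `aws iam get-role` output and the per-region stack names from `aws cloudformation describe-stacks`; an empty result from `leftover_stax_stacks` means none of the listed stacks remain in the expected regions.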