Offboarding your AWS Organization from Stax

Should your organization decide to remove Stax from its AWS environment, a series of steps must be completed. These steps should be completed in consultation with the Customer Support team or your Customer Success Manager. Before you begin the offboarding process, be aware that:

  • Resources will be removed from Foundation accounts: Stax resources will be removed from Foundation accounts. Some Stax security protections will be retained to minimise disruption and promote good account security. Once the Stax offboarding is complete, you are free to alter or remove these resources.
  • Resources will not be removed from member accounts: Stax-created resources in member accounts will be retained as part of this process. Once the Stax offboarding is complete, you are free to alter or remove these resources.
  • Access to the Stax Console will be removed: Once the offboarding process is complete, you will no longer be able to access the Stax console or API. In addition, the Stax Identity Service will be deprovisioned, so access to AWS accounts via Stax or stax2aws will no longer be available. Access AWS accounts directly using either root user credentials or an IAM User.

To begin the offboarding process, raise a support case within the Stax console. For organizations using the resold Account Ownership Model, be aware that the management account must be transferred into your organization's name before offboarding can begin. There are three main steps in this transfer process.

  • Assess if an AWS Consent to Assignment (CTA) is required
  • Only if required, complete the AWS CTA Letter (this may take several weeks)
  • The account and billing details within the management account will be updated by Stax

Resources removed during offboarding

The table below gives an overview of the Stax resources that will be removed during offboarding, listed by category and then by account type. All resources are CloudFormation stacks deployed in the Stax Installation Region, unless otherwise specified.

Identity & Access

  Management Account:
    • stax-spotlight-service-role
    • stax-stackset-member-role
    • stax-stackset-administrator-role
    • stax-api-token-management
    • stax-idp
    • stax-admin-idp
    • stax-spotlight-etl-<region>-master
    • stax-spotlight-billing-role

  Security Account:
    • stax-api-token-management
    • stax-spotlight-service-role
    • stax-stackset-member-role
    • stax-stackset-administrator-role
    • stax-api-token-management
    • stax-idp
    • stax-admin-idp
    • stax-idam-admin-password-rotation
    • idam-IdamWebAclAssociation-*
    • idam-IdamStack-*
    • idam-IdamWaf-*
    • idam-IdamVpc-*
    • staxid (Type: IAM IdP)
    • stax-admin (Type: IAM IdP)

  Logging Account:
    • stax-spotlight-realtime-rule-alert-role
    • stax-spotlight-service-role
    • stax-stackset-member-role
    • stax-stackset-administrator-role
    • stax-api-token-management
    • stax-idp
    • staxid (Type: IAM IdP)
    • stax-admin (Type: IAM IdP)

  Member Accounts: None

Billing

  Management Account:
    • stax-etl-billing-management-<region>-master
    • stax-billing-ebc-management-<region>-master
    • stax-etl-deployment-<region>-master- (Type: S3 Bucket)
    • stax-spotlight-transformed-cur-*- (Type: S3 Bucket)
    • /aws/lambda/stax-spotlight-etl-stax* (CloudWatch Log Group)

  Security Account: None

  Logging Account: None

  Member Accounts: None

Stax Events

  Management Account:
    • stax-cloudtrail-activity-forwarder
    • stax-aws-support-events (Region: us-east-1)
    • stax-aws-support-events (Region: us-east-1)

  Security Account:
    • stax-event-api-destination-rules
    • stax-aws-support-events (Region: us-east-1)
    • <stax_organization_id>-api-key (Type: Secrets Manager)

  Logging Account:
    • stax-cloudtrail-spotlight-forwarder
    • stax-cloudtrail-activity-forwarder-master
    • stax-aws-support-events (Region: us-east-1)

  Member Accounts: None

Stax Assurance

  Management Account:
    • stax-protection-foundation (Type: SCP)
    • stax-protection-partner (Type: SCP)
    • stax-protection-standard (Type: SCP)
    • stax-protection-unsupported-region (Type: SCP)
    • stax-protection-unsupported-resell (Type: SCP)
    • stax-OrgAdminOnly (Type: SCP)

  Security Account: None

  Logging Account: None

  Member Accounts: None

Resources retained during offboarding

The table below gives an overview of the Stax resources that will not be removed during offboarding, listed by category and then by account type. All resources are CloudFormation stacks deployed in the Stax Installation Region, unless otherwise specified.

Stax Assurance

  Management Account:
    • stax-compute-optimizer
    • stax-assurance-cloudtrail
    • stax-assurance-config
    • stax-assurance-cis-benchmark
    • stax-vpc-flowlog-cwl
    • stax-event-internal-rules
    • Organization Trail (Type: CloudTrail trail)
    • stax-protection-account-pool (Type: SCP)

  Security Account:
    • stax-fms-notification-channel
    • stax-config-organisation-aggregator
    • stax-iam-access-analyzer
    • stax-assurance-config
    • stax-assurance-cis-benchmark
    • stax-vpc-flowlog-cwl
    • stax-event-internal-rules
    • stax-unused-iam-credentials-remediation (Type: AWS Config Config Recorder)
    • SSM-SessionManagerRunShell (Type: SSM Document)
    • GuardDuty: Enabled Organization-wide, Delegated Administrator
    • Config: Enabled Organization-wide, Delegated Administrator
    • IAM Access Analyzer: Enabled Organization-wide, Delegated Administrator
    • Firewall Manager: Enabled Organization-wide, Delegated Administrator
    • Compute Optimizer: Enabled Organization-wide, Delegated Administrator

  Logging Account:
    • stax-cloudtrail-master
    • stax-config-master
    • stax-session-manager
    • stax-vpc-flowlog-bucket
    • stax-assurance-config
    • stax-assurance-cis-benchmark
    • stax-vpc-flowlog-cwl
    • stax-event-internal-rules

  Member Accounts:
    • stax-assurance-config
    • stax-assurance-cis-benchmark
    • stax-vpc-flowlog-cwl
    • stax-event-internal-rules

Billing

  Management Account:
    • stax-raw-cur-* (Type: S3 Bucket)

  Security Account: None

  Logging Account: None

  Member Accounts: None

Identity & Access

  Management Account: None

  Security Account: None

  Logging Account: None

  Member Accounts:
    • stax-spotlight-service-role
    • stax-aws-support (Type: IAM Role)
    • stax-stackset-member-role
    • stax-stackset-administrator-role
    • stax-api-token-management
    • stax-onboarding-management-role (Discovered accounts only)
    • stax-idp
    • stax-admin-idp
    • stax-id (Type: IAM IdP)
    • stax-admin (Type: IAM IdP)

    It is recommended that the above resources are deleted after offboarding completes.

Stax Events

  Management Account: None

  Security Account: None

  Logging Account: None

  Member Accounts:
    • stax-aws-support-events (us-east-1)

Other

  Management Account:
    • <stax_account_name>-<aws_account_id> (Type: IAM Account Alias)
    • <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone)
    • Stax Example Policies (Type: SCP), including:
        stax-s3-force-encryption
        stax-no-new-igw
        stax-protect-cloudwatch
        stax-ap-southeast-2-only
        stax-protect-vpc-flow-logs

  Security Account:
    • stax-aws-support (Type: IAM Role)
    • <stax_account_name>-<aws_account_id> (Type: IAM Account Alias)
    • <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone)

  Logging Account:
    • stax-support-metrics (Type: IAM Role)
    • <stax_account_name>-<aws_account_id> (Type: IAM Account Alias)
    • <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone)

  Member Accounts:
    • <stax_account_name>-<aws_account_id> (Type: IAM Account Alias)
    • <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone)
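
The member-account Identity & Access resources listed above are the ones recommended for deletion after offboarding. The following Python check is an added example, not Stax tooling: it reports which of them still exist in one member account, given the JSON output of `aws cloudformation list-stacks` and `aws iam list-roles` plus a list of IAM identity provider ARNs. The function name, the sample data, the placeholder account ID and the `saml-provider` ARN type are assumptions made for the example.

```python
import json

# Names from the "retained" table, member-account Identity & Access entries.
STACKS = {"stax-spotlight-service-role", "stax-stackset-member-role",
          "stax-stackset-administrator-role", "stax-api-token-management",
          "stax-onboarding-management-role", "stax-idp", "stax-admin-idp"}
ROLES = {"stax-aws-support"}
IDPS = {"stax-id", "stax-admin"}


def audit_member_account(stacks_json, roles_json, provider_arns):
    """Return sorted (kind, name, detail) findings for retained Stax resources."""
    findings = []
    for s in json.loads(stacks_json).get("StackSummaries", []):
        # list-stacks keeps reporting deleted stacks as DELETE_COMPLETE;
        # skip those, but keep DELETE_FAILED because the stack still exists.
        if s["StackName"] in STACKS and s["StackStatus"] != "DELETE_COMPLETE":
            findings.append(("stack", s["StackName"], s["StackStatus"]))
    for r in json.loads(roles_json).get("Roles", []):
        if r["RoleName"] in ROLES:
            findings.append(("role", r["RoleName"], r["Arn"]))
    for arn in provider_arns:
        # IdP ARNs end in <provider-type>/<name>; match on the name only.
        name = arn.rsplit("/", 1)[-1]
        if name in IDPS:
            findings.append(("idp", name, arn))
    return sorted(findings)


# Constructed sample input (111122223333 is a placeholder account ID).
SAMPLE_STACKS = json.dumps({"StackSummaries": [
    {"StackName": "stax-idp", "StackStatus": "CREATE_COMPLETE"},
    {"StackName": "stax-api-token-management", "StackStatus": "DELETE_COMPLETE"},
    {"StackName": "stax-stackset-member-role", "StackStatus": "DELETE_FAILED"},
    {"StackName": "app-network", "StackStatus": "UPDATE_COMPLETE"},
]})
SAMPLE_ROLES = json.dumps({"Roles": [
    {"RoleName": "stax-aws-support",
     "Arn": "arn:aws:iam::111122223333:role/stax-aws-support"},
    {"RoleName": "app-deploy",
     "Arn": "arn:aws:iam::111122223333:role/app-deploy"},
]})
SAMPLE_IDPS = ["arn:aws:iam::111122223333:saml-provider/stax-admin"]

if __name__ == "__main__":
    for finding in audit_member_account(SAMPLE_STACKS, SAMPLE_ROLES, SAMPLE_IDPS):
        print(*finding, sep="\t")
```

An empty result for every member account means none of the listed Identity & Access resources remain; a `DELETE_FAILED` stack still needs manual cleanup.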