Using Organizational Units in Stax
Stax provides users with the ability to manage AWS Organizational Units (OUs) natively within the console or through the API/SDK. OUs are important building blocks that allow you to organize your accounts into a hierarchy and apply management controls against that hierarchy. Stax recommends that you utilise OUs as part of your Organizational structure and adhere to the best practices outlined by AWS. An important use case for OUs is the management of AWS account access permissions, which can be done via service control policies (SCPs).
Stax tenancies are provisioned with three OUs: Stax Security, Stax Default, and Stax Account Pool. These OUs are found under root in your AWS Organization and each performs a unique function:
- Stax Security: The Security and Logging accounts are housed in this OU, in alignment with the AWS Security Reference Architecture. A protective SCP is attached to both of these accounts by Stax to protect critical Stax-managed resources.
- Stax Default: Users can utilise this OU for housing their accounts; however, Stax recommends that you define a new set of OUs that align to your business model. This OU can be removed if it is not being utilised.
- Stax Account Pool: Stax pre-creates a pool of AWS accounts within your Organization to reduce the time it takes to create a Stax account. These accounts reside in this OU. See Understanding Account Pools for more information.