Understanding the StaxManagement Role
From time to time, Stax automation will make updates to Stax-managed AWS accounts. Updates are most commonly applied by the Stax Assurance process. The updates may include improved security controls, additional features, or just routine maintenance. Stax leverages IAM roles to apply these updates and manages these roles in accordance with the principle of least privilege. There are different roles used from time to time for specific tasks. A list of these is available by reviewing Stax Management Roles below.
Using CloudTrail to Identify StaxManagement Activities
AWS CloudTrail can be leveraged to determine what activities the StaxManagement role has performed within your account.
When reviewing CloudTrail logs, the sessionContext section will contain a reference to the StaxManagement role. Specifically, it will contain the below attributes:
"arn": "arn:aws:iam::<AWSAccountID>:role/stax/StaxManagement",
"userName": "StaxManagement"
Stax Management Roles
From time to time, other roles may be utilized by Stax to implement changes and updates. These roles should be monitored accordingly in any security or other log analytics tooling in use.
- StaxApiTokenManagement
- StaxAWSSupportManagement
- StaxEventBusTargetRole
- StaxEventsManagement
- StaxIdamManagement
- StaxManagement
- StaxNetworkingManagement
- StaxOrgManagement
- StaxPermissionSetsManagement
- stax-spotlight-service-role-StaxIamRole-<unique_id>
- stax-spotlight-billing-role-StaxIamRole-<unique_id>
- staxid-workload-deploy-admin
Under very limited circumstances, a Stax Engineer will utilize the following role when accessing your account:
- stax-admin-admin-role
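One way to apply the CloudTrail check and the role list above in log analytics tooling, as an added example that is not Stax's own code: it reads a CloudTrail log file, keeps events whose session issuer is one of the listed roles, and labels stax-admin-admin-role sessions separately so engineer access stands out from automation. Assumptions: the function names are hypothetical, the sample records are constructed, the `<unique_id>` suffix is matched as any non-empty string, and the attributes are read from CloudTrail's `userIdentity.sessionContext.sessionIssuer` element.

```python
import json
import re

# Role names copied from the "Stax Management Roles" list on this page.
STAX_ROLES = {
    "StaxApiTokenManagement", "StaxAWSSupportManagement", "StaxEventBusTargetRole",
    "StaxEventsManagement", "StaxIdamManagement", "StaxManagement", "StaxNetworkingManagement",
    "StaxOrgManagement", "StaxPermissionSetsManagement", "staxid-workload-deploy-admin"}
# Listed with a <unique_id> suffix; its format is assumed (any non-empty suffix).
SUFFIXED = re.compile(r"^stax-spotlight-(service|billing)-role-StaxIamRole-.+$")
ENGINEER_ROLE = "stax-admin-admin-role"  # used by a Stax Engineer, per the page

def classify(record):
    """Return 'engineer', 'automation' or None for one CloudTrail record."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    name, arn = issuer.get("userName", ""), issuer.get("arn", "")
    # Require an assumed-role session whose issuer ARN ends in the same role name.
    if (identity.get("type") != "AssumedRole" or not name
            or ":role/" not in arn or arn.rsplit("/", 1)[-1] != name):
        return None
    if name == ENGINEER_ROLE:
        return "engineer"
    if name in STAX_ROLES or SUFFIXED.match(name):
        return "automation"
    return None

def stax_activity(log_text):
    """List (category, role, eventTime, eventName) for each Stax session event."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        category = classify(rec)
        if category:
            role = rec["userIdentity"]["sessionContext"]["sessionIssuer"]["userName"]
            out.append((category, role, rec.get("eventTime"), rec.get("eventName")))
    return out

def sample_record(arn, name, time, event, kind="AssumedRole"):
    issuer = {"type": "Role", "arn": arn, "userName": name}
    return {"eventTime": time, "eventName": event,
            "userIdentity": {"type": kind, "sessionContext": {"sessionIssuer": issuer}}}

# Constructed sample log file: account ID, times, events and role paths are made up.
A = "arn:aws:iam::111122223333:role/"
SAMPLE = json.dumps({"Records": [
    sample_record(A + "stax/StaxManagement", "StaxManagement", "2024-05-01T01:00:00Z", "PutRolePolicy"),
    sample_record(A + "stax-admin-admin-role", "stax-admin-admin-role", "2024-05-01T02:00:00Z", "ListBuckets"),
    sample_record(A + "app/StaxManagementCopy", "StaxManagementCopy", "2024-05-01T03:00:00Z", "CreateUser"),
    sample_record(A + "stax-spotlight-billing-role-StaxIamRole-EXAMPLE", "stax-spotlight-billing-role-StaxIamRole-EXAMPLE", "2024-05-01T04:00:00Z", "GetCostAndUsage")]})
```

Role names are matched exactly, so a lookalike such as the constructed `StaxManagementCopy` is not attributed to Stax.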