Understanding the StaxManagement Role

From time to time, Stax automation will make updates to Stax-managed AWS accounts. Updates are most commonly applied by the Stax Assurance process. The updates may include improved security controls, additional features, or just routine maintenance. Stax leverages IAM roles to apply these updates and manages these roles in accordance with the principle of least privilege. There are different roles used from time to time for specific tasks. A list of these is available by reviewing Stax Management Roles below.

Using CloudTrail to Identify StaxManagement Activities

AWS CloudTrail can be leveraged to determine what activities the StaxManagement role has performed within your account.

When reviewing CloudTrail logs, the sessionContext section will contain a reference to the StaxManagement role. Specifically, it will contain the below attributes:

"arn": "arn:aws:iam::<AWSAccountID>:role/stax/StaxManagement",
"userName": "StaxManagement"

Stax Management Roles

From time to time, other roles may be utilized by Stax to implement changes and updates. These roles should be monitored accordingly in any security or other log analytics tooling in use.

StaxApiTokenManagement
StaxAWSSupportManagement
StaxEventBusTargetRole
StaxEventsManagement
StaxIdamManagement
StaxManagement
StaxNetworkingManagement
StaxOrgManagement
StaxPermissionSetsManagement
stax-spotlight-service-role-StaxIamRole-<unique_id>
stax-spotlight-billing-role-StaxIamRole-<unique_id>
staxid-workload-deploy-admin

Under very limited circumstances, a Stax Engineer will utilize the following role when accessing your account:

stax-admin-admin-role

Using CloudTrail to Identify StaxManagement Activities​

Stax Management Roles​

Using CloudTrail to Identify StaxManagement Activities

Stax Management Roles