
Using Organizational Units in Stax

Stax provides users with the ability to manage AWS Organizational Units (OUs) natively within the console or API/SDK. OUs are important building blocks that allow you to organize your accounts into a hierarchy and apply management controls against that hierarchy. Stax recommends that you utilise OUs as part of your Organizational structure and adhere to the best practices outlined by AWS. An important use case for OUs is the management of AWS account access permissions, which can be done via service control policies (SCPs).

Stax tenancies are provisioned with three OUs: Stax Security, Stax Default, and Stax Account Pool. These OUs are found under root in your AWS Organization and each performs a unique function:

  • Stax Security: The Security and Logging accounts are housed in this OU, in alignment with the AWS Security Reference Architecture. A protective SCP is attached to both of these accounts by Stax to protect critical Stax-managed resources.

  • Stax Default: Users can utilise this OU for housing their accounts; however, Stax recommends that you define a new set of OUs that align to your business model. This OU can be removed if it is not being utilised.

  • Stax Account Pool: Stax pre-creates a pool of AWS accounts within your Organization to reduce the time it takes to create a Stax account. These accounts reside in this OU. See Understanding Account Pools for more information.

Before You Begin

  • Ensure you are a member of the Admin role in your Stax tenancy

  • Stax recommends that you manage OUs and their associated SCPs from within Stax. At this point in time, Stax does not maintain a data sync between AWS and Stax. Therefore, if you make updates to OUs and SCPs from within AWS, these will not be reflected within Stax.

  • OUs can only be nested up to five levels deep. See the AWS documentation for more details.
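
Because OU and SCP changes made directly in AWS are not reflected in Stax, a periodic comparison can surface them. The following is an added example, not Stax code: it diffs a record of what was configured through Stax against the state reported by AWS. The snapshot layout, OU ids, policy ids and account numbers are all constructed assumptions.

```python
# Added example. Snapshot shape {ou_id: {"name", "scps", "accounts"}} is an
# assumption, not the output format of any Stax or AWS API.

def find_drift(stax, aws):
    """Return sorted (ou_id, kind, detail) findings for differences between
    the Stax-side record and the state observed in AWS."""
    findings = []
    for ou_id in sorted(set(stax) | set(aws)):
        s, a = stax.get(ou_id), aws.get(ou_id)
        if s is None:  # OU created outside Stax
            findings.append((ou_id, "ou_only_in_aws", a["name"]))
            continue
        if a is None:  # OU deleted outside Stax
            findings.append((ou_id, "ou_missing_in_aws", s["name"]))
            continue
        if s["name"] != a["name"]:
            findings.append((ou_id, "renamed", f'{s["name"]} -> {a["name"]}'))
        # A detached SCP means a guardrail was removed out-of-band.
        for field in ("scps", "accounts"):
            added = sorted(set(a[field]) - set(s[field]))
            removed = sorted(set(s[field]) - set(a[field]))
            if added:
                findings.append((ou_id, f"{field}_added_in_aws", ",".join(added)))
            if removed:
                findings.append((ou_id, f"{field}_removed_in_aws", ",".join(removed)))
    return findings

# Constructed sample data (all ids are placeholders).
STAX_RECORD = {
    "ou-ex-security": {"name": "Stax Security", "scps": ["p-protect"],
                       "accounts": ["111111111111", "222222222222"]},
    "ou-ex-workloads": {"name": "Workloads", "scps": ["p-deny-regions"],
                        "accounts": ["333333333333"]},
}
AWS_STATE = {
    "ou-ex-security": {"name": "Stax Security", "scps": ["p-protect"],
                       "accounts": ["111111111111", "222222222222"]},
    "ou-ex-workloads": {"name": "Workloads", "scps": [],
                        "accounts": ["333333333333", "444444444444"]},
    "ou-ex-sandbox": {"name": "Sandbox", "scps": [], "accounts": []},
}

if __name__ == "__main__":
    for ou_id, kind, detail in find_drift(STAX_RECORD, AWS_STATE):
        print(f"{ou_id}: {kind}: {detail}")
```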

Create an OU

  1. Log in to the Stax Console

  2. Select Organization

  3. Click Organizational Units in the sub-menu, beneath Organizations

  4. Click + Create Organizational Unit

  5. Provide a name, Parent Organizational Unit and Tags

  6. Click Create

Edit an OU

  1. Log in to the Stax Console

  2. Select Organization

  3. Click Organizational Units in the sub-menu, beneath Organizations

  4. Select the OU that you would like to edit

  5. Select the Actions dropdown

  6. Click Edit Organizational Unit

  7. Update the name and/or tags (the Parent Organizational Unit cannot be updated)

  8. Click Save

Add an Account to an OU

  1. Log in to the Stax Console

  2. Select Organization

  3. Click Organizational Units in the sub-menu, beneath Organizations

  4. Select the OU that you would like to add an account to

  5. Select the Actions dropdown

  6. Click Add Accounts

  7. Select the accounts you would like to add

  8. Click Save

Move an Account from an OU

  1. Log in to the Stax Console

  2. Select Organization

  3. Click Organizational Units in the sub-menu, beneath Organizations

  4. Select the account's existing OU. This is the OU which currently contains the account

  5. Select the Actions dropdown

  6. Click Move Accounts

  7. Select the Destination Organizational Unit

  8. Select the accounts you would like to move

  9. Click Save

Delete an OU

  1. Log in to the Stax Console

  2. Select Organization

  3. Click Organizational Units in the sub-menu, beneath Organizations

  4. Select the OU that you would like to delete

  5. Select the Actions dropdown

  6. Click Delete OU

  7. Click Confirm