Using Stax-managed AWS Regions
Stax-managed AWS Regions allows you to view and enable AWS opt-in Regions for all accounts within your Stax Organization. This provides flexibility and seamless enablement of opt-in regions, bringing them in line with security and best practices through the Stax Assurance process.
Additionally, Stax offers the ability to disable AWS regions for both opt-in and AWS default regions, providing the ability to implement protections against access to regions that are not used by your Stax-managed AWS Organization.
Follow the below instructions to configure Stax-managed AWS Regions or see the Stax API.
If you choose to enable opt-in AWS Regions, ensure you are aware of the pricing for AWS services that will be enabled in the region as part of the Stax Assurance process. Enabling a new region in Stax opens the Region to all accounts within your Organization, allowing you to deploy resources and workloads in the Region. As a best practice, opt-in only to AWS Regions where you will run workloads.
Before You Begin
- Estimated time to complete: 5 minutes (enablement of an opt-in region can take a few minutes or up to 2 hours depending on the number of in-scope accounts and opt-in regions enabled)
- Ensure you are a member of the Admin role in your Stax tenancy
Enabling AWS Regions
- Log in to the Stax Console
- Click Organization in the left-hand nav
- Choose Foundation Services in the sub-menu, beneath Service Control Policies
- Choose the settings cog on the Stax-managed AWS Regions tile
- Click on the Edit icon next to Settings to enable regions supported by Stax
- Choose the region(s) you wish to enable by clicking the toggle next to the region
- Click Save
Enabling AWS Regions will take some time to configure depending on the number of AWS accounts you have. Once configured, Stax-managed AWS Regions will transition from Configuring to Active on the Foundation Services page.
Disabling AWS Regions
You can disable opt-in regions and default regions using the same steps as above. Your Stax tenancy's control plane region cannot be disabled.
Before selecting regions to disable, confirm that your Stax-managed AWS Organization:
- Does not have the selected regions set as linked regions in your organization's Stax-managed Security Hub settings
- Does not have any Networking resources deployed to the selected regions
- Does not have any Workloads deployed to the selected regions
- Does not have any other AWS resources created
Otherwise, any AWS resources that are still deployed in the selected regions may continue to attract costs for your Stax-managed AWS Organization.
External Management of AWS Regions
Changes made to the Organization's AWS Regions outside of Stax, such as the AWS console or AWS SDK, will not be preserved by Stax. When the Stax assurance process is run, your AWS Region settings will be reset to the configuration specified in the Stax-managed AWS Regions service.
Using Amazon Bedrock
Amazon Bedrock provides two types of inference profiles for model invocation:
- Cross-region inference profiles, which are predefined profiles provided by Amazon Bedrock. Model invocation requests may be routed through different regions, including regions that aren't supported by Stax.
- Application inference profiles, which are user-managed. By using an application inference profile, you can able to specify the regions that model invocation requests are routed through.
If your Stax-managed AWS Organization uses Amazon Bedrock, it is recommended to use application inference profiles for best results in order for requests to be routed through only enabled regions.