Configurable Guardrails

Configurable Guardrails allow you to harden all accounts in your Stax-managed AWS Organization using AWS best practice protections. These protections can be enabled or disabled so that you can improve and fine-tune your organization's security posture in just a few clicks.

You can harden your Stax-managed AWS Organization with the following guardrails:

  • Block enabling or disabling regions
  • Block AWS account closure
  • Block any changes to AWS Config
  • Block all EBS snapshots from being publicly restorable
  • Block EBS direct API calls
  • Block disabling EBS encryption by default
  • Block public access on AMIs
  • Block any changes to GuardDuty
  • Block all actions as root user
  • Block the creation of any IAM users
  • Block modification of IAM user password policies
  • Block any changes to IAM access keys and login profiles
  • Require IAM authentication for Lambda function URLs
  • Block all access to Amazon Macie
  • Block account from leaving the organization
  • Block external access to resources via AWS Resource Access Manager
  • Block changes to Route 53 domains
  • Block deletion of S3 Glacier vaults and archives
  • Require bucket ownership for objects in new buckets
  • Block changes to account-wide S3 public access block settings
  • Block any changes to Security Hub
  • Block changes to AWS Systems Manager public sharing settings
  • Block changes to Session Manager default preferences
  • Block creation of default VPC and subnet
  • Block deleting VPC flow logs

Follow the instructions below to set up Configurable Guardrails for your Stax-managed AWS Organization, or see the Stax API.

Before You Begin

  • Estimated time to complete: 5 minutes
  • Ensure you are a member of the Admin role in your Stax tenancy

Setting Up Configurable Guardrails

  1. Log in to the Stax Console
  2. Click on the Organization menu item, and then click on the Foundation Services sub-item
  3. Click on the Configurable Guardrails tile
  4. You should see a list of guardrails, grouped by AWS service
  5. Click on the edit button to begin updating your Configurable Guardrails settings
  6. Enable or disable a guardrail by clicking on the corresponding toggle. You may enable additional guardrails to further harden all accounts in the organization. Conversely, guardrails can also be toggled off.
  7. Review your changes and click on the Save button

Allow for some time while configuration is in progress. Once configured, the Configurable Guardrails tile should transition from Configuring to Active on the Foundation Services page.