Offboarding your AWS Organization from Stax
Should your organization decide to remove Stax from its AWS environment, there are a series of steps that must be completed in order to successfully do this. These steps should be completed in consultation with the Customer Support team or your Customer Success Manager. Before you begin the offboarding process, be aware that:
- Resources will be removed from Foundation accounts: Stax resources will be removed from Foundation accounts. Some Stax security protections will be retained to minimise disruption and promote good account security. Once the Stax offboarding is complete, you are free to alter or remove these resources.
- Resources will not be removed from member accounts: Stax-created resources in member accounts will be retained as part of this process. Once the Stax offboarding is complete, you are free to alter or remove these resources.
- Access to the Stax Console will be removed: Once the offboarding process is complete, you will no longer be able to access the Stax console or API. In addition, the Stax Identity Service will be deprovisioned, so access to AWS accounts via Stax or stax2aws will no longer be available. Access AWS accounts directly using either root user credentials or an IAM User.
To begin the offboarding process, raise a support case within the Stax console. For organizations using the resold Account Ownership Model, be aware that the management account must be transferred into your organization's name before offboarding can begin. There are three main steps in this transfer process.
- Assess if an AWS Consent to Assignment (CTA) is required
- If required only, complete the AWS CTA Letter (this may take several weeks)
- The account and billing details within the management account will be updated by Stax
Resources removed during offboarding
The below table provides an overview of Stax resources that will be removed during offboarding. All resources are CloudFormation stacks deployed in the Stax Installation Region, unless otherwise specified.
| Management Account | Security Account | Logging Account | Member Accounts |
|---|---|---|---|
| Identity & Access | |||
| stax-spotlight-service-role stax-stackset-member-role stax-stackset-administrator-role stax-api-token-management stax-idp stax-admin-idp stax-spotlight-etl-<region>-master stax-spotlight-billing-role | stax-api-token-management stax-spotlight-service-role stax-stackset-member-role stax-stackset-administrator-role stax-api-token-management stax-idp stax-admin-idp stax-idam-admin-password-rotation idam-IdamWebAclAssociation-* idam-IdamStack-* idam-IdamWaf-* idam-IdamVpc-* staxid (Type: IAM IdP) stax-admin (Type: IAM IdP) | stax-spotlight-realtime-rule-alert-role stax-spotlight-service-role stax-stackset-member-role stax-stackset-administrator-role stax-api-token-management stax-idp staxid (Type: IAM IdP) stax-admin (Type: IAM IdP) | None |
| Billing | |||
| stax-etl-billing-management-<region>-master stax-billing-ebc-management-<region>-master stax-etl-deployment-<region>-master- (Type: S3 Bucket) stax-spotlight-transformed-cur-*- (Type: S3 Bucket) /aws/lambda/stax-spotlight-etl-stax* (CloudWatch Log Group) | None | None | None |
| Stax Events | |||
| stax-cloudtrail-activity-forwarder stax-aws-support-events (Region: us-east-1) stax-aws-support-events (Region: us-east-1) | stax-event-api-destination-rules stax-aws-support-events (Region: us-east-1) <stax_organization_id>-api-key (Type: Secrets Manager) | stax-cloudtrail-spotlight-forwarder stax-cloudtrail-activity-forwarder-master stax-aws-support-events (Region: us-east-1) | None |
| Stax Assurance | |||
| stax-protection-aws-baseline (Type: SCP) stax-protection-foundation (Type: SCP) stax-protection-stax-resources (Type: SCP) stax-protection-unsupported-region (Type: SCP) stax-protection-unsupported-resell (Type: SCP) stax-OrgAdminOnly (Type: SCP) | None | None | None |
Resources retained during offboarding
The below table provides an overview of Stax resources that will not be removed during offboarding. All resources are CloudFormation stacks deployed in the Stax Installation Region, unless otherwise specified.
| Management Account | Security Account | Logging Account | Member Accounts |
|---|---|---|---|
| Stax Assurance | |||
| stax-compute-optimizer stax-assurance-cloudtrail stax-assurance-config stax-assurance-cis-benchmark stax-vpc-flowlog-cwl stax-event-internal-rules Organization Trail (Type: CloudTrail trail) stax-protection-account-pool (Type SCP) | stax-fms-notification-channel stax-config-organisation-aggregator stax-iam-access-analyzer stax-assurance-config stax-assurance-cis-benchmark stax-vpc-flowlog-cwl stax-event-internal-rules stax-unused-iam-credentials-remediation (Type: AWS Config Config Recorder) SSM-SessionManagerRunShell (Type: SSM Document) GuardDuty: Enabled Organization-wide, Delegated Administrator Config: Enabled Organization-wide, Delegated Administrator IAM Access Analyzer: Enabled Organization-wide, Delegated Administrator Firewall Manager: Enabled Organization-wide, Delegated Administrator Compute Optimizer: Enabled Organization-wide, Delegated Administrator | stax-cloudtrail-master stax-config-master stax-session-manager stax-vpc-flowlog-bucket stax-assurance-config stax-assurance-cis-benchmark stax-vpc-flowlog-cwl stax-event-internal-rules | stax-assurance-config stax-assurance-cis-benchmark stax-vpc-flowlog-cwl stax-event-internal-rules stax-iam-access-analyzer-member |
| Billing | |||
| stax-raw-cur-* (Type: S3 Bucket) | None | None | None |
| Identity & Access | |||
| None | None | None | stax-spotlight-service-role stax-aws-support (Type: IAM Role) stax-stackset-member-role stax-stackset-administrator-role stax-api-token-management stax-onboarding-management-role (Discovered accounts only) stax-idp stax-admin-idp stax-id (Type: IAM IdP) stax-admin (Type: IAM IdP) It is recommended that the above resources are deleted after offboarding completes. |
| Stax Events | |||
| None | None | None | stax-aws-support-events (us-east-1) |
| Other | |||
| <stax_account_name>-<aws_account_id> (Type: IAM Account Alias) <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone) Stax Example Policies (Type SCP), including: stax-s3-force-encryption stax-no-new-igw stax-protect-cloudwatch stax-ap-southeast-2-only stax-protect-vpc-flow-logs | stax-aws-support (Type: IAM Role) <stax_account_name>-<aws_account_id> (Type: IAM Account Alias) <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone) | stax-support-metrics (Type: IAM Role) <stax_account_name>-<aws_account_id> (Type: IAM Account Alias) <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone) | <stax_account_name>-<aws_account_id> (Type: IAM Account Alias) <account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone) |
Route 53 Hosted Zones
The below information only applies to organizations with Route 53 hosted zones created by Stax under the staxapp.cloud domain. Check your AWS accounts for the presence of these zones to determine if you're affected.
When an AWS Organization is onboarded to Stax, a DNS zone and delegation is configured within Route 53 in the organization to allow resolving of Stax resources within the organization. When the organization is offboarded, that DNS zone is retained, but the delegation for it is removed from the public DNS. This means that resolution of these records will fail.
Organizations should, as part of offboarding, review any records created in these hosted zones and migrate them to zones that you control.