Offboarding your AWS Organization from Stax
Should your organization decide to remove Stax from its AWS environment, there are a series of steps that must be completed in order to successfully do this. These steps should be completed in consultation with the Customer Support team or your Customer Success Manager. Before you begin the offboarding process, be aware that:
- Resources will be removed from Foundation accounts: Stax resources will be removed from Foundation accounts. Some Stax security protections will be retained to minimise disruption and promote good account security. Once the Stax offboarding is complete, you are free to alter or remove these resources.
- Resources will not be removed from member accounts: Stax-created resources in member accounts will be retained as part of this process. Once the Stax offboarding is complete, you are free to alter or remove these resources.
- Access to the Stax Console will be removed: Once the offboarding process is complete, you will no longer be able to access the Stax console or API. In addition, the Stax Identity Service will be deprovisioned, so access to AWS accounts via Stax or stax2aws will no longer be available. Access AWS accounts directly using either root user credentials or an IAM User.
To begin the offboarding process, raise a support case within the Stax console. For organizations using the resold Account Ownership Model, be aware that the management account must be transferred into your organization's name before offboarding can begin. There are three main steps in this transfer process.
- Assess if an AWS Consent to Assignment (CTA) is required
- If required only, complete the AWS CTA Letter (this may take several weeks)
- The account and billing details within the management account will be updated by Stax
Resources removed during offboarding
The below tables provides an overview of Stax resources that will be removed during offboarding. All resources are CloudFormation stacks deployed in the Stax Installation Region, unless otherwise specified. The headings indicate the account type that holds the affected resource.
Identity & Access
| Resource | Management | Security | Logging | Member |
|---|
stax-spotlight-service-role | ☑︎ | ☑︎ | ☑︎ | |
stax-stackset-member-role | ☑︎ | ☑︎ | ☑︎ | |
stax-stackset-administrator-role | ☑︎ | ☑︎ | ☑︎ | |
stax-api-token-management | ☑︎ | ☑︎ | ☑︎ | |
stax-idp | ☑︎ | ☑︎ | ☑︎ | |
stax-admin-idp | ☑︎ | ☑︎ | | |
stax-spotlight-etl-<region>-master | ☑︎ | | | |
stax-spotlight-billing-role | ☑︎ | | | |
stax-idam-admin-password-rotation | | ☑︎ | | |
idam-IdamWebAclAssociation-* | | ☑︎ | | |
idam-IdamStack-* | | ☑︎ | | |
idam-IdamWaf-* | | ☑︎ | | |
idam-IdamVpc-* | | ☑︎ | | |
staxid (Type: IAM IdP) | | ☑︎ | ☑︎ | |
stax-admin (Type: IAM IdP) | | ☑︎ | ☑︎ | |
stax-spotlight-realtime-rule-alert-role | | | ☑︎ | |
Billing
| Resource | Management | Security | Logging | Member |
|---|
stax-etl-billing-management-<region>-master | ☑︎ | | | |
stax-billing-ebc-management-<region>-master | ☑︎ | | | |
stax-etl-deployment-<region>-master-* (Type: S3 Bucket) | ☑︎ | | | |
stax-spotlight-transformed-cur-* (Type: S3 Bucket) | ☑︎ | | | |
/aws/lambda/stax-spotlight-etl-stax* (CloudWatch Log Group) | ☑︎ | | | |
Stax Events
| Resource | Management | Security | Logging | Member |
|---|
stax-cloudtrail-activity-forwarder | ☑︎ | | | |
stax-aws-support-events (Region: us-east-1) | ☑︎ | ☑︎ | ☑︎ | |
<stax_organization_id>-api-key (Type: Secrets Manager) | | ☑︎ | | |
stax-cloudtrail-spotlight-forwarder | | | ☑︎ | |
stax-cloudtrail-activity-forwarder-master | | | ☑︎ | |
Stax Assurance
| Resource | Management | Security | Logging | Member |
|---|
stax-protection-aws-baseline (Type: SCP) | ☑︎ | | | |
stax-protection-foundation (Type: SCP) | ☑︎ | | | |
stax-protection-stax-resources (Type: SCP) | ☑︎ | | | |
stax-protection-unsupported-region (Type: SCP) | ☑︎ | | | |
stax-protection-unsupported-resell (Type: SCP) | ☑︎ | | | |
stax-OrgAdminOnly (Type: SCP) | ☑︎ | | | |
Resources retained during offboarding
The below table provides an overview of Stax resources that will not be removed during offboarding. All resources are CloudFormation stacks deployed in the Stax Installation Region, unless otherwise specified.
Identity & Access
| Resource | Management | Security | Logging | Member |
|---|
stax-spotlight-service-role | | | | ☑︎ |
stax-aws-support (Type: IAM Role) | | | | ☑︎ |
stax-stackset-member-role | | | | ☑︎ |
stax-stackset-administrator-role | | | | ☑︎ |
stax-api-token-management | | | | ☑︎ |
stax-onboarding-management-role (Discovered accounts only) | | | | ☑︎ |
stax-idp | | | | ☑︎ |
stax-admin-idp | | | | ☑︎ |
stax-id (Type: IAM IdP) | | | | ☑︎ |
stax-admin (Type: IAM IdP) | | | | ☑︎ |
It is recommended that the above resources are deleted after offboarding completes.
Billing
| Resource | Management | Security | Logging | Member |
|---|
stax-raw-cur-* (Type: S3 Bucket) | ☑︎ | | | |
Stax Events
| Resource | Management | Security | Logging | Member |
|---|
stax-aws-support-events (us-east-1) | | | | ☑︎ |
Stax Assurance
| Resource | Management | Security | Logging | Member |
|---|
stax-compute-optimizer | ☑︎ | | | |
stax-assurance-cloudtrail | ☑︎ | | | |
stax-assurance-config | ☑︎ | ☑︎ | ☑︎ | ☑︎ |
stax-assurance-cis-benchmark | ☑︎ | ☑︎ | ☑︎ | ☑︎ |
stax-vpc-flowlog-cwl | ☑︎ | ☑︎ | ☑︎ | ☑︎ |
stax-event-internal-rules | ☑︎ | ☑︎ | ☑︎ | ☑︎ |
stax-iam-access-analyzer-member | | | | ☑︎ |
Organization Trail (Type: CloudTrail trail) | ☑︎ | | | |
stax-protection-account-pool (Type SCP) | ☑︎ | | | |
stax-fms-notification-channel | | ☑︎ | | |
stax-config-organisation-aggregator | | ☑︎ | | |
stax-iam-access-analyzer | | ☑︎ | | |
stax-unused-iam-credentials-remediation (Type: AWS Config Config Recorder) | | ☑︎ | | |
SSM-SessionManagerRunShell (Type: SSM Document) | | ☑︎ | | |
| GuardDuty: Enabled Organization-wide, Delegated Administrator | | ☑︎ | | |
| Config: Enabled Organization-wide, Delegated Administrator | | ☑︎ | | |
| IAM Access Analyzer: Enabled Organization-wide, Delegated Administrator | | ☑︎ | | |
| Firewall Manager: Enabled Organization-wide, Delegated Administrator | | ☑︎ | | |
| Compute Optimizer: Enabled Organization-wide, Delegated Administrator | | ☑︎ | | |
stax-cloudtrail-master | | | ☑︎ | |
stax-config-master | | | ☑︎ | |
stax-session-manager | | | ☑︎ | |
stax-vpc-flowlog-bucket | | | ☑︎ | |
Other
| Resource | Management | Security | Logging | Member |
|---|
<stax_account_name>-<aws_account_id> (Type: IAM Account Alias) | ☑︎ | ☑︎ | ☑︎ | ☑︎ |
<account_name>.<organization_alias>.<stax_installation_domain> (Type: Route 53 Hosted Zone) | ☑︎ | ☑︎ | ☑︎ | ☑︎ |
Stax Example Policies (Type SCP), including:
stax-s3-force-encryption
stax-no-new-igw
stax-protect-cloudwatch
stax-ap-southeast-2-only
stax-protect-vpc-flow-logs | ☑︎ | | | |
stax-aws-support (Type: IAM Role) | | ☑︎ | | |
stax-support-metrics (Type: IAM Role) | | | ☑︎ | |
Route 53 Hosted Zones
The below information only applies to organizations with Route 53 hosted zones created by Stax under the staxapp.cloud domain. Check your AWS accounts for the presence of these zones to determine if you're affected.
When an AWS Organization is onboarded to Stax, a DNS zone and delegation is configured within Route 53 in the organization to allow resolving of Stax resources within the organization. When the organization is offboarded, that DNS zone is retained, but the delegation for it is removed from the public DNS. This means that resolution of these records will fail.
Organizations should, as part of offboarding, review any records created in these hosted zones and migrate them to zones that you control.