Service Control Policies for Global Protection
Stax implements Service Control Policies (SCPs) to protect critical Stax resources within AWS accounts. Working within the boundaries of these SCPs requires some basic consideration.
stax-protection-aws-baseline SCP
To minimize security risks and pitfalls in your AWS accounts, this policy, which includes common AWS best-practice protections, is attached to the root of your AWS Organization. The policy can be reviewed in the Policies section of the Stax Console. As it is a Stax-managed policy, it is mandatory and cannot be removed from your organization.
This policy is defined by the Configurable Guardrails feature, which allows you to fine-tune protections according to your organization's needs. For more information, see Configurable Guardrails.
By default, your AWS Organization will have the service control policy stax-protection-aws-baseline-1 attached. Given the dynamic nature of Configurable Guardrails, you may see additional stax-protection-aws-baseline policies attached to your AWS Organization root.
stax-protection-stax-resources SCP
To protect critical resources required for the operation of Stax's features and functionality, a default SCP is attached to the root in your AWS Organization. This mandatory SCP can be reviewed in the Policies section of the Stax Console.
There are resource name prefixes reserved for use by Stax. Resources created with these prefixes will either be hidden or have access to them disabled by the SCP.
The reserved prefixes are:
- stax-
- cloudtrail-
Avoid creating resources that begin with any of these prefixes. In most cases AWS and Stax will prohibit you from creating resources using these prefixes. Stax is unable to provide support for editing/updating resources that are created using these prefixes. If you inadvertently create resources using these prefixes, please raise a support case to discuss options for regaining control of the resource.
StaxFullAWSAccess SCP
Stax is unsupported in some AWS regions. This is due to the absence of mandatory AWS services. See Supported Regions for more detail on which regions are supported.
The StaxFullAWSAccess SCP is applied to Stax-managed AWS Organizations with an account ownership model whereby the customer owns the management account. This SCP is attached to the root of your Stax-managed AWS Organization. For Stax-managed AWS Organizations with a reseller-owned management account, the SCP has additional controls in place to prevent the inaccurate display of some billing information in Stax-managed AWS Accounts.
This StaxFullAWSAccess SCP also includes the contents of the AWS-managed FullAWSAccess service control policy to reduce the number of policies attached to the root of the Stax-managed AWS Organization whilst still providing standard access to the organization. Thus, it is highly recommended not to detach the policy.
foundation SCP
Stax Assurance applies hardening to minimize security risks and vulnerabilities within your AWS accounts. The Security and Logging accounts play a central role within the Stax Assurance process. To ensure that the hardening performed by Stax Assurance is not compromised, Stax applies the foundation SCP to the Security and Logging accounts.