Skip to main content

Service Control Policies for Global Protection

Stax implements Service Control Policies (SCPs) to protect critical Stax resources within AWS accounts. Working within the boundaries of these SCPs requires some basic consideration.

stax-protection-aws-baseline SCP

To minimize security risks and pitfalls in your AWS accounts, this policy is attached to the root of your AWS Organization which includes common AWS best practice protections. The policy can be reviewed in the Policies section of the Stax Console. As it is a Stax-managed policy, it is mandatory and cannot be removed from your organization.

This policy is defined by the Configurable Guardrails feature, which allows you to fine-tune protections according to your organization's needs. For more information, see Configurable Guardrails.

note

By default, your AWS Organization will have the service control policy stax-protection-aws-baseline-1 attached. Given the dynamic nature of Configurable Guardrails, you may see additional stax-protection-aws-baseline policies attached to your AWS Organization root.

stax-protection-stax-resources SCP

To protect critical resources required for the operation of Stax's features and functionality, a default SCP is attached to the root in your AWS Organization. This mandatory SCP can be reviewed in the Policies section of the Stax Console.

There are resource name prefixes reserved for use by Stax. Resources created with these prefixes will be either hidden, or access to them disabled by the SCP.

The reserved prefixes are:

  • stax-
  • cloudtrail-

Avoid creating resources that begin with any of these prefixes. In most cases AWS and Stax will prohibit you from creating resources using these prefixes. Stax is unable to provide support for editing/updating resources that are created using these prefixes. If you inadvertently create resources using these prefixes, please raise a support case to discuss options for regaining control of the resource.

stax-protection-unsupported-region/stax-protection-unsupported-resell SCP

Stax is unsupported in some AWS regions. This is due to the absence of mandatory AWS services. See Supported Regions for more detail on which regions are supported.

The stax-protection-unsupported-region SCP applies to organizations with an an account ownership model whereby the customer owns the management account. This SCP is attached to the root in your AWS Organization. For organizations with a reseller-owned management account, the stax-protection-unsupported-resell SCP is applied. This SCP is attached to the root in your AWS Organization and has additional controls in place to prevent the inaccurate display of some billing information in Stax-managed AWS accounts.

foundation SCP

Stax Assurance applies hardening to minimize security risks and vulnerabilities within your AWS accounts. The Security and Logging accounts play a central role within the Stax Assurance process. To ensure that the hardening performed by Stax Assurance is not compromised, Stax applies the foundation SCP to the Security and Logging accounts.