About Identity and Access
Users can be granted different levels of access both to Stax itself and to the AWS accounts managed by Stax. The Stax Identity Service governs access to Stax and to Stax-managed AWS accounts.
This guidance assumes that your AWS accounts are Stax-managed. If you only have the Cost & Compliance module, review this article instead.
The Stax Identity Service is hosted in the security account. Because that account controls access to every Stax-managed account, it is recommended that only trusted administrators have access to it.
IAM resources, including roles and identity providers, are deployed by Stax into all Stax-managed AWS accounts. The Identity Service uses these resources to provide single sign-on into those accounts, and Stax's automation uses them to create and update resources.
The Identity Service also facilitates access for Stax engineers in the event that you require Stax's support team to access your accounts. This access, however, is only available upon receipt of written approval via a support case.
Accessing Stax
Stax can be accessed using either the Stax Console in a web browser, or the Stax API (either directly or via the SDK). Access to the Console is restricted to Users; access to the API and SDK is granted using API Tokens.
Management of Stax Console access is via the Users page in the customer menu. Users of your Stax tenancy are listed on the Users page and can be created, edited, and deactivated as required.
Stax provides four roles for governing access to the Stax Console and API:
- Admin: Provides unrestricted access to Stax
- Operations: Provides a high level of access to Stax
- User: Provides restricted access to Stax, most notably with regard to user management
- Read Only: Provides read-only access to Stax
- Cost & Compliance Admin: Provides read-only access to Stax, except for the Cost & Compliance module, where admin levels of access are granted. This role is available for Console users only
See Stax Permissions for more detail on these roles.
Federated Access
While Stax can be accessed using local credentials (where Stax itself stores the user's credentials), the recommended practice is to enable Single Sign-On by federating Stax with your corporate identity provider (for example, Okta, Ping, or Microsoft Entra ID/Azure AD). This lets your existing user base, credentials, and security protections (such as the identity provider's MFA and conditional access policies) apply to Stax as well.
Federated users are provisioned in Stax when they first log in via your corporate identity provider, or are provisioned in advance if your administrator has configured SCIM (System for Cross-domain Identity Management).
Federated users appear on the Users page in Stax, but they cannot be modified there, only deactivated. Any other change to a federated user must be made in the identity provider.
Accessing Stax-managed AWS accounts
Stax provides native single sign-on into Stax-managed AWS accounts. Users can sign in to AWS accounts via the Stax Console using any roles assigned to them by their group membership.
Groups are assigned a certain level of privilege to Account Types. Access must be granted at the group-to-Account-Type level; it is not possible to assign users access to individual accounts directly.
Deploy customized AWS roles using Permission Sets.
Additionally, Stax provides the following built-in roles:
- Admin: maps to the AWS AdministratorAccess managed policy, providing unrestricted access to the AWS account. This role shows in the AWS console and logs as staxid-admin-role
- Developer: maps to the AWS SystemAdministrator managed policy, providing restricted access to the AWS account. This role shows in the AWS console and logs as staxid-developer-role
- Read Only: maps to the AWS ReadOnlyAccess managed policy, providing read-only access to the AWS account. This role shows in the AWS console and logs as staxid-readonly-role
When users authenticate to Stax-managed AWS accounts using the Stax Identity Service, audit information is recorded in the logging account.
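Because the built-in roles appear in AWS logs under their staxid-* names, the audit trail in the logging account can be reviewed for privileged sign-ins. The following script is an added example, not Stax's own tooling: it assumes a Stax single sign-on surfaces in CloudTrail as an AssumeRoleWithSAML event whose requestParameters.roleArn names one of the staxid-* roles, and the sample records below are constructed (account ids, user names and timestamps are placeholders). It counts role assumptions per account and lists every session that used staxid-admin-role.

```python
"""Summarise Stax SSO role usage from CloudTrail AssumeRoleWithSAML records.

Added example for illustration only (not Stax code). Assumes the SSO sign-in
is logged as an STS AssumeRoleWithSAML event carrying requestParameters.roleArn
and userIdentity.userName; sample records below are constructed.
"""
import re
from collections import Counter

# Built-in role names as they appear in the AWS console and logs (from the article).
STAX_BUILTIN_ROLES = {
    "staxid-admin-role": "Admin (AdministratorAccess)",
    "staxid-developer-role": "Developer (SystemAdministrator)",
    "staxid-readonly-role": "Read Only (ReadOnlyAccess)",
}
# Sessions using these roles are worth reviewing individually.
PRIVILEGED_ROLES = {"staxid-admin-role"}

# arn:aws:iam::<account>:role/[path/]<name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[^/]+/)*([^/]+)$")

# Constructed sample events shaped like CloudTrail AssumeRoleWithSAML records.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/staxid-admin-role"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "bob@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/staxid-developer-role"}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "carol@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/staxid-readonly-role"}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/staxid-admin-role"}},
    # Unrelated event type; must be ignored by the summary.
    {"eventTime": "2024-05-01T09:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "svc-account"},
     "requestParameters": None},
]


def parse_role_arn(arn):
    """Return (account_id, role_name) for an IAM role ARN, or None if it is not one."""
    match = ROLE_ARN_RE.match(arn or "")
    return (match.group(1), match.group(2)) if match else None


def summarise_sso_sessions(events):
    """Count role assumptions per (account, role) and collect privileged sessions."""
    counts = Counter()
    privileged_sessions = []
    for event in events:
        if event.get("eventName") != "AssumeRoleWithSAML":
            continue
        params = event.get("requestParameters") or {}
        parsed = parse_role_arn(params.get("roleArn"))
        if parsed is None:
            continue
        account, role = parsed
        counts[(account, role)] += 1
        if role in PRIVILEGED_ROLES:
            privileged_sessions.append({
                "time": event.get("eventTime"),
                "account": account,
                "role": role,
                "user": (event.get("userIdentity") or {}).get("userName", "<unknown>"),
            })
    return {"counts": dict(counts), "privileged_sessions": privileged_sessions}


def render_report(summary):
    """Produce a plain-text report from summarise_sso_sessions() output."""
    lines = ["Stax SSO role assumptions per account:"]
    for (account, role), n in sorted(summary["counts"].items()):
        label = STAX_BUILTIN_ROLES.get(role, "custom/other role")
        lines.append(f"  {account}  {role:<24} {label:<32} {n}")
    lines.append("Privileged (admin) sessions to review:")
    for s in summary["privileged_sessions"]:
        lines.append(f"  {s['time']}  {s['user']} -> {s['role']} in {s['account']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarise_sso_sessions(SAMPLE_EVENTS)))
```

In practice the input would be the CloudTrail records delivered to the logging account (for example, read from the S3 bucket or queried through Athena), filtered to eventSource sts.amazonaws.com; the same function works unchanged on that input because it only relies on the eventName, requestParameters.roleArn and userIdentity.userName fields.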