
Manage AWS Organizational Units and Service Control Policies in Stax

Stax manages AWS Organizations in alignment with established best practices. As a result, Stax-managed AWS Organizations will be uplifted to adhere to the organizational structure recommended in the AWS Security Reference Architecture and the Organizing Your AWS Environment Using Multiple Accounts whitepaper. In addition to this, new functionality will be introduced to allow tenancies to better utilize Organizational Units (OUs) and service control policies (SCPs).

The new functionality will be released in two stages, staggered over an eight-week period to allow organizations time to adequately prepare for the changes. There are two important changes that may affect your day-to-day operations:

  • A Security OU will be created in your AWS Organization and your Security and Logging accounts will be migrated into this new OU

  • You will no longer be able to attach/detach Stax Policies to/from Account Types. Instead, you will now attach/detach Stax Policies to/from accounts or OUs. Account Types will only be utilized for managing identity and access with Permission Sets. Existing Account Type policy attachments will appear as direct attachments to accounts.

Release Schedule

Release 1 (3-15 April 2023)

Release 1 will make only minor updates to AWS Organizations. The changes that will be made include:
  • The existing Stax-managed OU, which is named with a UUID, will be renamed to Stax Default
  • The existing Unallocated OU, which houses the Account Pool, will be renamed to Stax Account Pool
  • A Stax Security OU will be created. It will, at the time of Release 2, be used to house your Security and Logging accounts

See the diagram below for more information.
Release 2 (approx. late June - late August 2023)

Release 2 will provide full access to the new OU and Policies functionality. Changes include:
  • The Security and Logging accounts will be moved to the Stax Security OU
  • A POST, PUT, and DELETE OU route will be made available in the API
  • A POST and DELETE Policy route will be made available in the API, which will enable you to attach/detach SCPs to/from Accounts and OUs
  • The PUT /20190206/account-types/policies route will be deprecated
  • Updates to the Policy method's schema implementation. The API documentation for the new Policies schema can be found here; with the release of this feature, the Policyv2 schema will be renamed to replace Policy. The schema changes are:
    • Removed: AttachableTo is no longer defined in the schema
    • Removed: Mandatory is no longer defined in the schema
    • Removed: Public is no longer defined in the schema
    • Renamed: Policy is now defined as Content in the schema
    • Changed: Status values are now ACTIVE, CREATE_FAILED, CREATE_IN_PROGRESS, DELETED, DELETE_FAILED, DELETE_IN_PROGRESS, UPDATE_IN_PROGRESS (previous values were ACTIVE, DELETED, FAILED)
    • Added: AwsId is now defined in the schema
    • Added: ExternalResource is now defined in the schema
    • Added: OrganisationAttachment is now defined in the schema
    • Added: PolicyOwner is now defined in the schema
    • Added: PolicyType is now defined in the schema
    • Added: Tags is now defined in the schema
    • Added: UserTaskId is now defined in the schema
  • The OUs page in the Console will allow you to create, edit and delete OUs, as well as move accounts between OUs
  • The Policies page in the Console will allow you to attach and detach SCPs to/from Accounts, OUs, and Organizations

See the diagram below for more information.

Important Considerations:
  • The PUT /20190206/account-types/policies API route will be deprecated. It is recommended that you update any automation pipelines that utilize this API route. Note that existing SCPs attached to Account Types will not be removed. Instead, they will appear as direct attachments on individual accounts. It is recommended that you configure your new OU structure after Release 2 occurs and attach SCPs at the OU level
  • The Security and Logging accounts will be moved to the Stax Security OU. You must validate and, where necessary, update any services that target OUs, such as AWS CloudFormation StackSets and AWS Backup policies, since those accounts will no longer be members of their previous OU
  • It is recommended that you use the Stax functionality to maintain OU and SCP resources. Any updates made directly in the AWS Organizations console/API will not be reflected in Stax at this time
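The first two considerations above each call for a pre-flight check: finding the SCPs that now sit as direct attachments on accounts and working out which of them can be re-attached at OU level without changing any account's effective policy, and finding the accounts that drop out of (or into) the scope of an OU-targeted StackSet or Backup policy when the Security and Logging accounts move. The script below is an added example and is not Stax code or any part of the Stax or AWS APIs; the OU IDs, account IDs, policy IDs and helper names are constructed for illustration, and the inventory it works on would in practice be read from the AWS Organizations API (list_accounts_for_parent and list_targets_for_policy) rather than typed in.

```python
"""Pre-flight checks for re-homing SCPs to OUs and for OU-targeted services
after accounts are moved between OUs. Added example with constructed data;
the OU, account and policy identifiers below are fake."""

# AWS Organizations quota: at most this many SCPs may be attached to any one
# root, OU or account. Attach calls beyond it are rejected.
SCP_ATTACHMENT_LIMIT = 5

# Constructed OU membership before and after the Security (111...) and
# Logging (222...) accounts are moved into the Stax Security OU.
OU_BEFORE = {
    "ou-stax-default": ["111111111111", "222222222222", "333333333333", "444444444444"],
    "ou-stax-account-pool": ["555555555555"],
    "ou-stax-security": [],
}
OU_AFTER = {
    "ou-stax-default": ["333333333333", "444444444444"],
    "ou-stax-account-pool": ["555555555555"],
    "ou-stax-security": ["111111111111", "222222222222"],
}

# Constructed SCP inventory: policy id -> targets it is attached to. Former
# Account Type attachments appear as per-account entries like the first two.
POLICY_TARGETS = {
    "p-deny-leave-org": ["111111111111", "222222222222", "333333333333",
                         "444444444444", "555555555555"],
    "p-deny-region": ["333333333333"],
    "p-protect-logs": ["ou-stax-security"],
}


def is_account_id(target):
    """AWS account IDs are 12 digits; OU targets start with 'ou-'."""
    return target.isdigit() and len(target) == 12


def consolidation_plan(ou_accounts, policy_targets):
    """For each SCP attached directly to accounts, list the OUs whose every member
    already carries it. Attaching there and detaching from the members leaves each
    account's effective policy unchanged (effective SCPs are the intersection of
    everything on the path from the root) and also covers accounts moved into the
    OU later. Accounts that do not fill an OU are reported to keep as-is."""
    plan = {}
    for policy, targets in policy_targets.items():
        accounts = {t for t in targets if is_account_id(t)}
        if not accounts:
            continue  # already OU- or root-scoped; nothing to consolidate
        full_ous = sorted(ou for ou, members in ou_accounts.items()
                          if members and set(members) <= accounts)
        covered = {a for ou in full_ous for a in ou_accounts[ou]}
        plan[policy] = {"move_to_ous": full_ous,
                        "keep_on_accounts": sorted(accounts - covered)}
    return plan


def apply_plan(policy_targets, plan):
    """Return the attachment map the plan would produce, without touching AWS."""
    new = {}
    for policy, targets in policy_targets.items():
        if policy not in plan:
            new[policy] = sorted(targets)
            continue
        keep = set(plan[policy]["move_to_ous"]) | set(plan[policy]["keep_on_accounts"])
        keep |= {t for t in targets if not is_account_id(t)}  # existing OU attachments stay
        new[policy] = sorted(keep)
    return new


def over_attachment_limit(policy_targets, limit=SCP_ATTACHMENT_LIMIT):
    """Targets that would carry more than `limit` SCPs under the given map."""
    counts = {}
    for targets in policy_targets.values():
        for t in targets:
            counts[t] = counts.get(t, 0) + 1
    return sorted(t for t, n in counts.items() if n > limit)


def ou_target_coverage_changes(ou_before, ou_after, target_ous):
    """Accounts that leave or enter the scope of something deployed to OUs (a
    StackSet with OU deployment targets, an AWS Backup policy) when OU membership
    changes from ou_before to ou_after."""
    before = {a for ou in target_ous for a in ou_before.get(ou, [])}
    after = {a for ou in target_ous for a in ou_after.get(ou, [])}
    return {"lost": sorted(before - after), "gained": sorted(after - before)}


if __name__ == "__main__":
    plan = consolidation_plan(OU_AFTER, POLICY_TARGETS)
    for policy, step in plan.items():
        print(policy, "->", step)
    proposed = apply_plan(POLICY_TARGETS, plan)
    print("targets over the SCP limit after consolidation:", over_attachment_limit(proposed))
    # A StackSet that only targets the default OU silently loses the two moved accounts.
    print("StackSet scope change:", ou_target_coverage_changes(OU_BEFORE, OU_AFTER, ["ou-stax-default"]))
```

Run as-is it reports that p-deny-leave-org can move up to all three OUs, that p-deny-region must stay on its single account, and that a StackSet targeting only the default OU loses the Security and Logging accounts after the move; adding the Stax Security OU to that StackSet's targets brings the "lost" list back to empty. Treat the plan as input for review rather than something to apply blindly: attaching at an OU also binds every account later moved into it, which is the intended outcome for the Security OU but worth checking for the Account Pool.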

Visual representation of AWS Organization changes

The below diagrams provide an overview of the changes that will be made to your AWS Organization as part of Release 1 and Release 2.

Current State

[Diagram: Before.png]

Future State

[Diagram: After.png]